Re: Hacme Bank

[Rush Molekilla <molekilla () gmail com>]

Nice app!

The only problem I had while trying to hack ASP.NET Application in
localhost with my tool (Ecyware GreenBlue Inspector) is that both use
the .NET thread pool.

But nice ASP.NET, super great.

Thanks,

Rogelio Morrell C.
Ecyware


On Wed, 8 Sep 2004 10:03:43 -0400, Mark Curphey <mark () curphey com> wrote:
> Just to let you know in the next hour or so the links should go live to our
> new free tool, Hacme Bank on the Foundstone web site
> (http://www.foundstone.com/s3i).
>
> You can see the press release here;
>
> http://www.tmcnet.com/usubmit/2004/Sep/1071232.htm
>
> It's an online banking application written in C# ASP.NET (requires IIS and
> .NET framework 1.1 to install) with a set of security holes replicating real
> world things we have found in client engagements over the last 9 months. It
> serves as a "real world" training application for web application pen
> testing and education for developers.
>
> Its free for non-commercial use and we are already working on the next
> version to include some more user management issues.
>
> All of the lessons are screen captured and documented so you can step
> through all of the issues. These are in a "User and Solution Guide" PDF in
> the web root by default.
>
> It is not designed to be a good benchmarking platform for automated tools
> but it is interesting to compare the results of your favorite tools with the
> holes in the bank (we have done this) or put it behind a "web app firewall"
> (no uptake from my recent challenge I am afraid, go figure!).
>
> The experienced can start attacking the login field when installed and the
> less experienced can walk through the lesson plans.
>
> Mark