WebApp Sec mailing list archives
RE: [WEB SECURITY] "hack-me" Ajax apps?
From: "Jeff Robertson" <jeff.robertson () digitalinsight com>
Date: Wed, 16 Aug 2006 14:28:11 -0400
I was thinking mainly of authorization and authentication (or lack thereof). Web services that let "anybody" call them and get data that should require auth, etc.
-----Original Message----- From: kurt () shopdecorum com [mailto:kurt () shopdecorum com] Sent: Wednesday, August 16, 2006 14:26 To: Jeff Robertson; webappsec () securityfocus com; websecurity () webappsec org Subject: Re: [WEB SECURITY] "hack-me" Ajax apps? Jeff- I have an AJAX-enabled version of BadStore.net that is basically ready for distribution (awaiting primarily documentation updates). There is an AJAX search function that hits against a MySQL table and returns XML data through CGI::AJAX. The current public version of BadStore.net is v1.2.3 and has basic WebAppSec demo capabilities. The AJAX/Web Services is v2.1.x and I can email you a Beta for review and comment. If you're interested in contributing your coding talents to this open-source project, that would also be encouraged and appreciated! What AJAX hacking capabilities are you looking for??? It should be relatively easy to bake it in, as the infrastructure is already in place. -Kurt PS - BadStore.net is a GNU-licensed open-source demo, training, and evaluation platform for WebAppSec. It's a bootable distro that's distibuted as an .iso image that runs a vulnerable server/app directly or under virtualization (VMWare, Que, etc.) requiring only 128MB memory. BadStore.net is LAMP (Linux Apache MySQL and Perl) and requires no installation - just boot and point a browser at it. When you hack it to death, just reboot and you're back where you started. -----Original Message----- From: "Jeff Robertson" <jeff.robertson () digitalinsight com> Subj: [WEB SECURITY] "hack-me" Ajax apps? Date: Wed Aug 16, 2006 5:13 am Size: 480 bytes To: <webappsec () securityfocus com>,<websecurity () webappsec org> Where could I find hackable, fake, Ajax application? Like webgoat, etc., but all Ajax? If the answer is to "write one", I'm willing, but I'd rather not reinvent any wheels. -------------------------------------------------------------- -------------- The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] "hack-me" Ajax apps? Jeff Robertson (Aug 16)
- <Possible follow-ups>
- Re: [WEB SECURITY] "hack-me" Ajax apps? kurt (Aug 16)