RE: [WEB SECURITY] "hack-me" Ajax apps?

["Jeff Robertson" <jeff.robertson () digitalinsight com>]

I was thinking mainly of authorization and authentication (or lack
thereof). Web services that let "anybody" call them and get data that
should require auth, etc.

> -----Original Message-----
> From: kurt () shopdecorum com [mailto:kurt () shopdecorum com] 
> Sent: Wednesday, August 16, 2006 14:26
> To: Jeff Robertson; webappsec () securityfocus com; 
> websecurity () webappsec org
> Subject: Re: [WEB SECURITY] "hack-me" Ajax apps?
>
> Jeff-
>
> I have an AJAX-enabled version of BadStore.net that is 
> basically ready for distribution (awaiting primarily 
> documentation updates).  There is an AJAX search function 
> that hits against a MySQL table and returns XML data through 
> CGI::AJAX.
>
> The current public version of BadStore.net is v1.2.3 and has 
> basic WebAppSec demo capabilities.  The AJAX/Web Services is 
> v2.1.x and I can email you a Beta for review and comment.  If 
> you're interested in contributing your coding talents to this 
> open-source project, that would also be encouraged and appreciated!
>
> What AJAX hacking capabilities are you looking for???  It 
> should be relatively easy to bake it in, as the 
> infrastructure is already in place. 
>
> -Kurt
>
> PS - BadStore.net is a GNU-licensed open-source demo, 
> training, and evaluation platform for WebAppSec.  It's a 
> bootable distro that's distibuted as an .iso image that runs 
> a vulnerable server/app directly or under virtualization 
> (VMWare, Que, etc.) requiring only 128MB memory.  
> BadStore.net is LAMP (Linux Apache MySQL and Perl) and 
> requires no installation - just boot and point a browser at 
> it.  When you hack it to death, just reboot and you're back 
> where you started.
> -----Original Message-----
>
> From:  "Jeff Robertson" <jeff.robertson () digitalinsight com>
> Subj:  [WEB SECURITY] "hack-me" Ajax apps?
> Date:  Wed Aug 16, 2006 5:13 am
> Size:  480 bytes
> To:  <webappsec () securityfocus com>,<websecurity () webappsec org>
>
> Where could I find hackable, fake, Ajax application? Like 
> webgoat, etc., but all Ajax?
>
> If the answer is to "write one", I'm willing, but I'd rather 
> not reinvent any wheels.
>
>
> --------------------------------------------------------------
> --------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web
application security assessment tools by both Gartner and IDC.
Download a free trial of AppScan today and see why more customers choose
AppScan then any other solution. Try it today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------