7/21/2019 IB Hacme Casino User Guide

Foundstone Hacme Casino v1.0™

Strategic Secure Software Training Application

User and Solution Guide

Author: Alex Smolen, Foundstone Professional Services

August 21, 2006


Introduction

Foundstone Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security. Hacme Casino is an extensible online casino platform and demonstrates the security problems that can potentially arise in these applications.

Hacme Casino is built using Ruby on Rails. Ruby on Rails (sometimes called RoR or Rails) is an open-source web application framework, built entirely in Ruby, which emphasizes adherence to the Model-View-Controller (MVC) architecture and the principle of DRY (Don't Repeat Yourself). Hacme Casino utilizes some of the basic and some of the more advanced features of the Ruby on Rails framework. It is meant to be representative of a typical Rails application, using standard features such as ActiveRecord. It also includes functionality which incorporates AJAX-style interaction, which is baked into the Rails framework, and harnesses the LoginGenerator, which is supplied by the Rails community for creating code to perform authentication in an application.

Many of the vulnerabilities in Hacme Casino cannot be detected automatically; they must be assessed by a human who has an understanding of the business context in which online gaming applications operate.

Hacme Casino is offered with the full source code under the Apache Software Foundation License Version 2.0. Being fully open-source allows Hacme Casino to be subject to an unbiased peer review process, which will be used to constantly improve the quality and accuracy of the application.

Disclaimer: Hacme Casino is riddled with vulnerabilities by design. Use of Hacme Casino can cause system compromise and Foundstone accepts no liability for any improper usage of this software. We strongly advise users not to use the application on production systems.

www.foundstone.com © 2006 Foundstone, Inc. All Rights Reserved


Overview of Hacme Casino Distribution

Hacme Casino is a pure Ruby on Rails web application that is distributed in 2 different formats:

• Windows Binary Installer
  o Complete installation is covered in this document
  o Download from http://www.foundstone.com/resources/freetools.htm
• Full Source Code
  o Not covered in this document
  o Requires installation of several development tools and intermediate Rails skills
  o Download via anonymous CVS from http://sourceforge.net/projects/foundstone
  o See the HOWTO document in the Hacme Casino CVS folder at sourceforge for detailed instructions

Prerequisites

• The Windows Binary Installer only supports Microsoft Windows 2000/XP. Users of other operating systems can install Hacme Books by building the source code.
• The WEBrick server is distributed with Hacme Casino and runs by default on port 3000. Please ensure that no other applications are using this port.

Windows Binary Installation

• Download the Hacme Casino executable installer from http://www.foundstone.com/resources/freetools.htm.
  o Double-click on HacmeCasinoSetup.exe.
  o Figure 1 displays the license text, which is based on the Apache 2.0 License. You must agree to the terms of the license by clicking the I Agree button in order to continue installation.
  o Figure 2 displays a security warning from Foundstone regarding Hacme Casino. Click Next if you understand the warning and choose to proceed.
  o Figure 3 displays the desired installation folder. You can edit the directory path or leave the default setting. Click Install to begin installation of Hacme Casino.
  o Figure 4 is the last dialog. Just click Close.
• Once installation is complete, you must start the Hacme Casino server (WEBrick): Start > Programs > Foundstone Free Tools > Hacme Casino Server > START
• Wait until the WEBrick server starts (should look like Figure 5).
• To view Hacme Casino in Firefox* (should look like Figure 6): Start > Programs > Foundstone Free Tools > Hacme Books
• Uninstalling Hacme Books is very easy: there is an uninstall program available from the Start Menu. Hacme Books may also be uninstalled using the Add/Remove Programs Control Panel.

* Hint: Foundstone recommends using Firefox or other standards-compliant browsers to view Hacme Casino, as using Internet Explorer causes some display bugs.


Figure 1

Figure 2


Figure 3

Figure 4


Figure 5

Figure 6


Learning Guide

There are two fundamental approaches to web application security testing:

• Whitebox testing (AKA Code Review)
  - The tester has access to source code, configuration files, and the actual deployed application
• Blackbox testing (AKA Penetration Test or Pen-test)
  - The tester has access to the application's end-user interface only

Whitebox testing is always going to produce a more accurate result based on the fact that the source code is available. Testers are able to review data flows through the application from the presentation tier all the way through to the data access tier. Therefore, the results yielded from whitebox testing are going to be far more precise than the results gathered from blackbox testing.

For example, if there is a SQL injection vulnerability discovered in 2 different areas of a web application, a blackbox pen-tester will identify 2 vulnerabilities. However, there may be a single library that makes the database calls, which a whitebox tester can identify as one vulnerability. In addition, a whitebox review can reveal vulnerabilities in configuration and integration points. For instance, Hacme Books communicates with Hacme Bank (a similar application written in ASP.NET) to actually debit a book purchaser's bank account. A review of Hacme Books' configuration files may uncover the location of the Hacme Bank web services endpoint, which you might explore for additional vulnerabilities.

Foundstone suggests that anyone with a development background should perform a code review first, and then perform the blackbox penetration test that is described in the rest of this document. This will validate the earlier review. The source code for Hacme Casino is available via anonymous CVS at sourceforge.net/projects/foundstone.

For non-developers, the blackbox test is most appropriate.

For this guide we will focus on the blackbox, or pen-test, approach. The code review methodology is a much more intensive activity that we tackle in Foundstone's Writing Secure Code classes. For more information about Foundstone's Writing Secure Code classes, go to www.foundstone.com/education.


Lesson 1 - Blind SQL Injection

Lesson #: 1
Vulnerability Exploited: Blind SQL Injection
Exploit Result: Authentication Bypass
Input Fields: User name
Input Data:
  Step 1: '
  Step 2: ' OR 1=1--
  Step 3: ') OR 1=1--
Corresponding Figure(s): Figure 7, Figure 8, Figure 9

Try logging into Hacme Casino with an invalid username or an invalid password. Doesn't work, does it? That makes sense, because the whole point of the Hacme Casino authentication scheme is that you need to know a valid username and the password to get in (or we could just register, but where's the fun in that?). Notice that when we supply a bad username or password, we get a pretty generic error message about the login being unsuccessful.

Figure 7: Generic Bad Login Message



However, as weve seen before in other Hacme applications, sometimes the login form doesnt
validate input that it passes to the database. *nd from that, we can do 0B- in4ection and have
our way with the application. 0ounds fun

-ets try our hallmar" 0B- in4ection detection string, I (single apostrophe, in the username field
(leave the password blan".

Figure 0+ Appli-ation !esponse to &

Hm. 0o we see we got an error that is different than a simple bad login, but we didnt get a
detailed 0B- error message. ;hats not good ;his is "nown as 3lind 0B- in4ection. 7e "now the
0B- in4ection is there because we can cause an error that loo"s different than 4ust a normal bad
login. 7e can infer that this single 5uote is causing the 5uery to fail and the application is
catching the 0B- error. 7e cant immediately find out how to ma"e our in4ection wor" by loo"ing
at the 5uery in the detailed error message in the response. However, what we C*9 try to do is
ma"e the 5uery succeed, with in4ected data. 7e will then be able to exploit the 5uery to perform
our will. 0o, lets try an old standby that wor"s for most login 5ueries, IJ :R JKJ!!.

7e get the exact same error message as Figure E. 0till not wor"ing. 7hat could be wrong hereG
 *n attac"er might thin" several things6


J ) am not properly closing or opening parentheses.


1 ) am 5uerying a database that doesnt consider double dash a comment (e.g. $y0B-
? ;here are R:=< 3', =9):90, or other clauses after the comments that the 5uery
expects.
L 0omething else entirely.

9ot to be defeated, we test our first hypothesis by adding a right parentheses after the single
5uote.

Figure + Appli-ation !esponse to  '! 1(1))

)t wor"ed 7ere in with the *ndy *ces user profile. 0o what happenedG

)n the bac"end, the 5uery must have loo"ed li"e

0>->C; @ FR:$ users 7H>R> (usernameKMusernameN *9& passwordKMpasswordN

9ote the parentheses. ;hey arent necessary, but sometimes developers leave them in for clarity
in grouping li"e clauses.

7ith our malicious input, the 5uery became6

0>->C; @ FR:$ users 7H>R> (usernameK :R JKJO*9& passwordK

;his 5uery returns the first user, which is *ndy.


Blind SQL injection can be tricky to exploit if the query is complicated. You may need to reopen the parentheses, such as in the case of trailing UNIONS which must be evaluated, to get the query to execute. Plenty of documentation exists on Blind SQL injection, and even some automated tools can help out in exploiting these problems and retrieving entire database contents from simple holes such as this.


Lesson 2 - Big Phish to Fry

Lesson #: 2
Vulnerability Exploited: Cross-Site Request Forgery
Exploit Result: More Chips
Input Fields: URL
Input Data: http://localhost:3000/account/transfer_chips?transfer=1000&login[]=andy_aces&commit=Transfer+Chips
Corresponding Figure(s): Figure 10 - Figure 16

Now that we have access to a valid account, we want to get some money so that we can start gambling. Now, we could actually withdraw from our bank account, but that would cost us dear precious dollars! Instead, let's try to use phishing tactics to get other users to give money to us.

Click on the Options link in the left sidebar. You should see the screen below.

Figure 10: Showing the Options Screen

Notice that there is a functionality to transfer chips to a user. This seems awfully generous! What if we could entice users to click on a link that would cause them to execute this functionality unknowingly?


-ets loo" at how the transfer chips function wor"s by examining the H;$- source in the figure
below.

Figure 11+ %oing te 7/L sour-e o8 te F'!/

;he H;$- form shows that the action is 8account8transferPchips. ;here are also two arguments,
transfer and loginUV.

-ets get a better idea of how it wor"s by running the traffic through <aros, an http proxy. For a
detailed description of how to use the <aros <roxy, go to http688www.parosproxy.org.

-ets try to transfer 2 dollars to 3obby 3lac"4ac" using the web interface and intercept the traffic.


Figure 12: Show the traffic running through Paros

We can see here that the application is sending the transfer parameter with the amount and the login argument URL. Let's add these two parameters to our URL to make a GET request which performs the same action.

http://localhost:3000/account/transfer_chips?transfer=0&login[]=bobby_blackjack&commit=Transfer+Chips


Figure 13

This results in an error (we can't send a non-positive number of chips). However, perhaps instead of transferring 0 dollars to bobby, let's transfer $1000 dollars to ourselves! We will change the URL parameters appropriately:

http://localhost:3000/account/transfer_chips?transfer=1000&login[]=andy_aces&commit=Transfer+Chips

Now when we click on this, we will try to transfer $1000 dollars to ourselves. This results in the same error message as Figure 14, because we don't have enough chips. That's not too interesting. Instead, we will email this link to other users for them to click on. Let's see what would happen if we sent this link to Bobby Blackjack and he clicked it while logged into Hacme Casino.

Log out of Hacme Casino by using the Log Out link in the left hand side bar. Log in using the username: bobby_blackjack and the password: twenty_one. You should see the following screen. Notice Bobby has 10,000 chips.


Figure 14: Bobby Blackjack Home Page

As Bobby, try clicking the link above that donates 1000 chips to Andy Aces. You should see the screen below.

Figure 15

Notice the chip count has been decremented. If we go and log back into our andy_aces account (using SQL injection, of course), we now have some real money to play with!

Figure 16

The reason why this is a security issue is because we can simply send the link to several users (bobby_blackjack included) and wait for them to click the link while logged in to Hacme Casino. That way, we don't need to know their credentials or log in as them.

Phishers use techniques such as these to cause unsuspecting users to perform actions without being aware of it. We could send our link to several users (provided we know their email addresses) with a bogus message about winning a prize. The link appears to come from the Hacme Casino domain (even SSL would attest to this). If they click on the link while they are logged in to Hacme Casino, they give us their chips! We can sit back and watch the chips roll in!


+esson   2now &#en to &al3 Awa%


Lesson# 3
 Vulnerability )mproper session handling
Exploite
Exploit !esult Cheat ame8)mprove :dds
Input Fiel"s -ogout
9one
Input $ata
Corresponing Figure JD
Figures"s Figure JE

9ow were in, and weve got some playing money. 7e could go and gamble it all away, but being
security!conscious, we dont li"e to ta"e unnecessary ris"s. )nstead, lets see if there are any
ways to improve our odds at the table.

7ell try to find problems with the betting protocol. )n the lobby, clic" on the blac"4ac" game.
 'ou should see the screen below6

Figure 1*+ .la-@a-@ ,aBe

o ahead and try a couple of rounds, but dont lose all of your money 7e "now that blac"4ac"
gives an edge to the casinoX lets see if we cant do better.

)n a casino, once you place a bet, that money is gone until the game outcome is resolved. )f we
pay attention to our chip total and betting amount, we can see that the amount of the bet is not
ww w.fo u n d st o n e. c o m © 20 0 6 F o u n d s t o n e , In c . A l l R i g h t s Res er v e d - #!

http://slidepdf.com/reader/full/ib-hacme-casino-user-guide 18/31
7/21/2019 IB Hacme Casino User Guide

credited or debited until the game is over. ;hat means as long as the game doesnt end, we dont
lose our bet

-ets cut our losses. &eal a few hands until you get a hand you dont li"e ! J1!JT will do nicely.
9ow, instead of feebly hitting and busting, note your chip total and clic" the lobby lin" in the
sidebar. 0ee the figure below6

Figure 10+ %-reen sot o8 logging out o8 te appli-ation Bi)gaBe

-ets see if it wor"ed / go bac" to the blac"4ac" game and see if your chip total has decreased. )t
shouldnt of, and you are free to bet again.

9ow you can really reduce your ris" by getting rid of bad hands. ;his means you can 5uit your
 4ob and turn in to a full!time online blac"4ac" player, at least until this hole is fixed

:ne important thing to note here is that as a hac"er, you cant get caught up trying to use the
same hac"s time and time again. Creativity is "ey, and each application has its own uni5ue ways
of being exploited.


Lesson 4 - I'll Stay... Again

Lesson #: 4
Vulnerability Exploited: Application Logic Vulnerability
Exploit Result: Cheat Game
Input Fields: URL
Input Data: http://localhost:3000/blackjack/hit_or_stay?act=S
Corresponding Figure(s): Figure 19, Figure 20, Figure 21

One of the most noticeable things about AJAX applications like Hacme Casino is that they are more responsive to user input than traditional web applications. This is primarily because XMLHttpRequest objects are being spawned in the background of the application, which update only the portion of the page that needs updating. Look at the login form for Hacme Casino: it creates a separate request if you select "Register" that updates only a small section of the screen. This occurs via AJAX, although it doesn't have to; plain old JavaScript would suffice here because there is no dynamic content. But where's the fun in that?

AJAX applications often use XmlHttpRequests when regular Web 1.0-style interactions would do. This can expose some sensitive areas of functionality. Let's look for examples of this that might be security vulnerabilities.

Let's go to our blackjack game. Play a few hands until you win. Winning feels good, doesn't it? I wish the feeling never went away. What would it be like if we could just keep on re-living that moment?

Take a look more deeply into how blackjack works: first, we make a bet. In the background an AJAX bet request occurs. This is shown, as intercepted by Paros, in the figure below.

Figure 19: Show traffic for betting


Then, we make an AJAX hit_or_stay request with the action parameter equal to hit until we are close to 21. See the figure below.

Figure 20: Screen shot for traffic for hit_or_stay

Assuming we continue to hit and we don't bust, our next AJAX request to the server is hit_or_stay with the action parameter equal to stay.

Figure 21: Screen shot for traffic for hit_or_stay

The server then deals the dealer cards, calculates the winner, pays out and collects, and then asks if we want to play again.

The last AJAX request is interesting, though, because it sets off a series of events on the server that determine the payout. What if we were to issue that AJAX request again?

Turns out, this causes the server to recalculate the winner and repay the winnings. So if we have just won, we can win again by replaying the stay request!

-ets try it outX play a hand until you win. 9ow cause the traffic shown in Figure 11 to replayX
typing this =R-6 (http688localhost6?2228blac"4ac"8hitPorPstayGactK0 should do the tric". 9otice
that this causes only part of the blac"4ac" game to render, because that *+* re5uest was only
updating a small portion of our page. :ur chips "eep going up, because the server thin"s we
"eep on winning, even though its the same game.

9ote that this attac" isnt *+* specificX its 4ust something that is more li"ely to be in an *+*
application. )n typical web applications, 4ust loo"ing in the =R- bar or an inadvertent hit of the
bac" button will reveal these types of issues. 7ith *+*, it happens it the bac"ground, and is a
bit more subtle. Remember, 4ust because the re5uest endpoint isnt directly lin"ed from the page,
its still accessible.

9ot too bad[ thats more than enough chips to set sail to the 3ahamas next month. 3ut, 4ust for
fun, lets chec" out video po"er too.


Lesson 5 - Snoop the Deck

Lesson #: 5
Vulnerability Exploited: Detailed Error Messages
Exploit Result: Cheat Game
Input Fields: URL
Input Data: http://localhost:3000/video_poker/test_deuces_wild
Corresponding Figure(s): Figure 22 - Figure 26

Video poker is a great game. It combines the ease of slots with the decision making of poker. Go back to the lobby, and browse to Video Poker.

Figure 22

After playing a few rounds, you might notice that Video Poker doesn't give us very good odds. What might help us here is if we could predict which cards were coming next. However, if we were to look at the cards we were dealt for a long time, we probably wouldn't notice any predictable patterns, as the cards are shuffled randomly and regularly. So let's see if we can "tilt the machine" to get some additional help.

One thing to note is that Ruby on Rails is based on routing. When you call video_poker/show, you are really requesting the "show" method of the "video_poker_controller" to be called. This is all tied together via the Rails framework. An interesting thing here is that Rails performs all this auto-magically; even if you don't have any HTML links to a method in your controller, I may still be able to call it if I can guess the name.

Ruby on Rails encourages test-driven development. Often times, left-behind test code can be a hacker's delight, giving access to resources unintentionally.

First, go to the lobby, and select Video Poker. Play a few hands to get the idea behind it. Once again, make sure to save some money so that we can cheat... ahem... improve our odds later.

Now, let's try to find any test methods in the video_poker_controller. We can't see what these are from the client side, so we'll have to guess.

Try:

http://localhost:3000/video_poker/test
http://localhost:3000/video_poker/test_video_poker
http://localhost:3000/video_poker/test_hand
...
http://localhost:3000/video_poker/test_deuces_wild

Wait a second, what was that last one? We found an opening! We ARE feeling lucky. This may seem unrealistic; however, this entire process of finding un-advertised methods in controllers could be automated.


What was the response to the request to this unadvertised method?

Figure 23: Screen shot of error message

Uh oh, someone forgot to turn their detailed error messages off! Let's look for goodies. First, go back to video poker and make a bet.


Figure 24: Our Hand

Then, enter the URL that causes the verbose error message (in a separate browser tab, to avoid losing this session). Look at the session dump tree (note: your session will look different, because the deck and hand are in a different state):


Figure 25: Session Dump Tree

Hm, looking at this data, we can see what's in our hand (user->hand->cards), and what's in the deck (vpgame->dealer->deck). We're not quite sure what the integer codes for suit and rank mean, though. Let's do some analysis.

Look at what the session says is in our hand:

             Suit   Actual Suit   Rank   Actual Rank
Card One     1      D             9      J
Card Two     1      D             8      10
Card Three   3      C             11     K
Card Four    1      D             4      6
Card Five    2      H             12     A

Judging from this, it looks like the following encoding is occurring:

Suit
Code   Actual Value
0      Spades
1      Diamonds
2      Hearts
3      Clubs

Rank
Code   Actual Value
0      2
1      3
2      4
3      5
4      6
5      7
6      8
7      9
8      10
9      J
10     Q
11     K
12     A

Knowing this, we can figure out the next five cards in the deck (at the bottom). They are:

Next Card 1: (8,2) -> 10 of Hearts
Next Card 2: (7,1) -> 9 of Diamonds
Next Card 3: (4,2) -> 6 of Hearts
Next Card 4: (5,3) -> 7 of Clubs
Next Card 5: (5,2) -> 7 of Hearts

If we were to only keep the six and the ten in our hand, we would get two pair. Go back to the game and try it (adjusting for your specific hand/deck).

Figure 26


And there we are. What an impossibly good decision! Let's also note that this kind of attack could be automated to speed up our results.

Sometimes this hack will help, such as in the case above, and sometimes it won't, because there may be no way to get a winning hand.

One thing to note is that Ruby on Rails by default has a very verbose error message in debug mode. In production mode, this kind of information is limited. But it wouldn't surprise most hackers to find a debug system in production!

;hats it, weve had enough[.lets cash out. :nce you have made J22,222 chips with , cash out
to your special account, number JJJ!JJJJ!JJJ (this re5uires a bit of hac"ing using a proxy. 'ou
will see a special message letting you "now youve won


About Foundstone Professional Services

Foundstone Professional Services, a division of McAfee, offers a unique combination of services and education to help organizations continuously and measurably protect the most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies, recommends, and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively.

Foundstone's Strategic Secure Software Initiative (S3i™) services help organizations design and engineer secure software. By building in security throughout the Software Development Lifecycle, organizations can significantly reduce their risk of malicious attacks and minimize costly remediation efforts. Services include:

• Source Code Audits
• Software Design and Architecture Reviews
• Threat Modeling
• Web Application Penetration Testing
• Software Security Metrics and Measurement

For more information about Foundstone S3i services, go to www.foundstone.com/s3i.

Foundstone S3i training is designed to teach programmers and application developers how to build secure software and to write secure code. Classes include:

• Building Secure Software
• Writing Secure Code - Java (J2EE)
• Writing Secure Code - ASP.NET (C#)
• Ultimate Web Hacking

For the latest course schedule, go to www.foundstone.com/education.


Acknowledgements

Many individuals at Foundstone contributed to the development and testing of Hacme Casino and the production of this whitepaper. Alex Smolen was the primary contributor and author of Hacme Casino 1.0. In addition, the rest of the "con" group helped review the project and prepare it for release. Thanks guys!
