Saturday, August 9, 2008

Additional Security Issues: Hacme Casino

Hacme Casino from Foundstone is a well-known vulnerable web application from the Hacme series, used as a learning platform for secure software development. It is accompanied by a solution guide that demonstrates the security issues in the application.

During my own usage (for self-learning, developer group trainings and security group demonstrations) I have discovered a few more vulnerabilities, which I am sharing here for the benefit of those who wish to get more out of Hacme Casino.

1. Vulnerability Exploited: Insecure Direct Object Reference

For vulnerability description refer here.

As seen in the screenshot below, it is possible to download potentially any file from the web server's file system without authentication by guessing its path and referencing it directly. Here we have downloaded boot.ini, which is arguably not sensitive. Nevertheless, sensitive files can potentially be downloaded in the same way.
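The defensive counterpart to this finding is a download handler that refuses to serve anything outside its intended directory. The following Ruby snippet is an added illustration, not code from Hacme Casino; the directory name, the map of opaque keys to file names, and the function names are all assumptions made for the example. It contrasts the unsafe "join the user's string to a base directory" pattern with two mitigations: canonicalising the path and checking that it is still under the base directory, and the indirect-reference-map approach where the client only ever sees opaque keys.

```ruby
require 'securerandom'

# Directory from which downloads are legitimately served (assumed location).
DOWNLOAD_ROOT = File.expand_path('/srv/hacme/public/downloads').freeze

# Vulnerable pattern: the user-supplied name is appended to the root and
# served as-is, so "../../boot.ini" walks out of the directory.
def vulnerable_download_path(user_supplied)
  File.join(DOWNLOAD_ROOT, user_supplied)
end

# Hardened pattern: canonicalise the combined path (collapsing "." and "..",
# and ignoring the root entirely if the input is absolute) and require that
# the result still lies strictly below DOWNLOAD_ROOT. Works on strings only,
# so it runs without touching the filesystem; in production you would also
# call File.realpath on the result so symlinks cannot point outside the root.
def safe_download_path(user_supplied)
  return nil if user_supplied.nil? || user_supplied.empty?
  return nil if user_supplied.start_with?('~')          # no home-dir expansion
  candidate = File.expand_path(user_supplied, DOWNLOAD_ROOT)
  return nil unless candidate.start_with?(DOWNLOAD_ROOT + File::SEPARATOR)
  candidate
rescue ArgumentError                                     # e.g. embedded NUL byte
  nil
end

# Indirect reference map: the browser only ever sees the opaque keys on the
# left; the file names are chosen by the application, never by the client.
# (Constructed sample entries.)
DOWNLOAD_MAP = {
  'rules' => 'house_rules.pdf',
  'odds'  => 'payout_table.pdf'
}.freeze

def resolve_download(key)
  name = DOWNLOAD_MAP[key]
  name && safe_download_path(name)
end

if __FILE__ == $PROGRAM_NAME
  ['house_rules.pdf', '../../boot.ini', '/boot.ini', 'sub/../../x'].each do |input|
    puts format('%-18s unsafe=%-55s safe=%s', input,
                vulnerable_download_path(input), safe_download_path(input).inspect)
  end
end
```

Note that the check runs on the decoded path the application sees; URL-encoded traversal sequences (`%2e%2e%2f`) are decoded by the framework before they reach this function, which is exactly why the check has to sit on the final string rather than on the raw URL.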



2. Vulnerability Exploited: Session Fixation

For information on Session Fixation refer here. The following steps confirm the vulnerability.

Step 1: Login with a fixed session ID as seen in the Paros proxy screenshot.

Step 2: Check the trapped response in Paros. As we can see, the session ID is the same as the one we fixed.


Step 3: This step is not strictly required, but serves as a double check. Let's access the OPTIONS link. The session ID trapped in Paros is definitely the one we fixed. The next screenshot confirms that it was indeed possible to access OPTIONS with this session ID.
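What the three steps above demonstrate is that the application accepts a session identifier it never issued and keeps it across login. The Ruby below is an added example, not Hacme Casino's own session code (the `SessionStore` class, its method names and the sample user are assumptions). It models the fixation-prone login next to the corrected one, which discards the pre-authentication session and issues a fresh, server-generated ID, and it includes the simple request/response comparison that the Paros check in Step 2 performs by eye.

```ruby
require 'securerandom'

class SessionStore
  def initialize
    @sessions = {} # session_id => { user: name or nil }
  end

  # Issue a brand-new, server-chosen identifier.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = { user: nil }
    id
  end

  # Honour only IDs that exist in the store; unknown IDs resolve to nothing.
  def lookup(id)
    @sessions[id]
  end

  # Fixation-prone login: whatever ID arrived in the request cookie is kept,
  # even if the server never issued it, and is then bound to the user.
  def login_fixation_prone(id, user)
    @sessions[id] ||= { user: nil }
    @sessions[id][:user] = user
    id
  end

  # Hardened login: the incoming ID (issued or not) is thrown away and a new
  # one is generated after successful authentication, so an ID known to a
  # third party before login is worthless afterwards.
  def login_with_rotation(id, user)
    @sessions.delete(id)
    new_id = create
    @sessions[new_id][:user] = user
    new_id
  end
end

# The check behind Step 2: if the session ID sent with the login request
# comes back unchanged in the response's Set-Cookie, the ID was not rotated.
def session_id_reused?(request_session_id, response_session_id)
  !request_session_id.nil? && request_session_id == response_session_id
end

if __FILE__ == $PROGRAM_NAME
  attacker_chosen = 'fixed123' # constructed, never issued by the server
  store = SessionStore.new
  kept = store.login_fixation_prone(attacker_chosen, 'andy')
  puts "vulnerable login kept ID: #{session_id_reused?(attacker_chosen, kept)}"
  fresh = store.login_with_rotation(attacker_chosen, 'andy')
  puts "hardened login kept ID:   #{session_id_reused?(attacker_chosen, fresh)}"
end
```

In a Rails application the equivalent of `login_with_rotation` is calling `reset_session` on successful login before storing the user in the session; the point of the toy store is to make visible why that call matters.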



3. Vulnerability Exploited: Cross Site Request Forgery


For vulnerability description refer here. Below are additional functions that are vulnerable to CSRF. The exploitation method is the same as described in the Hacme Casino guide.

http://localhost:3000/account/cash_out
http://localhost:3000/account/update_options
http://localhost:3000/blackjack/bet
http://localhost:3000/video_poker/bet
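All four of these paths change account state, which is what makes a forged request worthwhile, and the standard mitigation is a per-session secret that must accompany every state-changing request. The Ruby below is an added example and not Hacme Casino's code: it simulates the request dispatch for the four paths listed above, issues a session-bound token, and rejects any state-changing request that does not carry a matching token or that arrives with a method other than POST. The request and session hashes, the helper names and the parameter name `authenticity_token` (the name Rails uses for its own token) are assumptions for the example.

```ruby
require 'securerandom'

# The state-changing actions identified above; GET must never reach them.
STATE_CHANGING = %w[
  /account/cash_out
  /account/update_options
  /blackjack/bet
  /video_poker/bet
].freeze

# One secret per session, generated server-side and embedded in each form.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the token cannot be guessed byte by byte
# through response timing.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# request: { method: 'GET'|'POST', path: String, params: Hash }
# Returns true when the request may proceed.
def csrf_protected?(session, request)
  return true unless STATE_CHANGING.include?(request[:path]) # read-only path
  return false unless request[:method] == 'POST'            # no GET side effects
  constant_time_equal?(session[:csrf_token], request[:params]['authenticity_token'])
end

# Tiny dispatcher: applies the check, then the (stubbed) action. Returns the
# HTTP status it would answer with, so the decision is observable.
def dispatch(session, request)
  return 403 unless csrf_protected?(session, request)
  200
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)
  forged = { method: 'POST', path: '/account/cash_out', params: {} }      # constructed
  genuine = { method: 'POST', path: '/account/cash_out',
              params: { 'authenticity_token' => token } }                 # constructed
  puts "forged request  -> #{dispatch(session, forged)}"
  puts "genuine request -> #{dispatch(session, genuine)}"
end
```

The token is tied to the session rather than to the user name, so a page loaded by the victim's browser from a third-party site cannot read it (same-origin policy) and therefore cannot complete the forged POST.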