[Owasp-o2-platform] O2 intro

dinis cruz dinis.cruz at owasp.org
Wed Jun 1 08:19:26 EDT 2011


Hi Bruno, no worries about being confused, O2 is VERY confusing for new
users :)

On HacmeBank have you seen the O2 Scripts that automate a number of its
exploits?

Here are a couple pointers for you to start:

   - Main O2 page for hacmeBank: http://o2-ounceopen.com/wiki/HacmeBank
   - The opensource version is here:
   http://code.google.com/p/owasp-hacmebank/
   - O2 Scripts on HacmeBank
      -
      http://code.google.com/p/o2platform/source/browse/trunk/#trunk%2FO2_Scripts%2F_Sample_Vulnerabilities%2FHacmeBank
   - O2 BlackBox Analysis
      - API with core HacmeBank functionality:
      http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/HacmeBank/API_HacmeBank.cs
      -
      http://o2-ounceopen.com/wiki/HacmeBank%5CUnit_Tests_for_Vulnerabilities
      -
      http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/HacmeBank/HacmeBank_BlackBox_Exploits.cs.o2see
here the video of this in action
      http://www.youtube.com/watch?v=T2XVufhJLig&NR=1
      - Here is a video on the current script that starts the local web
      servers: http://www.youtube.com/watch?v=vucYncGiClE&feature=related
   - O2 WhiteBox/Source-Code Analysis
      -
      http://o2-ounceopen.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoCwith
explanation here
      http://diniscruz.blogspot.com/2010/05/major-o2-milestone-complete.html.
Also using this script is this BlackBox and whiteBox Poc of HacmeBank
SQL
      injection vulnerability:
      http://www.youtube.com/watch?v=MdObVD53Iyg&feature=related
      - http://o2-ounceopen.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_Example
   - I also started writing an installer script for
HacmeBank<http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/3rdParty_Tools/_Installers/HacmeBank.cs>which
I have not completed (see if you can complete it)

Other resources:

   - Nice video on how to exploit HacmeBank WebServices using SoapUI:
   http://www.youtube.com/watch?v=KftIvpRk7oQ

For more ideas on where to start on O2 see
http://diniscruz.blogspot.com/2010/07/o2-platform-ideas-on-where-to-start.html

Finally here is a exercise for you:

"...reuse this HacmeBank IE Automation script

        public API_HacmeBank login(string userName, string password)
        {
                loginPage();
                        ie.field("txtUserName").value(userName);
                        ie.field("txtPassword").value(password);
                        ie.button("Submit").click();
                        return this;
        }

   on this script (instead of the Altoro SQLi)


http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/Altoro/PoC%20-%20SQLi%20Vulns%20via%20FuzzDb%20with%20Screenshots.h2


(the SQLi script above will fuzz the login sequence and take a screenshot
after each request
..."

Note that the scripts above are the ones that you will find on your local
C:\O2\O2Scripts_Database\_Scripts folder

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20110601/c9c0a157/attachment.html 


More information about the Owasp-o2-platform mailing list