Using O2 to exploit HacmeBank

Just posted this to the o2 mailing list:

Hi ..., no worries about being confused, O2 is VERY confusing for new users :)

On HacmeBank have you seen the O2 Scripts that automate a number of its exploits?

Here are a couple pointers for you to start:

• Main O2 page for hacmeBank: http://o2-ounceopen.com/wiki/HacmeBank
• The opensource version is here: http://code.google.com/p/owasp-hacmebank/
• O2 Scripts on HacmeBank
• http://code.google.com/p/o2platform/source/browse/trunk/#trunk%2FO2_Scripts%2F_Sample_Vulnerabilities%2FHacmeBank
• O2 BlackBox Analysis
• API with core HacmeBank functionality: http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/HacmeBank/API_HacmeBank.cs
• http://o2-ounceopen.com/wiki/HacmeBank%5CUnit_Tests_for_Vulnerabilities
• http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/HacmeBank/HacmeBank_BlackBox_Exploits.cs.o2see here the video of this in action http://www.youtube.com/watch?v=T2XVufhJLig&NR=1
• Here is a video on the current script that starts the local web servers: http://www.youtube.com/watch?v=vucYncGiClE&feature=related
• O2 WhiteBox/Source-Code Analysis
• http://o2-ounceopen.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC with explanation here http://diniscruz.blogspot.com/2010/05/major-o2-milestone-complete.html . Also using this script is this BlackBox and whiteBox Poc of HacmeBank SQL injection vulnerability: http://www.youtube.com/watch?v=MdObVD53Iyg&feature=related
• http://o2-ounceopen.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_Example
• I also started writing an installer script for HacmeBank which I have not completed (see if you can complete it)

Other resources:

• Nice video on how to exploit HacmeBank WebServices using SoapUI: http://www.youtube.com/watch?v=KftIvpRk7oQ

For more ideas on where to start on O2 see http://diniscruz.blogspot.com/2010/07/o2-platform-ideas-on-where-to-start.html

Finally here is a exercise for you:

"...reuse this HacmeBank IE Automation script

public API_HacmeBank login(string userName, string password)

{

loginPage();

ie.field("txtUserName").value(userName);

ie.field("txtPassword").value(password);

ie.button("Submit").click();

return this;

}

on this script (instead of the Altoro SQLi)

http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/Altoro/PoC%20-%20SQLi%20Vulns%20via%20FuzzDb%20with%20Screenshots.h2

(the SQLi script above will fuzz the login sequence and take a screenshot after each request
..."

Note that the scripts above are the ones that you will find on your local C:\O2\O2Scripts_Database\_Scripts folder