If you are trying to use O2, I strongly recommend that you read it, since it shows nice step-by-step instructions on how to use O2 to log in to HacmeBank.
What is even more interesting is that Michael didn't actually use the HacmeBank scripts that already exist in O2 :)
And there is a LOT that can be done with O2 and HacmeBank:
- If you look in the HacmeBank folder from the locally cloned O2.Platform.Scripts repository, you will find:
  - API_HacmeBank.cs - First pass at creating an API with the IE automation methods (for example login). This file also contains the scripts that were used to create the GUI you can see in this video: Demo Script - HacmeBank Full PoC.
    - With this API you can log in as a user with just: new API_HacmeBank().login()
  - HacmeBank_BlackBox_Exploits.cs.o2 - This is a mix of an API and Execution GUI (in fact this API is better than the one above). You can see this script in action in this video: HacmeBank - exploit's execution gui. This API is a good example of the type of evolution that happens after a couple of generations of Michael's original script (note that these are set up as NUnit tests but the Asserts are missing):
    - launch_HacmeBank
    - open_HacmeBank_login_page
    - login_Fail
    - login_as_JV
    - vulnerability_Sql_Injection_in_Login_page
    - vulnerability_Autorization_Bypass_in_Login_page
    - vulnerability_Authentication_Failure_in_Accounts_Details_page
    - vulnerability_Sensitive_Information_Disclosure_in_Admin_Section
    - vulnerability_Autorization_Failure_on_Admin_Controls
  - Map HacmeBank Ascx EntryPoints.h2 - This is a very important script which uses the O2 Static Analysis engine to create a Findings file with the mapping between the URLs and the ascx classes used (this is the 'missing link' between static and dynamic analysis). Without this script it is impossible to create the 'Full Trace' shown below.
  - Wizard - Start HacmeBank.cs.o2 - This is a Wizard that can be used to start both the website and the webservices. This is a bit out of date, since these days I tend to use the script from HacmeBank_BlackBox_Exploits.cs.o2
  - HacmeBank - Custom O2 AST Security Scanner.h2 - This is a first pass at creating a custom scanner for HacmeBank. Note that to run this you will first need to have created the MethodStreams for the HacmeBank source code (that is a topic for another post).
  - HacmeBank_FullPoc.h2 - This script (which you can see in action in this video) represents what we need to give developers when showing a particular vulnerability (and also shows the type of GUIs and automation that can be created with O2). Basically, what you have in there is a BlackBox animation followed by a WhiteBox animation of its vulnerability.
    - See Major O2 Milestone: 'Complete Vulnerability Trace' for an HacmeBank Sql Injection vulnerability for a couple more details
- In the O2 Blog there are a number of HacmeBank related posts:
  - O2 .NET AST Scanner – HacmeBank – SQL Injection PoC
  - HacmeBank – Unit Tests for Vulnerabilities
  - O2 .NET AST Scanner - HacmeBank Example (in the O2 wiki, which needs to be converted into the Blog)
- HacmeBank related videos:
  - HacmeBank - exploit's execution gui
  - O2 Video - Demo Script - HacmeBank Full PoC
  - HacmeBank - wizard to start server
  - Using the O2 .NET Ast Engine
  - More videos here, for example O2 Platform - XSS PoC builder
- More posts with some more details and ideas: