
List:       websecurity
Subject:    RE: [WEB SECURITY] "hack-me" Ajax apps?
From:       "Jeff Robertson" <jeff.robertson () digitalinsight ! com>
Date:       2006-08-16 18:20:07
Message-ID: BA71243C5785D045B0C9C2CB926FDB10019C3104 () ATLEXM01 ! corp ! ad ! diginsite ! com

I was thinking mainly of authorization and authentication (or lack
thereof). Web services that let "anybody" call them and get data that
should require auth, etc.

> -----Original Message-----
> From: kurt@xxxxxxxxxxxxxxx [mailto:kurt@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, August 16, 2006 14:26
> To: Jeff Robertson; webappsec@xxxxxxxxxxxxxxxxx; 
> websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] "hack-me" Ajax apps?
> 
> Jeff-
> 
> I have an AJAX-enabled version of BadStore.net that is 
> basically ready for distribution (awaiting primarily 
> documentation updates).  There is an AJAX search function 
> that hits against a MySQL table and returns XML data through 
> CGI::AJAX.
> 
> The current public version of BadStore.net is v1.2.3 and has 
> basic WebAppSec demo capabilities.  The AJAX/Web Services is 
> v2.1.x and I can email you a Beta for review and comment.  If 
> you're interested in contributing your coding talents to this 
> open-source project, that would also be encouraged and appreciated!
> 
> What AJAX hacking capabilities are you looking for???  It 
> should be relatively easy to bake it in, as the 
> infrastructure is already in place. 
> 
> -Kurt
> 
> PS - BadStore.net is a GNU-licensed open-source demo, 
> training, and evaluation platform for WebAppSec.  It's a 
> bootable distro that's distributed as an .iso image that runs 
> a vulnerable server/app directly or under virtualization 
> (VMWare, Que, etc.) requiring only 128MB memory.  
> BadStore.net is LAMP (Linux Apache MySQL and Perl) and 
> requires no installation - just boot and point a browser at 
> it.  When you hack it to death, just reboot and you're back 
> where you started.
> -----Original Message-----
> 
> From:  "Jeff Robertson" <jeff.robertson@xxxxxxxxxxxxxxxxxx>
> Subj:  [WEB SECURITY] "hack-me" Ajax apps?
> Date:  Wed Aug 16, 2006 5:13 am
> Size:  480 bytes
> To:  <webappsec@xxxxxxxxxxxxxxxxx>,<websecurity@xxxxxxxxxxxxx>
> 
> Where could I find hackable, fake, Ajax application? Like 
> webgoat, etc., but all Ajax?
> 
> If the answer is to "write one", I'm willing, but I'd rather 
> not reinvent any wheels.
> 
> 
> --------------------------------------------------------------
> --------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> 
> 
> 
