SecProject Web AppSec Challenge – Series 1

There are 5 web application security questions that have been set as a challenge. You will receive points based on your solutions (please see the Pointing System). The deadline for this challenge is end of May 2012.
You can use your twitter ID to be followed by other people who follow this challenge. You can also send me a link to your blog/website/twitter to be linked in the table.
Please send your solutions with the subject: “SecProject Web AppSec Chal1 – Your Name” to sdalilimail-challenge1 [at] yahoo [d0t] com. Please do not send the solutions to any other email address.

Hall of Fame:

There is a direct link to Hall of Fame accessible via Project menu:

[redacted]

Deadline: 1st of June – 24:00 GMT

The rules are as follows:

General Rules:

1- Identical answers will be counted only for the first reporter.
2- Please do not use automated tools on the targets as they can lead to a denial of service for other contestants.
3- Please do not publish your answers till the deadline. Thanks in advance.

XSS Rule(s):

You need to “alert” your name on the screen. You are not allowed to create a new HTML tag.
Note: it is ASP!…

SQL Injection Rule(s):

You need to exploit the provided sample website to: 1- read the admin password and 2- achieve the secret text which means you have reached the forbidden area successfully.
I think you need to take a look at the source code for this one! The database is a MS Access database which makes it more challenging.

Vuln Bank Application Rule(s):

You need to increase your total money to more than 100.
You have the source code (ASP VBScript) to be able to try this vulnerable bank application offline. (“resetall.asp” is just for debugging purposes)

Questions are as follows:

Download links are as follows:

http://Soroush.secproject.com/downloadable/secproject.com-challenge1.zip
http://sdl.me/challenge1/secproject.com-challenge1.zip

XSS1:

Test Target = http://sdl.me/challenge1/xss1/JsChallenge1.asp

XSS2:

Test Target = http://sdl.me/challenge1/xss2/JsChallenge2.asp

XSS3:

Test Target = http://sdl.me/challenge1/xss3/JsChallenge3.asp

SQL Injection:

Test Target = http://sdl.me/challenge1/sqli/

Vuln Bank Application:

Test Target = http://webapsecchall01.brinkster.net/vulnbankapp4543334/ [currently does not work due to the hosting problem – please run it locally for your testing]
Note: A fresh target will be provided for you if you can explain the vulnerability correctly and you want to exploit it.

Goals and Pointing System:

XSS Points (Max 60 Points – Per Each):

Mozilla Firefox 12.0 without NoScript: +5 Points
IE9 Anti-XSS Bypass: +15 Points
Latest Chrome Anti-XSS Bypass: +10 Points
IE9 & Chrome at the same time with 1 link: +5 Points
NoScript Bypass: +25 Points
Note: In order to get the points, you need to send me the link(s) that will lead to an “alert” message by opening it. If you are using any specific encoding/packing that make your inputs unreadable, you need to explain your method briefly. If each link is related to a specific browser, please mention that as well next to it.

Amendment (new): XSS3 now has double points (120 points in total) due to a problem in its implementation which made it extremely hard.

SQL Injection Point (Max 60 Points):

Reading the admin password: 20 Points
Running the code in the critical area of the code and achieving the secret code: 40 Points
Note: In order to get the points, you need to send me the link(s) that can perform the attack along with its explanation.

Virtual Bank Application Point (Max 60 Points):

Correct Explanation: 20 Points
Exploitation on a Custom Website: 40 Points
Note: In order to get the points, please send your explanation in English. If you think it is easier for you to send me a video link for this exploit, you can also add that to your explanation. Please tell me if you want to exploit the vulnerability on a sample link, then I can send you the relevant link if your explanation was correct.

History of These Questions:

This challenge is based on real and interesting issues that I have seen during my web application testing. I thought it can be good to share some of them with you to challenge your skills. The XSS issues came from an issue in Yahoo.com website two years ago which has been fixed now. The SQL Injection issue was inside a popular web application which I cannot announce its name and you may already know it; and the last issue is a general vulnerability of many web applications.
I have added some spice to the questions to make them even more interesting. All of these issues are exploitable (XSS3 has not been tested previously), but you need to be initiative to get more points.

Thanks to: Mario HeiderichBen Sheppard, and Gareth Heyes for their comments on this challenge. As they do not have the answers, they can still attend this challenge!