I am looking for a very insecure ASP.NET application. Ideally I'm looking for an application that was written by a noob who has made a lot of security mistakes. If the app has an MS-SQL back-end that would be a bonus. I know of two cool projects for PHP and J2EE which fill my needs. Do you know anything like this for ASP.NET?

+1  A: 

I know one... there's a business near where I live, and I refuse to join their loyalty program because I accidentally stumbled across a SQL injection vulnerability on their site. I can't tell you who it is though, because they're a real business and I'm sure they don't want your students to hack them.

Why not write your own? Maybe start a CodePlex project called LearnSecurity, which has a combination of pages - some which use bad security practices and some which don't.

Rob Farley
Well said. My guess is his main intent is to demonstrate the weakness of ASP.NET. While writing a vulnerable app in ASP.NET is easy, it is not easy to write a good one that demonstrates the weakness of ASP.NET and other Microsoft technologies.
Jay Zeng
"My guess his main intent is to demonstrate the weakness of ASP.NET." -- you mean the weakness of any web application created by an inexperienced or otherwise inept developer.
StingyJack
A: 

Yes, as Rob suggested ... you could make a couple of pages ... on the first, get the input from a field and execute it against the database :) On the second, just get some text from the db that contains a JavaScript alert or something and render it directly on the page :) Just an idea ...

Petar Kabashki
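The two teaching pages described in the answers above, each shown in its insecure form beside the corrected one. This is an added example and not code from any answer; the class, table and column names are hypothetical, and the commands are only built, never executed, so no database is needed to run it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // .NET Framework, or the System.Data.SqlClient package
using System.Net;

// Hypothetical training-app helpers; table and column names are assumptions.
static class LearnSecurityDemo
{
    // Page 1, insecure: user input is concatenated into the SQL text,
    // so a quote character in the input changes the statement itself.
    public static SqlCommand FindCustomerInsecure(string name)
    {
        return new SqlCommand("SELECT Id, Name FROM Customers WHERE Name = '" + name + "'");
    }

    // Page 1, fixed: the SQL text is constant and the input travels as a typed parameter.
    public static SqlCommand FindCustomerSafe(string name)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM Customers WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Page 2, insecure: text read from the database is written into the markup as-is.
    public static string RenderCommentInsecure(string stored)
    {
        return "<p>" + stored + "</p>";
    }

    // Page 2, fixed: encode on output so stored markup is displayed, not interpreted.
    public static string RenderCommentSafe(string stored)
    {
        return "<p>" + WebUtility.HtmlEncode(stored) + "</p>";
    }

    static void Main()
    {
        string name = "O'Brien";                      // constructed input
        string stored = "<script>alert(1)</script>";  // constructed stored value
        Console.WriteLine(FindCustomerInsecure(name).CommandText);
        SqlCommand safe = FindCustomerSafe(name);
        Console.WriteLine(safe.CommandText + "  [@name = " + safe.Parameters["@name"].Value + "]");
        Console.WriteLine(RenderCommentInsecure(stored));
        Console.WriteLine(RenderCommentSafe(stored));
    }
}
```

Comparing the printed output of each pair shows students where the input stops being data: inside the SQL text in the first case, and inside the HTML markup in the second.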
+6  A: 

Hacme Bank is a pretty good example from Foundstone of what not to do. It's an older example, written in .NET 1.1 against SQL 2000, but covers most of the common vulnerabilities found in web applications.

bcwood
+1 for actually finding an example.
Jim Schubert
A: 

You can search the vulnerability databases, like NIST's one.

Remus Rusanu