Wouldn't it be great if you could beat the dealer every time you played a hand of Blackjack? Foundstone's Hacme Casino shows you how that could happen if you came across an insecure online casino Web site.
The newest addition to the Foundstone collection of free tools, Hacme Casino is an online casino that has several security vulnerabilities baked in. Built with Ruby on Rails and with plenty of Ajax functionality, the tool is meant to help educate developers and testers about Web application security in the context of new technologies.
"Hacme Casino shows some of the threats that online gaming applications face," said Alex Smolen, Hacme Casino author and consultant at Foundstone Professional Services. "In Hacme Casino, an attacker can subvert the application logic and exploit security vulnerabilities to improve their odds and increase their chip stack. Additionally, attackers can bypass authentication to access other users' accounts. In most real-world applications, this would be a severe breach of privacy."
The vulnerabilities in Hacme Casino can be extrapolated to a variety of other Web applications. Issues such as SQL injection and cross-site request forgery are regularly seen in real-world Web applications.
"One of goals of the Hacme series is to get developers to see how these issues may be present in their own code, which is why we have Hacme apps in a variety of platforms and commercial areas," Smolen said.
The importance of including Ajax in the tool is to show how there's so much going on under the covers that could be exploited if you don't understand the risks, Smolen said.
"In particular, Ajax apps tend to place more code on the client side and expect that code to run as is, when in reality attackers can and will analyze and modify the client side code to cause unexpected consequences," he said. "Additionally, the Ajax end point on the server may not be secured properly, as developers may not anticipate direct requests from hackers."
People key to good security testing
Smolen acknowledged that there are tools available that help with certain application security issues, but he doubts that any would detect and appropriately diagnose the issues in Hacme Casino.
"That's not to say that technology is useless in application security analysis, but it really requires the people and process elements surrounding it to be effective," Smolen said.
Hacme Casino focuses on Web application security from the testing perspective. As such, it does not provide tips or advice for closing the security holes. However, Smolen said Foundstone has courses that guide students through the process of finding and fixing vulnerabilities in Hacme applications.
If you'd like to try your luck and see if you can break the bank at Hacme Casino, download the tool from Foundstone's Web site.
For information about other free tools from Foundstone, including Hacme Bank, Hacme Books, Hacme Shipping, Hacme Travel and Hacme Flowers, visit the resource section of Foundstone's Web site.