Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on.

2. Hackazon
Hackazon is a free, vulnerable test site that is an online storefront built with
the same technologies used in today’s rich client and mobile applications.
Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a
companion mobile app providing uniquely-effective training and testing
ground for IT security professionals. And, it’s full of your favorite vulnerabilities
like SQL Injection, cross-site scripting and so on.

3. Links
• Internet: http://hackazon.webscantest.com
• Info:
• http://cybersecology.com/hackazon-review/
• https://github.com/rapid7/hackazon
• Installation: https://appspider.help.rapid7.com/docs/hackazon-installation-guide
• Testing:
• https://github.com/rapid7/hackazon/blob/master/VULNERABILITIES.md
• https://appspider.help.rapid7.com/docs/conducting-a-basic-test-manually-
against-hackazon
• https://blog.securityevaluators.com/hacking-hackazon-2bda9830ccf0

4. Tools
• BurpSuite
• OwaspZap
• Nexpose

5. Registration verification via email

6. Don’t Save passwords to browser
To prevent the browser from saving passwords (and usernames), you need to:
•copy username and password to hidden form fields before submitting the login form
•clear the visible username and password fields
•set autocomplete=off for good measure
This makes the browser attempt to save empty credentials, or not save at all.
A login form might look like this:
COPY
<form action='/login' class='login-form' autocomplete='off'>
Email: <input type='email' name='email-entry'> <input type='hidden' name='email'>
Password: <input type='password' name='password-entry'> <input type='hidden'
name='password'>
</form>
<script> $('.login-form').on('submit', function() {
$('[name="email"]').val($('[name="email-entry"]').val()); $('[name="email-entry"]').val('');
$('[name="password"]').val($('[name="password-entry"]').val()); $('[name="password-
entry"]').val(''); }); </script>
https://makandracards.com/makandra/34245-
how-to-disable-auto-complete-on-login-forms

7. Captcha on registration
Integrate Google reCAPTCHA in your website
To integrate it into your website you need to put it in the client side as well as
in Server side. In client HTML page you need to integrate this line before the
tag.
<script src="https://www.google.com/recaptcha/api.js?render=put your
site key here"></script>
Google reCAPTCHA v3 is invisible. You won’t see a captcha form of any sort
on your web page. You need to capture the google captcha response in your
JavaScript code. Here is a small snippet.
<script src="https://www.google.com/recaptcha/api.js?render=put your site
key here"></script>
<script>
grecaptcha.ready(function() {
grecaptcha.execute('put your site key
here', {action:'homepage'}).then(function(token) {
// pass the token to the backend script for verification
});
});
</script>
https://codeforgeek.com/google-recaptcha-v3-tutorial/

8. Session Fixation
Update session after:
• Registration
• Authorization
• Password change
• Logout

9. User Enumeration
Prevent any information
about user existence

10. Password guessing
Use Burp Intruder to guess password for previously enumerated users

11. SQL Injections
$name = $_POST['name']; // $_POST['name'] == "a'='a' OR 1=1 #"
$query = "SELECT name, password FROM user WHERE name='" .
$name . "' AND role = 'user'";
Blind injection identified by Sleep command
Prevention:
• Prepared Statements (with Parameterized Queries)
• Use of Stored Procedures
• Whitelist Input Validation
• Escaping All User Supplied Input
• Enforcing Least Privilege
• Performing Whitelist Input Validation
https://github.com/OWASP/CheatSheetSeries/blob/master/
cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md
Unsafe:
String query = "SELECT account_balance FROM us
er_data WHERE user_name = "
+ request.getParameter("customerName"); try {
Statement statement = connection.createStatement(
... );
ResultSet results = statement.executeQuery( query )
; }

12. Remote File Include
RFI Injection allows to use an app
logic where the app includes some file
based on user input. In our app it's
implemented in the Help Articles
section:
http://hackazon.webscantest.com/accoun
t/help_articles?page=/etc/passwd%00

13. XSS
Implement test cases based on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

14. File Input (XXE, XSS Persistent)
http://hackazon.webscantest.com/user_pictures/e8/PersistFileXSS.html
<html>
<script>
alert(document.cookie);
</script>
</html>
Potential XXE
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [
<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd"
>]><foo>&xxe;</foo>

15. CSRF
•Write wrappers (that would auto add tokens when used) around default form
tags/ajax calls and educate your developers to use those wrappers instead of
standard tags. Though this approach is better than depending purely on
developers to add tokens, it still is vulnerable to the issue of human tendency to
forget things. Spring Security uses this technique to add CSRF tokens by default
when a custom <form:form> tag is used, you can opt to use after verifying that its
enabled and properly configured in the Spring Security version you are using.
•Write a hook (that would capture the traffic and add tokens to CSRF vulnerable
resources before rendering to customers) in your organizational web rendering
frameworks. Because it is hard to analyze when a particular response is doing
any state change (and thus needing a token), you might want to include tokens
in all CSRF vulnerable resources (ex: include tokens in all POST responses).
This is one recommended approach, but you need to consider the performance
costs it might incur.
•Get the tokens automatically added on the client side when the page is being
rendered in user’s browser, with help of a client side script (this approach is
used by CSRF Guard). You need to consider any possible JavaScript hijacking
attacks.
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-
Site_Request_Forgery_Prevention_Cheat_Sheet.md

16. Open Redirect
• Link to authorization:
hackazon.webscantest.com/user/login?return_url=https://hack.me

17. IDOR
“id”, “user_id”, “value”, “pid”, “post_id”
https://www.bugcrowd.com/blog/how-
to-find-idor-insecure-direct-object-
reference-vulnerabilities-for-large-bounty-
rewards/
INSECURE
DIRECT
OBJECT
REFERENCE

18. 101 Web Hacking
https://darkweblinks.org/files/hacking/scribd-
download.com_web-hacking-101.pdf