In this assignment, we put ourselves in the shoes of security engineers. The goal is to gain experience in expressing security requirements and in engineering security into software. In particular, we detect, and fix, violations of security requirements.

Description

Here.

Notes

  • server code

    • once the web server is running (i.e. when you see "starting web server" in the console output), you can access PayBud by navigating to http://localhost:5000 in your browser. we recommend using the Chromium browser (it's installed on Kali Linux); PayBud is buggy in Firefox (last we checked).

    • the database which stores users and accounts is initially empty. Before attempting to log in (or hack a user account), make sure that said user account exists (i.e. create it first).

    • if you want PayBud to be able to send e-mails, then create a Gmail account (leaving optional fields blank), enable "less secure apps" on the account, and replace the hard-coded credentials in EM.java with the credentials of this new account. if you want PayBud users to receive e-mails, consider using Mailinator. For instance, all e-mail sent to alice@mailinator.com will end up in the alice "Public Mailinator Inbox" (which you, and anyone, can view here).

  • dictionary attack

    • we use patator to perform dictionary attacks. it is a great tool. unfortunately, (at the time of writing,) there is a bug in one of the libraries that patator uses on Kali. to fix it, download patator-patch and, in the directory where you saved it, run

      $ sudo patch /usr/bin/python patator-patch

      (note that this is a quick and dirty fix; if the library maintainer fixes this and you do an apt upgrade, you might get errors, in which case you'll need to undo this change first.)

    • if you want to dictionary attack PayBud, modify the following command accordingly (see the exercise sessions on how to obtain pw.lst; pick a password from pw.lst, e.g. "nightshade" w/o quotes).

      $ PYTHONWARNINGS=ignore patator http_fuzz url="http://localhost:5000/api/login?email=alice@mailinator.com&password=FILE0" 0=pw.lst -x ignore:code=401
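
Detecting the attack rather than running it, as an added example that is not part of the assignment or of PayBud's code: the Python below scans constructed access-log lines (hypothetical layout; PayBud's real log format is not given here) for bursts of 401 responses on /api/login against a single email, which is the server-side signature of the patator run above, and notes when a 200 follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical layout: client IP, ISO
# timestamp, method, path, status). Passwords are not logged; the query
# string keeps only the email so the detector can key on the targeted account.
SAMPLE_LOG = """\
127.0.0.1 2024-03-01T12:00:00 GET /api/login?email=alice@mailinator.com 401
127.0.0.1 2024-03-01T12:00:00 GET /api/login?email=alice@mailinator.com 401
127.0.0.1 2024-03-01T12:00:01 GET /api/login?email=alice@mailinator.com 401
127.0.0.1 2024-03-01T12:00:01 GET /api/login?email=bob@mailinator.com 401
127.0.0.1 2024-03-01T12:00:01 GET /api/login?email=alice@mailinator.com 401
127.0.0.1 2024-03-01T12:00:02 GET /api/login?email=alice@mailinator.com 401
127.0.0.1 2024-03-01T12:00:02 GET /api/login?email=alice@mailinator.com 200
127.0.0.1 2024-03-01T12:05:00 GET /api/login?email=bob@mailinator.com 401
127.0.0.1 2024-03-01T12:05:01 GET /api/login?email=bob@mailinator.com 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) \S+ /api/login\?email=(?P<email>[^&\s]+)\S* (?P<status>\d{3})$"
)


def detect_dictionary_attacks(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag accounts that see `threshold` or more 401s on /api/login within any
    sliding `window`, and record whether a 200 followed such a burst (the sign
    of a guess that hit). Returns
    {email: {"max_failures": n, "success_after_burst": bool}}."""
    recent = defaultdict(deque)  # email -> timestamps of 401s still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        email, ts = m["email"], datetime.fromisoformat(m["ts"])
        q = recent[email]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if m["status"] == "401":
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(email, {"max_failures": 0, "success_after_burst": False})
                a["max_failures"] = max(a["max_failures"], len(q))
        elif m["status"] == "200" and len(q) >= threshold:
            alerts[email]["success_after_burst"] = True
    return alerts
```

A rate limit or lockout on /api/login keyed on the same email (and on the client IP) is the corresponding fix on the server side; the detector above is what tells you the requirement was violated.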

  • spotbugs