
Disable HacmeBank localhost only access

March 18, 2011

Posted by alexoldman in Security.

HacmeBank is a vulnerable web application produced a few years back by Foundstone, now part of McAfee. It’s useful for teaching (learning) attack and defence techniques in web application security.

I run a VMware VM (Win XP) on my Windows 7 machine to deal with some of the Windows 7 incompatibility problems, such as the .NET Framework version. However, I run my penetration test tools on my Windows 7 host, so I have to make the HacmeBank web application available to my host. By design, the HacmeBank web application is configured to allow only local access (127.0.0.1). You can comment out a line in C:\Inetpub\wwwroot\HacmeBank_v2_Website\Web.config as follows to allow remote access.

<!-- <add name="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_Website"/> -->

Please be aware that removing this restriction makes your computer vulnerable to remote exploitation via the HacmeBank web application. In my case, that’s a VM, so it’s okay to do.
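
To confirm which state a given Web.config is in (for example, before moving the VM onto a shared network), the check below reports whether the local-only module is still registered. It is an added example, not code from the original post or from HacmeBank; the `<system.web>`/`<httpModules>` layout of the sample strings is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MODULE = "HttpModule_onlyAllowLocalAccess"  # module name taken from the post


def active_http_modules(web_config_xml):
    """Return the names of HTTP modules still registered in a Web.config string."""
    # The default parser drops XML comments, so a commented-out <add> vanishes.
    root = ET.fromstring(web_config_xml)
    active = []
    for section in root.iter("httpModules"):
        for child in section:  # ASP.NET applies add/remove/clear in order
            name = child.get("name")
            if child.tag == "add" and name:
                active.append(name)
            elif child.tag == "remove" and name in active:
                active.remove(name)
            elif child.tag == "clear":
                active.clear()
    return active


def local_only_enforced(web_config_xml):
    """True if the localhost-only module is registered, False if it is disabled."""
    return MODULE in active_http_modules(web_config_xml)


# Constructed sample: a minimal config with the restriction in place.
RESTRICTED = """<configuration>
  <system.web>
    <httpModules>
      <add name="HttpModule_onlyAllowLocalAccess" type="HacmeBank_v2_Website.httpModules.HttpModule_onlyAllowLocalAccess,HacmeBank_v2_Website"/>
    </httpModules>
  </system.web>
</configuration>"""

# Constructed sample: the same config after commenting the line out as in the post.
EXPOSED = RESTRICTED.replace("<add ", "<!-- <add ").replace("/>", "/> -->")

if __name__ == "__main__":
    for label, xml in (("restricted", RESTRICTED), ("exposed", EXPOSED)):
        print(label, "-> local-only enforced:", local_only_enforced(xml))
```

To check a real file, read its contents and pass them to `local_only_enforced`.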

Comments»

1. Constant - September 14, 2012

Hi,
This topic helped me to perform the tests via local IP address. Thanks.
Constant From France!
