Who wants to be a Millionaire

March 7, 2012, by | Start Discussion

Everyone wants to be Millionaire and this article is just going to tell you how you can become one. The Web 2.0 has opened lots of opportunities and possibilities along with lots of security issues. One of the popular technology is “Flash” along with its never ending security issues. People laugh when they hear the terms “Flash” and “Security” together. Industry experts say that Flash is actually moving the ball towards ease of use and functionality and thus compromises on security.

Here we are actually trying to show you the security issues related with Flash applications and how you can test or exploit them for fun and profit.

Let’s get our lab ready, all that you needed are:

  1. OWASP Mantra Security Framework –  http://www.getmantra.com/
  2. Who wants to be a Millionaire flash game – http://sourceforge.net/projects/vulfa
  3. HTTP File Server – http://www.rejetto.com/hfs/

Now call up your bank and make all the arrangements in advance to transfer this huge amount, don’t blame us at the end for not informing you 😉

Extract the contents from the archives. We want a HTTP server to properly run the game. HFS will serve this purpose, just run it and point it to the folder where we have extracted Who Wants to Be a Millionaire.zip.
Just below the menu button you can see your HTTP server IP address and URL. Paste it onto Mantra address bar.

Step 2:

Get failed in the game somehow. We know it’s hard for you, but do it. Once you fail game will ask you whether you would like to replay the game or not. Before clicking on “Replay” go to OWASP Logo  Tools  Application Auditing  Tamper Data

Step 3:

Now go back to the game and press on “Replay” button.

Tamper Data will come up with a pop up asking you to tamper the request or not. Click on “Tamper” button.

Step 4:

Copy the POST_DATA and paste it into any note taking application like Notepad.

Step 5:

Now all you have to do is to go ahead with playing the game. All the answer keys are there in the POST_DATA. You can use the search feature of your note taking application to find the correct answer easily.

In the above screenshot, EditPad is used for taking the notes in Mantra itself and “Find” feature of Mantra helps to easily find out the answer.

You can also watch it at – http://youtube.com/watch?v=aPk5vCqh-2k

Happy Hacking!!!

Abhi M Balakrishnan is an Electronics hobbyist turned Hacktivist, Working as Information Security Consultant to put food on his table and roof over his head and has Performed several security consulting assignments in the area of penetration testing, code reviews, web application assessments, security architecture reviews etc.

Leave a Reply