[OWASP-WEBGOAT]WebGoat Walkthru? (May be a spoiler, so if you haven't completed the lessons, you may not want to look at it)
Martin G. Nystrom
xianman at employees.org
Thu Nov 20 14:06:34 EST 2003
> WEAK AUTHENTICATION COOKIE: This one was neat, because it
> had a little crypt-o-gram type puzzle (jeff/jeff creates the
> cookie ggfkggfk whereas dave/dave creates the cookie
> fwbefwbe, they're reversed and incremented by 1 letter).
> This didn't actually buy us anything as far as i can tell,
> except the 'AuthCookie'. I logged in with jeff/jeff and upon
> logging out, I noticed that the cookie had an
> 'AuthCookie=ggfkggfk' so I put it in the Cookie field of
> PenProcy and it worked:
I've found that I can only hijack an existing session using this. I open
two browsers, login with one, then login with a submitted AuthCookie in the
other. I use Sleuth from sandsprite.com for that.
More information about the Owasp-webgoat
mailing list