[OWASP-WEBGOAT]WebGoat Walkthru? (May be a spoiler, so if you haven't completed the lessons, you may not want to look at it)
Glyn
glyng at moiler.com
Thu Nov 20 18:34:54 EST 2003
Look at the format of cookies and compare to the input criteria. Get
your junior spy-cap on and see if you spot the pattern...
> -----Original Message-----
> From: owasp-webgoat-admin at lists.sourceforge.net
> [mailto:owasp-webgoat-admin at lists.sourceforge.net] On Behalf
> Of Martin G. Nystrom
> Sent: 21 November 2003 05:07
> To: 'Jeremy Junginger'; owasp-webgoat at lists.sourceforge.net
> Subject: RE: [OWASP-WEBGOAT]WebGoat Walkthru? (May be a
> spoiler, so if you haven't completed the lessons, you may not
> want to look at it)
>
> > WEAK AUTHENTICATION COOKIE: This one was neat, because it
> > had a little crypt-o-gram type puzzle (jeff/jeff creates the
> > cookie ggfkggfk whereas dave/dave creates the cookie
> > fwbefwbe; they're reversed and incremented by 1 letter).
> > This didn't actually buy us anything as far as I can tell,
> > except the 'AuthCookie'. I logged in with jeff/jeff and upon
> > logging out, I noticed that the cookie had an
> > 'AuthCookie=ggfkggfk' so I put it in the Cookie field of
> > PenProxy and it worked:
>
> I've found that I can only hijack an existing session using
> this. I open two browsers, log in with one, then log in with a
> submitted AuthCookie in the other. I use Sleuth from
> sandsprite.com for that.
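The cookie scheme discussed in this thread, next to a hardened session token, as an added example that is not part of the original messages or WebGoat's own code. The names `weak_cookie`, `is_predictable` and `SessionStore` are hypothetical, and the wrap-around at 'z' and the pass-through of non-letters are assumptions the thread does not cover.

```python
import secrets

def weak_cookie(username, password):
    """Scheme from the thread: concatenate credentials, reverse, shift letters by one."""
    out = []
    for ch in (username + password)[::-1]:
        if "a" <= ch <= "z":
            # Wrap-around at 'z' is an assumption; the thread shows no such case.
            out.append(chr((ord(ch) - ord("a") + 1) % 26 + ord("a")))
        else:
            out.append(ch)  # assumption: other characters pass through unchanged
    return "".join(out)

def is_predictable(cookie, username, password):
    """Audit check: True if the cookie is a pure function of the credentials."""
    expected = weak_cookie(username, password)
    return secrets.compare_digest(cookie.encode(), expected.encode())

class SessionStore:
    """Hardened form: the cookie is a random handle; identity lives server-side."""

    def __init__(self):
        self._sessions = {}

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def lookup(self, token):
        return self._sessions.get(token)  # unknown or revoked token -> None

    def revoke(self, token):
        self._sessions.pop(token, None)  # logout invalidates the cookie value

if __name__ == "__main__":
    # The two credential pairs quoted in the thread.
    print(weak_cookie("jeff", "jeff"), weak_cookie("dave", "dave"))
    store = SessionStore()
    token = store.issue("jeff")
    print(is_predictable(token, "jeff", "jeff"), store.lookup(token))
```

Because the weak value contains no secret and no randomness, it is identical on every login; the random token differs per session and stops resolving once it is revoked at logout.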