Re: webgoat breaking

[<karifsmith () hotmail com>]

In-Reply-To: <005201c2f3a7$d113f7f0$6301a8c0 () intranet aspectsecurity com>

Ok.. I ended up getting past the first stage by looking at the source..
after all, it WAS on my PC ;)

But I'd like to know what the proper way to access the source code would 
be.  I don't think that was mentioned in the WebGoat exercises.  Please 
point me in the right direction if I'm just being dense.. 

Thanks!

> Anyway, you can solve the authentication stage by figuring out how to
> access the source code and then just checking the logic.  You're right
> that it is not based on SQL.  Another solid reason for code review, but
> that's another thread.  There is another way to get the credentials by
> sniffing the network, but it's not realistic in most environments and was
> intended to teach a different skill.
>
> Good luck,
>
> --Jeff
>
> Jeff Williams
> Aspect Security, Inc.
> http://www.aspectsecurity.com