WebApp Sec mailing list archives
Re: webgoat breaking
From: <karifsmith () hotmail com>
Date: 21 May 2003 21:41:13 -0000
In-Reply-To: <005201c2f3a7$d113f7f0$6301a8c0 () intranet aspectsecurity com>

Ok.. I ended up getting past the first stage by looking at the source.. after all, it WAS on my PC ;) But I'd like to know what the proper way to access the source code would be. I don't think that was mentioned in the WebGoat exercises. Please point me in the right direction if I'm just being dense..

Thanks!

Anyway, you can solve the authentication stage by figuring out how to access the source code and then just checking the logic. You're right that it is not based on SQL. Another solid reason for code review, but that's another thread. There is another way to get the credentials by sniffing the network, but it's not realistic in most environments and was intended to teach a different skill.

Good luck,

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com