WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: need help with webgoat

From: chris () learnsecurityonline com
Date: 4 Sep 2006 18:07:08 -0000
with Version 3 it was in the source, with Version 4 which i am assuming you are using you have to append &admin=true

below is an exerpt from our answer key:

----

4-3)  Remote Admin Access

Applications have an administrative interface that allows privileged users access to functionality that normal users 
are not able to see. On top of this the application server will often have an admin interface as well.

Our goal in this lesson is to gain access to the admin interface of Webgoat. While performing this exercise I 
discovered that Webgoat has one admin interface that is controlled via a URL parameter.

http://localhost/WebGoat/attack?admin=true 

http://192.168.0.102/WebGoat/attack?Screen=30&admin=true 

This gives us access easily by circumventing the authentication and gaining access.

Once we are able to gain access to the admin function we are able to see a lot of other subsections below the admin 
functions tab.

-We append out &admin=true to the end of our request to give us the extended Admin Functions menu.

-We then view our Product Information and User Information screens, ensuring we append &admin=true to the request

-Once we finish that we return to our Remote Admin Access screen to get credit for completing the challenge
----

hope that helps you out

Chris

-- 

Chris Gates, CISSP
C|EH, CPTS, MCP 2003, A+, Network+, Security+

Web:        https://www.learnsecurityonline.com

Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Mentor Led Training   * Hacklab Access

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of 
sensitive data - personal, medical and financial - are exchanged, and 
stored. Consumers expect and demand security for this information. This 
whitepaper examines a few vulnerability detection methods - specifically 
comparing and contrasting manual penetration testing with automated 
scanning tools. Download "Automated Scanning or Manual Penetration 
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: