WebApp Sec mailing list archives
Re: need help with webgoat
From: chris () learnsecurityonline com
Date: 4 Sep 2006 18:07:08 -0000
With Version 3 it was in the source; with Version 4, which I am assuming you are using, you have to append &admin=true. Below is an excerpt from our answer key:

----
4-3) Remote Admin Access

Applications have an administrative interface that allows privileged users access to functionality that normal users are not able to see. On top of this the application server will often have an admin interface as well. Our goal in this lesson is to gain access to the admin interface of WebGoat. While performing this exercise I discovered that WebGoat has one admin interface that is controlled via a URL parameter.

http://localhost/WebGoat/attack?admin=true
http://192.168.0.102/WebGoat/attack?Screen=30&admin=true

This gives us access easily by circumventing the authentication and gaining access. Once we are able to gain access to the admin function we are able to see a lot of other subsections below the admin functions tab.

- We append our &admin=true to the end of our request to give us the extended Admin Functions menu.
- We then view our Product Information and User Information screens, ensuring we append &admin=true to the request.
- Once we finish that we return to our Remote Admin Access screen to get credit for completing the challenge.
----

Hope that helps you out

Chris

--
Chris Gates, CISSP C|EH, CPTS, MCP 2003, A+, Network+, Security+
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games * Simulators * Challenge Servers * Courses * Mentor Led Training * Hacklab Access
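Added example, not from Chris's post or from WebGoat itself: the flaw the lesson demonstrates is an authorization decision taken from a client-supplied query parameter, so the snippet below puts that pattern beside a server-side check and scans constructed access-log lines for admin=true requests from non-admin sessions. The session ids, roles and log lines are made up for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed server-side session store: session id -> role.
# In a real application this is filled in at login and is the
# only place an authorization decision should come from.
SESSIONS = {"sess-user-1": "user", "sess-admin-9": "admin"}


def is_admin_vulnerable(url: str) -> bool:
    """The pattern the lesson exposes: the admin flag is read straight
    from the query string, so any client can set it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("admin", ["false"])[0].lower() == "true"


def is_admin_hardened(session_id: str, url: str) -> bool:
    """Hardened form: the role is looked up in the server-side session.
    The query string is accepted as an argument but deliberately ignored."""
    return SESSIONS.get(session_id) == "admin"


def flag_admin_param_requests(log_lines):
    """Detection: return the lines where a request carried admin=true
    but the requesting session is not an admin on the server side.
    Each constructed line is '<session id> <request path>'."""
    hits = []
    for line in log_lines:
        session_id, url = line.split(" ", 1)
        if is_admin_vulnerable(url) and not is_admin_hardened(session_id, url):
            hits.append(line)
    return hits


# Constructed sample log lines (not real WebGoat output).
SAMPLE_LOG = [
    "sess-user-1 /WebGoat/attack?Screen=30",
    "sess-user-1 /WebGoat/attack?Screen=30&admin=true",
    "sess-admin-9 /WebGoat/attack?admin=true",
]

if __name__ == "__main__":
    for line in flag_admin_param_requests(SAMPLE_LOG):
        print("admin parameter from non-admin session:", line)
```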