WebApp Sec mailing list archives
Fail Open Authentication and Parameter Injection
From: "Indian Tiger" <indiantiger () mailandnews com>
Date: Fri, 22 Feb 2002 00:14:26 +0530
Hi,

I am learning Web Application Security Penetration Testing using WebGoat. I have some queries on this.

Fail Open Authentication

WebGoat's step 3 says: "Try removing password parameter with Achilles." How is it possible? Is there any chance that the server doesn't even check the password if we remove the password parameter?

Parameter Injection

What could be the scenario where a site is vulnerable to Parameter Injections? I have given this some thought but am not able to think how exactly it works in practice. WebGoat has given an example like this:

'blah & netstat -a & ipconfig'

But where would a developer be allowing such values to be inserted?

Any help on this would be highly appreciated.

Thanking You.

Sincerely,
Indian Tiger, CISSP
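An added illustration for the fail-open question in the post above (not part of the original message and not WebGoat's code): a constructed login check whose error path leaves the caller authenticated when the Password parameter is missing, beside a fail-closed version. The parameter names, the user store and the function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed user store for the example; one fixed salt is a simplification.
SALT = b"constructed-salt"

def _derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"webgoat": _derive("s3cret")}

def _matches(user, password):
    stored = USERS.get(user)
    candidate = _derive(password)
    return stored is not None and hmac.compare_digest(stored, candidate)

def login_fail_open(params):
    """Defective: starts from 'allowed' and only revokes if the check completes."""
    authenticated = True
    try:
        user = params["Username"]
        password = params["Password"]  # KeyError when the parameter was removed
        if not _matches(user, password):
            authenticated = False
    except Exception:
        pass  # error swallowed, so authenticated is still True
    return authenticated

def login_fail_closed(params):
    """Hardened: starts from 'denied'; any missing field or error keeps it denied."""
    authenticated = False
    try:
        user = params.get("Username")
        password = params.get("Password")
        if isinstance(user, str) and isinstance(password, str):
            authenticated = _matches(user, password)
    except Exception:
        authenticated = False
    return authenticated

if __name__ == "__main__":
    request = {"Username": "webgoat"}  # constructed request, Password removed
    print("fail-open  :", login_fail_open(request))
    print("fail-closed:", login_fail_closed(request))
```

The defect is in the control flow rather than the comparison: the password is checked correctly whenever it is present, so the handler behaves normally until a request omits the field.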