WebApp Sec mailing list archives
Re: webgoat breaking
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Thu, 22 May 2003 09:06:38 -0400
You can get the source code through the application itself by figuring out the right URL. If you look closely at the web site structure (which you can figure out by looking at all the pages), the location of the source is pretty obvious. You can then use the names of other pages to guess the name of the source file. --Jeff Jeff Williams Aspect SecurityT Securing your applications at the source http://www.aspectsecurity.com ----- Original Message ----- From: karifsmith () hotmail com To: webappsec () securityfocus com Sent: Wednesday, May 21, 2003 5:41 PM Subject: Re: webgoat breaking In-Reply-To: <005201c2f3a7$d113f7f0$6301a8c0 () intranet aspectsecurity com> Ok.. I ended up getting past the first stage by looking at the source.. after all, it WAS on my PC ;) But I'd like to know what the proper way to access the source code would be. I don't think that was mentioned in the WebGoat exercises. Please point me in the right direction if I'm just being dense.. Thanks!
Anyway, you can solve the authentication stage by figuring out how to access the source code and then just checking the logic. You're right that it is not based on SQL. Another solid reason for code review, but that's another thread. There is another way to get the credentials by sniffing the network, but it's not realistic in most environments and was intended to teach a different skill. Good luck, --Jeff Jeff Williams Aspect Security, Inc. http://www.aspectsecurity.com
Current thread:
- Re: webgoat breaking karifsmith (May 22)
- Re: webgoat breaking Jeff Williams @ Aspect (May 22)