WebApp Sec mailing list archives

Re: webgoat breaking


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Thu, 22 May 2003 09:06:38 -0400

You can get the source code through the application itself by figuring out
the right URL.  If you look closely at the web site structure (which you can
figure out by looking at all the pages), the location of the source is
pretty obvious.  You can then use the names of other pages to guess the name
of the source file.

--Jeff


Jeff Williams
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com




----- Original Message ----- 
From: karifsmith () hotmail com
To: webappsec () securityfocus com
Sent: Wednesday, May 21, 2003 5:41 PM
Subject: Re: webgoat breaking


In-Reply-To: <005201c2f3a7$d113f7f0$6301a8c0 () intranet aspectsecurity com>

Ok.. I ended up getting past the first stage by looking at the source..
after all, it WAS on my PC ;)

But I'd like to know what the proper way to access the source code would
be.  I don't think that was mentioned in the WebGoat exercises.  Please
point me in the right direction if I'm just being dense..

Thanks!

Anyway, you can solve the authentication stage by figuring out how to
access the source code and then just checking the logic.  You're right
that it is not based on SQL.  Another solid reason for code review, but
that's another thread.  There is another way to get the credentials by
sniffing the network, but it's not realistic in most environments and was
intended to teach a different skill.

Good luck,

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com



