Authentication Bypassing Using WebGoat and BurpSuite


1. Setup Environment

• Download and install OWASP WebGoat:

➔ Download and install Docker Desktop. Also add the C:\Program Files\Docker\Docker
directory to the PATH environment variable.
(https://docs.docker.com/desktop/install/windows-install/)

➔ Open VS Code in your project folder and start a new terminal in VS Code.
Type:
docker pull webgoat/webgoat-8.0
docker run -p 8881:8080 -t webgoat/webgoat-8.0
(Your WebGoat will be running on port 8881. The access URL is
127.0.0.1:8881/WebGoat/login)

Register a new user with a username and password and agree to the terms
and conditions.
If every step up to now has gone smoothly, WebGoat will be running in your
web browser and you will see this page.

• Install a suitable penetration testing tool (Burp Suite)

➔ Download the Community Edition of Burp Suite and run it with the defaults.
When you start Burp Suite, leave every prompt as it is and just click
“Next” and “Start Burp” until you see this page:
(https://portswigger.net/burp/communitydownload)
2. Scanning and Enumeration

• Identify the IP address of your WebGoat instance:

➔ Open Burp Suite, go to the Proxy section and click on Open browser:

➔ Turn on “Intercept” and enter the URL in the proxy browser to access the
WebGoat login page:
➔ From the “docker ps” command we can see that the WebGoat container is
running on 0.0.0.0:8881 (IP address and port). That means it can be reached
through your local host's IP addresses (loopback IP and private IP). You can
access WebGoat both ways:

127.0.0.1:8881/WebGoat/login
<Private_IP_of_host>:8881/WebGoat/login

From the Intercept panel you can also verify the IP address of WebGoat
(loopback and private IP).

• Use your chosen tool to scan and enumerate vulnerabilities in WebGoat:

➔ WebGoat has the OWASP Top-10 web application vulnerabilities for learning
and testing purposes. Today we are going to exploit the “Broken
Authentication” (API2:2023 - Broken Authentication) part of WebGoat. To
be more specific, we are going to bypass the authentication method.

3. Exploitation

• Choose one vulnerability you discovered and attempt to exploit it:

➔ Select the lab portion of “Authentication Bypasses” and keep
Intercept on in Burp Suite.
➔ We are going to exploit the “Security Question” authentication part to
bypass the authentication method. Read more -
https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass

Scroll down, fill in the information in the 2 boxes and click Submit.
Remember to keep Intercept on in Burp Suite.

➔ Click on the Forward button in Burp Suite until you see this portion:
➔ Now change the parameter names “secQuestion0” and “secQuestion1” to
“secQuestion2” and “secQuestion3” and click on the Forward button.

➔ Go to the proxy browser and you will see that you have successfully
authenticated as yourself.

We didn’t know the value of the parameters, so we removed/modified them
from the submission altogether to gain access.
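
Why renaming the parameters works, shown from the server side as an added sketch (this is not WebGoat's own code; the function names, stored answers and sample requests are constructed, and the flawed check is an assumption about the kind of logic that produces the behaviour above). It sits beside a hardened version in which the server, not the client, decides which questions must be answered.

```python
import hmac

# Constructed server-side record: the answers the user registered.
STORED_ANSWERS = {"secQuestion0": "Fluffy", "secQuestion1": "Dhaka"}


def verify_flawed(submitted: dict) -> bool:
    """Validates only the questions the client chose to send (assumed flaw)."""
    if len(submitted) != len(STORED_ANSWERS):
        return False
    for name, expected in STORED_ANSWERS.items():
        # Flaw: a parameter that is absent is skipped instead of failing.
        if name in submitted and submitted[name] != expected:
            return False
    return True


def verify_hardened(submitted: dict) -> bool:
    """The server fixes the set of required parameter names."""
    # Reject any request with missing or unexpected parameter names.
    if set(submitted) != set(STORED_ANSWERS):
        return False
    ok = True
    for name, expected in STORED_ANSWERS.items():
        # Constant-time comparison; every answer is checked before deciding.
        ok &= hmac.compare_digest(submitted[name].encode(), expected.encode())
    return ok


# Constructed requests, as the server sees them after form parsing.
HONEST = {"secQuestion0": "Fluffy", "secQuestion1": "Dhaka"}
WRONG = {"secQuestion0": "guess", "secQuestion1": "guess"}
RENAMED = {"secQuestion2": "guess", "secQuestion3": "guess"}

if __name__ == "__main__":
    for label, req in [("honest", HONEST), ("wrong", WRONG), ("renamed", RENAMED)]:
        print(f"{label:8} flawed={verify_flawed(req)} hardened={verify_hardened(req)}")
```

When reviewing a real verification endpoint, the thing to look for is the same: any branch where an expected field being absent leads to "no error" rather than "reject".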
