Part 8 Lab Solutions 2
Video Activity
In this lab-based lesson, participants learn how to use a Firefox plugin called Tamper Data to accomplish the lab task, which is to discover authentication flaws.
Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is the OWASP Top 10 for 2013, A2 Broken Authentication and Session Management, lab and solution.
00:18
This lab is going to be inside of WebGoat: Authentication Flaws, Multi Level Login 1.
00:27
Now, please note that in this lab I'm actually going to use a Firefox plugin called Tamper Data.
00:35
You are free to use Tamper Data for this exercise as well. Or if you would like to use Burp Suite, as we've been using in other labs, you can certainly use that tool as well. Both will accomplish the same tasks.
00:50
This is the video solution for the Authentication Flaws, Multi Level Login 1. It says Stage 1. This stage is just to show how a classic multi login works. Your goal is to do a regular login as Jane with password Tarzan.
01:07
And you have the following TANs. So TAN stands for transaction authorization number. So I'm gonna go ahead and log in as Jane.
01:17
Password Tarzan.
01:21
The first transaction number I get assigned is this.
01:26
So it says: now you are a hacker who already has stolen some information from Jane by phishing e-mail.
01:33
You have the password, which we know is Tarzan.
01:37
Ah, but the first TAN has already been used, right? So I can't do any kind of session fixation on that particular number,
01:49
not necessarily, that I know of. Um,
01:52
although I'm going to try it. So it says the problem is the first TAN has already been used. Try to break into the system anyway.
02:00
If the programmer does not change or check for the same used TAN, then possibly I could break in. So I'll log out,
02:13
and, uh,
02:19
okay. And so TAN 2 has to be a valid number. But what I'm gonna do is go ahead and
02:30
start to tamper.
02:43
And I was able to log in because there was no check
02:46
if a previous TAN had been used.