Part 9 Lab Solutions 3

Video Activity

In this lab-based lesson, participants learn how to use the FireFox plugin TamperData to accomplish the task which is to be able to login to a financial account as a different user in order to obtain a transaction number and access data. Participants learn how to tamper with data and manipulate in the hidden field (in this case changing Joe to Jane...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
or
View all SSO options

Already have an account? Sign In »

Secure Coding
Course
Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Description

In this lab-based lesson, participants learn how to use the FireFox plugin TamperData to accomplish the task which is to be able to login to a financial account as a different user in order to obtain a transaction number and access data. Participants learn how to tamper with data and manipulate in the hidden field (in this case changing Joe to Jane). This shows how easy it is to spoof data.

Video Transcription
00:04
Hello and welcome to the cyber. Very secure coding course. My name is Sonny Wear, and this is AWAS top 10 for 2013 a two broken authentication and session management lab in solution.
00:19
The lab is Web goat authentication flaws.
00:23
Multi level. Log in to
00:26
now in this lab, you will see me use a Firefox plugin called tamper data.
00:33
You are free to also use tamper data if you like, or you can use birth. Sweet as we've been using in other labs, either too will accomplish the same tasks.
00:46
This is the video solution for multi level. Log in to
00:51
it says you are an attacker called Chou. You have a valid account by web coat financial.
00:57
You're goes toe log in as Jane.
01:00
Now your user name is Joe in Your password is banana.
01:06
And these are your tans.
01:07
So
01:10
there's a couple of flaws here.
01:11
Um, the first is, of course, the fact that programmers assume that
01:19
one stage happens before the next stage can happen. And I'm gonna show you how that is flawed. So
01:27
first,
01:30
go ahead and properly log in as Joe
01:34
and then next Joe would be assigned this transaction authorization number. At least that's what the programmers assume in their code.
01:45
However,
01:47
I'm gonna go ahead and
01:49
tamper the data,
01:56
and all I'm gonna do is change this hidden field here that has User Joe.
02:01
I'm just going to change that to Jane,
02:07
and then I am able to successfully log in his Jane. So unfortunately, there was a combination of problems.
02:15
One is, of course, having weak form of identification, just being hidden field
02:23
on the form itself, which can easily be
02:28
manipulated and spoofed since it's located on the quiet side.
02:34
And there wasn't any kind of validation occurring on the service side, obviously.
02:38
And then secondly, of course, this whole idea that programmers assume that
02:46
Stage one is always going to happen before Stage two can happen. There's no kind of validation check. And so he's easily able to
02:55
log in as Jane
Up Next
View All
Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

View Course
Instructed By
Sunny Wear
Sunny Wear
Instructor
Similar Content
OWASP
OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and ...

Cybrary
Course
Beginner
12 CEU/CPE Hours Available
Certificate of Completion Offered
Python Coding - Basic
Python Coding - Basic

The Python Coding - Basic test is a premium Cybrary assessment test created by Interview ...

Interview Mocha
Assessment
Intermediate
Intro to Python
Intro to Python

This is an introductory course on Python for cyber security, giving students the ability to ...

Cybrary
Course
Beginner
3 CEU/CPE Hours Available
Certificate of Completion Offered
Popular