Part 9 Lab Solutions 3 | Cybrary

.banner-container.gbi--1590043120-r2snjfjE7mPYjEEsxx9HGz:before { opacity: 1; background-image: url('//images.ctfassets.net/kvf8rpi09wgk/2nM30UF152ailv6BlqiBup/e9295ddb35cd3d6ed96d37c70757143c/Secure_Coding.jpg?w=500&q=55'); }

Video Activity

Create Free Account

In this lab-based lesson, participants learn how to use the FireFox plugin TamperData to accomplish the task which is to be able to login to a financial account as a different user in order to obtain a transaction number and access data. Participants learn how to tamper with data and manipulate in the hidden field (in this case changing Joe to Jane...

OR

Already have an account? Sign In »

Time

9 hours 31 minutes

Difficulty

Intermediate

CEU/CPE

10

Create Free Account

In this lab-based lesson, participants learn how to use the FireFox plugin TamperData to accomplish the task which is to be able to login to a financial account as a different user in order to obtain a transaction number and access data. Participants learn how to tamper with data and manipulate in the hidden field (in this case changing Joe to Jane). This shows how easy it is to spoof data.

00:04

Hello and welcome to the cyber. Very secure coding course. My name is Sonny Wear, and this is AWAS top 10 for 2013 a two broken authentication and session management lab in solution.

00:19

The lab is Web goat authentication flaws.

00:23

Multi level. Log in to

00:26

now in this lab, you will see me use a Firefox plugin called tamper data.

00:33

You are free to also use tamper data if you like, or you can use birth. Sweet as we've been using in other labs, either too will accomplish the same tasks.

00:46

This is the video solution for multi level. Log in to

00:51

it says you are an attacker called Chou. You have a valid account by web coat financial.

00:57

You're goes toe log in as Jane.

01:00

Now your user name is Joe in Your password is banana.

01:06

And these are your tans.

01:07

So

01:10

there's a couple of flaws here.

01:11

Um, the first is, of course, the fact that programmers assume that

01:19

one stage happens before the next stage can happen. And I'm gonna show you how that is flawed. So

01:27

first,

01:30

go ahead and properly log in as Joe

01:34

and then next Joe would be assigned this transaction authorization number. At least that's what the programmers assume in their code.

01:45

However,

01:47

I'm gonna go ahead and

01:49

tamper the data,

01:56

and all I'm gonna do is change this hidden field here that has User Joe.

02:01

I'm just going to change that to Jane,

02:07

and then I am able to successfully log in his Jane. So unfortunately, there was a combination of problems.

02:15

One is, of course, having weak form of identification, just being hidden field

02:23

on the form itself, which can easily be

02:28

manipulated and spoofed since it's located on the quiet side.

02:34

And there wasn't any kind of validation occurring on the service side, obviously.

02:38

And then secondly, of course, this whole idea that programmers assume that

02:46

Stage one is always going to happen before Stage two can happen. There's no kind of validation check. And so he's easily able to

02:55

log in as Jane

Part 2 Explanations

Part 3 Reflected XSS HTML context Demo

Part 4 Reflected XSS JS context Demo

Part 5 Stored Demo

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.