00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sonny Wear, and this is OWASP Top 10 for 2013, A2 Broken Authentication and Session Management, lab and solution.
00:19
The lab is WebGoat Authentication Flaws,
00:23
Multi Level Login 2.
00:26
Now in this lab, you will see me use a Firefox plugin called Tamper Data.
00:33
You are free to also use Tamper Data if you like, or you can use Burp Suite as we've been using in other labs. Either tool will accomplish the same tasks.
00:46
This is the video solution for Multi Level Login 2.
00:51
It says you are an attacker called Joe. You have a valid account at WebGoat Financial.
00:57
Your goal is to log in as Jane.
01:00
Now, your username is Joe and your password is banana.
01:06
And these are your TANs.
01:10
There's a couple of flaws here.
01:11
Um, the first is, of course, the fact that programmers assume that
01:19
one stage happens before the next stage can happen. And I'm gonna show you how that is flawed. So
01:30
go ahead and properly log in as Joe,
01:34
and then next, Joe would be assigned this transaction authorization number. At least that's what the programmers assume in their code.
01:47
I'm gonna go ahead and
01:56
and all I'm gonna do is change this hidden field here that has user Joe.
02:01
I'm just going to change that to Jane,
02:07
and then I am able to successfully log in as Jane. So unfortunately, there was a combination of problems.
02:15
One is, of course, having a weak form of identification, just being a hidden field
02:23
on the form itself, which can easily be
02:28
manipulated and spoofed since it's located on the client side.
02:34
And there wasn't any kind of validation occurring on the server side, obviously.
02:38
And then secondly, of course, this whole idea that programmers assume that
02:46
stage one is always going to happen before stage two can happen. There's no kind of validation check. And so he's easily able to