Part 9 Lab Solutions 3

Video Activity

In this lab-based lesson, participants learn how to use the FireFox plugin TamperData to accomplish the task which is to be able to login to a financial account as a different user in order to obtain a transaction number and access data. Participants learn how to tamper with data and manipulate in the hidden field (in this case changing Joe to Jane...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Description

In this lab-based lesson, participants learn how to use the FireFox plugin TamperData to accomplish the task which is to be able to login to a financial account as a different user in order to obtain a transaction number and access data. Participants learn how to tamper with data and manipulate in the hidden field (in this case changing Joe to Jane). This shows how easy it is to spoof data.

Video Transcription
00:04
Hello and welcome to the cyber. Very secure coding course. My name is Sonny Wear, and this is AWAS top 10 for 2013 a two broken authentication and session management lab in solution.
00:19
The lab is Web goat authentication flaws.
00:23
Multi level. Log in to
00:26
now in this lab, you will see me use a Firefox plugin called tamper data.
00:33
You are free to also use tamper data if you like, or you can use birth. Sweet as we've been using in other labs, either too will accomplish the same tasks.
00:46
This is the video solution for multi level. Log in to
00:51
it says you are an attacker called Chou. You have a valid account by web coat financial.
00:57
You're goes toe log in as Jane.
01:00
Now your user name is Joe in Your password is banana.
01:06
And these are your tans.
01:07
So
01:10
there's a couple of flaws here.
01:11
Um, the first is, of course, the fact that programmers assume that
01:19
one stage happens before the next stage can happen. And I'm gonna show you how that is flawed. So
01:27
first,
01:30
go ahead and properly log in as Joe
01:34
and then next Joe would be assigned this transaction authorization number. At least that's what the programmers assume in their code.
01:45
However,
01:47
I'm gonna go ahead and
01:49
tamper the data,
01:56
and all I'm gonna do is change this hidden field here that has User Joe.
02:01
I'm just going to change that to Jane,
02:07
and then I am able to successfully log in his Jane. So unfortunately, there was a combination of problems.
02:15
One is, of course, having weak form of identification, just being hidden field
02:23
on the form itself, which can easily be
02:28
manipulated and spoofed since it's located on the quiet side.
02:34
And there wasn't any kind of validation occurring on the service side, obviously.
02:38
And then secondly, of course, this whole idea that programmers assume that
02:46
Stage one is always going to happen before Stage two can happen. There's no kind of validation check. And so he's easily able to
02:55
log in as Jane
Up Next