InfoSec Write-ups – Medium

Second WebGoat challenge: we have to log in as Larry. Let’s see what’s in here.
The “Forgot Password” link is fake, and there is not much in the HTML source.
Burp shows that, apart from the request to /WebGoat/Challenge5.lesson.lesson and its HTML, not much else happens when the page is requested.
A /WebGoat/lesson_css/challenge6.css file is loaded for the challenge, but there is nothing interesting inside it.
Let’s try to log in as Larry.

Here’s the login request in Burp, and of course “password” is not the correct password.
If the username and password parameters are present but their values are empty, the challenge complains about the missing input.
If either the username or the password parameter is missing altogether, we get HTTP status 400 (Bad Request).
The “remember” parameter is optional, both in value and in presence.
Let’s see what happens when we put a single quote in.

We get a nice Java SQL exception.

And by reading the error message, there we have the login SQL query, echoed back to the client.

So yes, we have SQL injection here.
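To show why the single quote produced that exception and what the fix looks like, here is an added example (not WebGoat’s own code, which is Java; this uses Python with an in-memory SQLite table standing in for the challenge’s user table, whose real schema and Larry’s real password are not on the page and are constructed placeholders here). The string-concatenated query breaks on a quote; the parameterized version treats it as plain data, and the handler returns a generic message instead of leaking the query text.

```python
import sqlite3

# Constructed sample data standing in for the challenge's user table.
USERS = [("larry", "larry-password-placeholder", "Larry")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def login_concat(conn, username, password):
    """Vulnerable pattern: input is spliced into the SQL text, so a single
    quote unbalances the statement and the database raises a syntax error
    (the Java SQL exception seen in the write-up)."""
    sql = ("SELECT display_name FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_param(conn, username, password):
    """Fixed pattern: placeholders keep the input as data, a quote is just
    a character, and the query shape can never change."""
    sql = "SELECT display_name FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def concat_breaks(conn, username, password):
    """True if the vulnerable query fails on this input (for the test)."""
    try:
        login_concat(conn, username, password)
        return False
    except sqlite3.Error:
        return True

def handle_login(conn, username, password):
    """Endpoint behaviour a defender wants: 400 on missing parameters (as the
    challenge does), and otherwise a generic 'login failed' with no SQL text
    or stack trace in the response; the exception goes to a server-side log."""
    if username is None or password is None:
        return {"status": 400, "message": "missing parameter"}
    try:
        name = login_param(conn, username, password)
    except sqlite3.Error:
        return {"status": 500, "message": "login failed"}  # log details server-side
    if name is None:
        return {"status": 401, "message": "login failed"}
    return {"status": 200, "message": "welcome " + name}
```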

There you go: we have logged in as Larry, and the response carries the flag further down in the feedback string.
Put the flag in the lesson’s submit field and you are done.
This concludes the WebGoat “Without password” challenge.
I hope you liked it.
PVXs — https://twitter.com/pivixih
WebGoat Without password Challenge was originally published in InfoSec Write-ups on Medium.