Lesson Plan Title: Basic Authentication

 

Concept / Topic To Teach:

Basic Authentication is used to protect server-side resources. When the browser requests a protected resource without credentials, the web server answers with a 401 Unauthorized response that carries a WWW-Authenticate: Basic header naming the protection realm. The browser then prompts the user for a user name and password with its own dialog box, joins them as user:password, Base64 encodes that string and sends it back in an Authorization header. The web server decodes and validates the credentials and returns the requested resource if they are correct. Note that Base64 is an encoding, not encryption: anyone who can read the request can recover the password, so Basic Authentication is only safe over TLS.

The browser caches these credentials and automatically resends them with every later request to a page protected by this mechanism, so the user is not asked to enter them again.

 

General Goal(s):

For this lesson, your goal is to understand Basic Authentication and answer the questions below.

 

Figure 1 Lesson 13

 

To learn the name of the authentication header you must click “Submit” and intercept the request with WebScarab.

 

Figure 2 Intercepted request

 

The HTTP request header that carries the Basic Authentication credentials is called "Authorization"; the full header reads Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=. The value Z3Vlc3Q6Z3Vlc3Q= is Base64 encoded. You can decode it with WebScarab > Tools > Transcoder.

 

Figure 3 WebScarab's Transcoder

 

Click Base64 decode.

 

Figure 4 Decode value

 

These values must be used to complete the questions.
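The decoding step that the Transcoder performs by hand, as an added example that is not part of the original lesson or of WebScarab: it pulls the Authorization header out of a raw request, checks that the scheme is Basic, Base64 decodes the token and splits it on the first colon only (passwords may contain colons). The request text is constructed for the example; only the value Z3Vlc3Q6Z3Vlc3Q= comes from the lesson, and the path, host and JSESSIONID value are made up.

```python
import base64
import binascii
from typing import Optional, Tuple


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization value a browser sends: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def decode_basic(header_value: str) -> Tuple[str, str]:
    """Inverse of encode_basic, i.e. what WebScarab's Transcoder does by hand.

    Splits on the first colon only: user names cannot contain ':' but passwords can.
    Raises ValueError for anything that is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential (scheme {scheme!r})")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("Authorization token is not valid base64") from exc
    text = raw.decode("utf-8")
    if ":" not in text:
        raise ValueError("decoded credential lacks the ':' separator")
    user, _, password = text.partition(":")
    return user, password


def find_header(raw_request: str, name: str) -> Optional[str]:
    """Return the value of a header from a raw HTTP request (names are case-insensitive)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None


def credentials_from_request(raw_request: str) -> Tuple[str, str]:
    """What the lesson asks for: the decoded user name and password from the Authorization header."""
    value = find_header(raw_request, "Authorization")
    if value is None:
        raise ValueError("request carries no Authorization header")
    return decode_basic(value)


# Constructed request modelled on the intercepted one in Figure 2. Only the
# Authorization value Z3Vlc3Q6Z3Vlc3Q= is taken from the lesson; path, host,
# cookie value and body are made up for this example.
INTERCEPTED_REQUEST = (
    "POST /WebGoat/attack HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Cookie: JSESSIONID=constructedsessionid\r\n"
    "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "SUBMIT=Submit\r\n"
)

if __name__ == "__main__":
    print(credentials_from_request(INTERCEPTED_REQUEST))   # ('guest', 'guest')
    print(encode_basic("basic", "basic"))                  # Basic YmFzaWM6YmFzaWM=
```

The strict `validate=True` decode and the scheme check matter in practice: a truncated or tampered token (the very edit the second half of this lesson makes) must be rejected as malformed rather than silently decoded to something else.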

 

Figure 5 Answers

 

 

Figure 6 Part 1 completed

 

For this lesson it is very important that you understand how the JSESSIONID cookie is used for session management and how the Basic Authorization header is used for authentication. They are two separate mechanisms, and WebGoat consults the session first.

 

When WebGoat can retrieve a valid session you are automatically redirected to the lesson you are working on. When there is no valid session, WebGoat creates a new JSESSIONID and you see the first lesson, HTTP Basics.

 

When there is no session cookie, WebGoat first checks whether you have already authenticated. If not, the browser shows a pop-up window that requests your user name and password (guest/guest). Once the credentials are validated you reach the WebGoat start page and WebGoat creates a new JSESSIONID for this session.

 

To access WebGoat as the user basic, you need to corrupt both the existing JSESSIONID and the Authorization header. You can do this in WebScarab: intercept the request and delete a character from the JSESSIONID value and from the Authorization header value.

WebGoat will then require you to authenticate again, so enter basic as the user name and basic as the password. This logs you on as the user basic.

 

Remember our JSESSIONID? It is a non-persistent (session) cookie that was set during our first visit, and every request from the browser to WebGoat carries it. Corrupting the value in the intercepted request does not change the cookie stored in browser memory, which is why the old JSESSIONID is still sent with every following request.

 

Figure 7 Basic Authentication

 

You can clearly see that the JSESSIONID is the same as in the previous request, but the Authorization header now contains the Base64 encoded value of basic:basic (you can decode this value in WebScarab > Tools > Transcoder).

Figure 8 Logged on as user basic

 

 

Because the JSESSIONID is still valid, WebGoat retrieves the authenticated user from the server-side session object via getSession().getUser(), not from the Authorization header. To make WebGoat believe that you are authenticated as basic, you need to corrupt the JSESSIONID once more while leaving the Authorization header (now basic:basic) intact, as shown in the screenshot below.

 

Figure 9 Corrupt JSESSIONID

 

 

Figure 10 Start page for user basic

 

Now you are redirected to the WebGoat start page. The JSESSIONID has changed and you have lost all your green stars because the basic user hasn't completed any lesson. Go to the lesson "Basic Authentication" to complete it.

 

Figure 11 Lesson 13 Completed

 

 

Solution by Erwin Geirnaert ZION SECURITY