Lesson Plan Title: How to Exploit the Forgot Password Page

Concept / Topic To Teach:

Web applications frequently provide their users the ability to retrieve a forgotten password. Unfortunately, many web applications fail to implement the mechanism properly. The information required to verify the identity of the user is often overly simplistic.

General Goal(s):

Users can retrieve their password if they can answer the secret question properly. There is no lock-out mechanism on this 'Forgot Password' page. Your username is 'webgoat' and your favorite color is 'red'. The goal is to retrieve the password of another user.

Solution:

This lesson shows how easy it is to guess a secret question and retrieve somebody else's password.

Figure 1 Lesson 10

When you enter the user name webgoat and then the answer "red" for your favorite color, you get a password reminder, only it is shown directly on the page rather than sent via e-mail.

Figure 2 Submit the answer red

Figure 3 Password reminder for user webgoat

The password for user webgoat is webgoat. This is a weak password policy, which is also a bad thing.

Now you need to guess the password for another user. The text tells you something about an "OWASP admin". So let’s try "admin" for a user name.

Figure 4 Is there a user admin?

This works. Now you need to guess some colors.

Figure 5 There is a user admin!

Try blue, red and green, for example.

Figure 6 No blue

Blue is an incorrect response.

Figure 7 It's green!

Green is the correct answer and now you know the difficult password for user admin.
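The walkthrough above works because of three weaknesses in the reset flow: a secret answer drawn from a tiny set, no lock-out on wrong answers, and the password itself being displayed. The following is an added example (not the lesson's or WebGoat's own code) of a minimal reset handler that closes all three and also avoids confirming whether a username exists; the class, the field names and the simulated outbox are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5       # wrong answers allowed before the reset flow for that account is locked
LOCKOUT_SECONDS = 900  # lock duration (15 minutes)
TOKEN_TTL = 600        # reset-token lifetime (10 minutes)
GENERIC_MSG = "If the account exists, a reset link has been sent to the e-mail on file."
_DUMMY_SALT = secrets.token_bytes(16)  # unknown users get hashed too, so timing does not reveal existence

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise ("Red " == "red") and slow-hash, so the stored value is not the plain answer.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)

class PasswordResetService:
    def __init__(self):
        self.users = {}     # username -> {"salt", "answer_hash", "email"}
        self.attempts = {}  # username -> (failed_count, locked_until)
        self.tokens = {}    # token -> (username, expires_at)
        self.outbox = []    # (email, token) pairs; stands in for sending mail

    def register(self, username, email, answer):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "answer_hash": hash_answer(answer, salt), "email": email}

    def forgot_password(self, username, answer, now=None):
        # Same message for every outcome (no user enumeration); success only mails a one-time token, never the password.
        now = time.time() if now is None else now
        user = self.users.get(username)
        failed, locked_until = self.attempts.get(username, (0, 0.0))
        candidate = hash_answer(answer, user["salt"] if user else _DUMMY_SALT)
        if user is not None and now >= locked_until:
            if hmac.compare_digest(candidate, user["answer_hash"]):
                self.attempts.pop(username, None)
                token = secrets.token_urlsafe(32)
                self.tokens[token] = (username, now + TOKEN_TTL)
                self.outbox.append((user["email"], token))
            else:
                failed += 1
                if failed >= MAX_ATTEMPTS:
                    locked_until = now + LOCKOUT_SECONDS
                self.attempts[username] = (failed, locked_until)
        return GENERIC_MSG

    def redeem_token(self, token, now=None):
        # Returns the username for a valid, unexpired token and burns it; otherwise None.
        now = time.time() if now is None else now
        username, expires_at = self.tokens.pop(token, (None, 0.0))
        return username if username is not None and now <= expires_at else None
```

With this handler, guessing blue, red and green against "admin" as in the walkthrough produces the same message every time, and five wrong answers lock the reset flow for that account; a correct answer still never reveals the stored password.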

Solution by Erwin Geirnaert, ZION SECURITY