Lesson Plan Title: How to Bypass a Fail Open Authentication Scheme

 

Concept / Topic To Teach: Abusing error handling.

 

This lesson presents the basics for understanding the "fail open" condition in authentication. The security term "fail open" describes the behavior of a verification mechanism when an error (for example, an unexpected exception) occurs inside the verification method and causes that method to evaluate to true, granting access instead of denying it. This is especially dangerous during login.

 

General Goal(s):

The user should be able to bypass the authentication check.

 

Figure 1 Lesson 19

 

Solution:

 

Enter user name webgoat and click "Login". Intercept the request with WebScarab.

 

Figure 2 Intercepted request

 

Click on the variable "Password" and click "Delete". Click "Accept changes".

 

Figure 3 Password variable is deleted

 

You are now "authenticated" as WebGoat.

 

Figure 4 Lesson 19 Completed

 

The problem is that the exception handler in the Java code treats the caught exception as a successful authentication: the catch block runs the code path for a valid login. The exception is a NullPointerException raised when the code reads the password parameter, which no longer exists because it was deleted from the intercepted request.
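The fail-open pattern described above and its fail-closed counterpart, as an added Java example that is not WebGoat's own lesson code. The `FailOpenDemo` class, the in-memory user map and the request map are constructed stand-ins for the lesson's servlet request and credential check; the usernames, passwords and parameter names are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added example (not WebGoat's own code): a fail-open login check next to a fail-closed rewrite.
public class FailOpenDemo {

    // Constructed credential store for the demo; a real application would hold password hashes.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("webgoat", "webgoat");
    }

    // VULNERABLE (fail open): any exception raised inside the check is caught and treated
    // as success. A request with no "Password" parameter makes request.get(...) return null,
    // password.equals(...) throws NullPointerException, and the catch block grants access.
    static boolean authenticateFailOpen(Map<String, String> request) {
        try {
            String user = request.get("Username");
            String password = request.get("Password");
            String stored = USERS.get(user);
            return password.equals(stored);   // NPE when the password parameter is missing
        } catch (Exception e) {
            // BUG: the handler "recovers" from the error by returning true.
            return true;
        }
    }

    // HARDENED (fail closed): validate inputs before using them, compare with a
    // null-safe constant-time method, and make every error path deny access.
    static boolean authenticateFailClosed(Map<String, String> request) {
        boolean authenticated = false;
        try {
            String user = request.get("Username");
            String password = request.get("Password");
            if (user == null || password == null) {
                return false;   // a missing parameter is a failed login, not an error to recover from
            }
            String stored = USERS.get(user);
            authenticated = stored != null && constantTimeEquals(stored, password);
        } catch (RuntimeException e) {
            // Log the exception for investigation (omitted here); never grant access on error.
            authenticated = false;
        }
        return authenticated;
    }

    // Length- and content-independent comparison so the check leaks no timing information.
    static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }

    public static void main(String[] args) {
        // Constructed requests: one with a wrong password, one with the Password parameter removed.
        Map<String, String> wrongPassword = new HashMap<>();
        wrongPassword.put("Username", "webgoat");
        wrongPassword.put("Password", "wrong");

        Map<String, String> noPassword = new HashMap<>();
        noPassword.put("Username", "webgoat");

        System.out.println("fail-open,   wrong password : " + authenticateFailOpen(wrongPassword));   // false
        System.out.println("fail-open,   no password    : " + authenticateFailOpen(noPassword));      // true  <- bypass
        System.out.println("fail-closed, wrong password : " + authenticateFailClosed(wrongPassword)); // false
        System.out.println("fail-closed, no password    : " + authenticateFailClosed(noPassword));    // false
    }
}
```

The hardened version does two things the vulnerable one does not: it rejects a request that lacks a parameter before any method is called on a possibly null value, and it initialises the result to "denied" so that an exception anywhere in the try block leaves the user unauthenticated. The same review question applies to any verification routine: for every catch block, ask what the method returns on that path.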

 

 

Solution by Erwin Geirnaert ZION SECURITY