Lesson Plan Title: Multi Level Login 2

Concept / Topic To Teach:
A Multi Level Login should provide a strong authentication. This is archived by adding a second layer. After having logged in with your user name and password you are asked for a 'Transaction Authentication Number' (TAN). This is often used by online banking. You get a list with a lots of TANs generated only for you by the bank. Each TAN is used only once. Another method is to provide the TAN by SMS. This has the advantage that an attacker can not get TANs provided by the user.

General Goal(s):
In this lesson you have to try to break into another account. You have an own account for WebGoat Financial but you want to log into another account only knowing the user name of the victim to attack.

Solution:
The solution for this lesson is similar to the solution from multi level login 1 stage 2 but the approach is a little different. This time you have only the user name of your victim but an own account on WebGoat Financial.

Log in as Joe with password banana. Now make sure the next request will be intercepted by WebScarab. Fill in the TAN you are asked for and hit the submit button. Change now the hidden_user value from Joe to Jane and you are logged in as Jane.

Figure 1: Manipulation Of The Hidden Field With WebScarab