Lesson Plan Title: Multi Level Login 1

Concept / Topic To Teach:
A Multi Level Login should provide a strong authentication. This is archived by adding a second layer. After having logged in with your user name and password you are asked for a 'Transaction Authentication Number' (TAN). This is often used by online banking. You get a list with a lots of TANs generated only for you by the bank. Each TAN is used only once. Another method is to provide the TAN by SMS. This has the advantage that an attacker can not get TANs provided by the user.

General Goal(s):
In this Lesson you try to get around the strong authentication. You have to break into another account. The user name, password and a already used TAN is provided. You have to make sure the server accept the TAN even it is already used.

Solution:
This Lesson has two stages. The first stage is only to show how a multi level login works. In the second you have to breake the strong authentication.

Stage 1
This stage should be rather straight forward. Give in as name Jane and as password tarzan.


Image 1: Login Screen

Afthr clicking on the submit button you will be asked for the TAN.


Image 2: TAN Screen

Choose the correct TAN from the list provided, click on the submit button and you are done.

Stage 2
The first step in this stage is equal to Stage 1. Log in as Jane with tarzan. Now you will be asked for a TAN. Unfortunately you have only a already used TAN from the victim. Fill in the TAN you have and make sure that WebScarab will intercept the next request. Hit the submit button and change the hidden_tan value to 1.


Image 3: Manipulation Of The Hidden Field With WebScarab


Congratulations you are logged in as Jane.


Image 3: Manipulation Of The Hidden Field With WebScarab