Lesson Plan Title: Remote Admin Access

 

Concept / Topic To Teach:

Applications will often have an administrative interface that allows privileged users access to functionality that normal users shouldn't see. The application server will often have an admin interface as well.

 

General Goal(s):

Try to access the administrative interface for WebGoat. You may also try to access the administrative interface for Tomcat. The Tomcat admin interface can be accessed via a URL (/admin) and will not count towards the completion of this lesson.

 

Figure 1 Lesson 7

 

Solution:

 

Append &admin=true to the URL in the browser and press “Enter”.

 

Open the menu “Admin functions” and notice that you have additional menu options like “Database Dump”, “User Information” and “Product Information”.

 

Figure 2 Some extra admin functions

 

Clicking on “User Information” will not work. This is because the URL behind “User Information”, http://localhost/WebGoat/attack?Screen=71&menu=10, does not contain the parameter admin=true. Rewrite the URL to become http://localhost/WebGoat/attack?Screen=71&menu=10&admin=true

 

Remark: the parameter Screen is generated randomly and can be different in your environment!
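The flaw this lesson demonstrates is authorisation decided by a client-controlled query parameter. The following is an added example, not WebGoat's own code: the flawed check, a fixed check that reads the role from a server-side session, and a log filter that flags requests asserting admin=true from sessions that are not administrators. The session store and log lines are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed server-side session store: the role is set at login, never read from the URL.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "admin", "role": "admin"},
}

# Constructed access-log lines: "<session_id> <method> <url>".
LOG = [
    "sess-alice GET http://localhost/WebGoat/attack?Screen=71&menu=10",
    "sess-alice GET http://localhost/WebGoat/attack?Screen=71&menu=10&admin=true",
    "sess-root GET http://localhost/WebGoat/attack?Screen=71&menu=10&admin=true",
]


def admin_flag_from_url(url: str) -> bool:
    """True if the query string carries admin=true (case-insensitive value)."""
    qs = parse_qs(urlsplit(url).query)
    return any(v.lower() == "true" for v in qs.get("admin", []))


def is_admin_vulnerable(url: str, session_id: str) -> bool:
    """Flawed check, as in the lesson: trusts a parameter the client supplies."""
    return admin_flag_from_url(url)


def is_admin_fixed(url: str, session_id: str) -> bool:
    """Hardened check: only the server-side session role grants admin access;
    whatever the URL says is ignored."""
    session = SESSIONS.get(session_id)
    return session is not None and session["role"] == "admin"


def flag_suspicious_requests(log_lines):
    """Detection: return (session_id, url) for requests that assert admin=true
    while the session behind them does not actually hold the admin role."""
    hits = []
    for line in log_lines:
        session_id, _method, url = line.split()
        if admin_flag_from_url(url) and not is_admin_fixed(url, session_id):
            hits.append((session_id, url))
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_requests(LOG):
        print("privilege-escalation attempt:", hit)
```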

 

Figure 3 Lesson 7 Completed

 

Solution by Erwin Geirnaert ZION SECURITY