* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (initial release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@301 4033779f-a91e-0410-96ef-6bf7bf53c507
21 lines
956 B
HTML
<div align="Center">
<p><b>Lesson Plan Title:</b> Multi Level Login 1</p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
A Multi Level Login is meant to provide strong authentication.
This is achieved by adding a second layer: after logging in
with your user name and password you are asked for a
'Transaction Authentication Number' (TAN). This is often used
by online banking. The bank gives you a list of TANs generated
only for you, and each TAN is valid for exactly one use.
Another method is to deliver the TAN by SMS for each transaction.
This has the advantage that there is no list of unused TANs
an attacker could obtain from the user in advance.
<p><b>General Goal(s):</b> </p>
In this lesson you try to get around the strong authentication.
You have to break into another account. The user name, the password and
an already used TAN are provided. You have to make the server
accept the TAN even though it has already been used.
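The following is an added example, not WebGoat's own code and not a description of how this lesson's server is implemented. It shows in Python why the server-side bookkeeping around TANs matters: a two-stage login whose TAN check only tests whether the value appears in the user's list accepts a spent TAN a second time, while a hardened variant records which TAN it asked for, marks it consumed on success and drops the session after repeated wrong TANs. The account name, password, TAN values and session layout are all constructed for the example.

```python
# Two-stage login (password, then TAN): vulnerable and hardened variants.
# Added example, not WebGoat's implementation; all data here is constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stage 1 never compares cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    tans: list            # bank-issued list of one-time TANs, in order
    used: set = field(default_factory=set)   # indices of TANs already spent
    tan_failures: int = 0


def make_account(username: str, password: str, tans) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), list(tans))


class TanLoginBase:
    """Stage 1 (password) is shared; subclasses differ only in stage 2 (TAN)."""
    MAX_TAN_FAILURES = 3

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}  # session id -> {"user", "stage", "tan_index"}

    def next_tan_index(self, acct: Account):
        """The server, not the client, decides which TAN is asked for next."""
        for i in range(len(acct.tans)):
            if i not in acct.used:
                return i
        return None  # list exhausted; the bank would have to issue a new one

    def login(self, username: str, password: str):
        """Stage 1: returns a session id that is waiting for a TAN, or None."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": username, "stage": "tan",
                              "tan_index": self.next_tan_index(acct)}
        return sid

    def tan_prompt(self, sid: str):
        """0-based index of the TAN the user is asked for (None if exhausted)."""
        return self.sessions[sid]["tan_index"]

    def is_authenticated(self, sid: str) -> bool:
        return self.sessions.get(sid, {}).get("stage") == "authenticated"


class VulnerableTanLogin(TanLoginBase):
    """Stage 2 only asks 'is this one of the user's TANs?' and never records
    use, so a TAN that was already spent is accepted again."""

    def submit_tan(self, sid: str, tan: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None or sess["stage"] != "tan":
            return False
        acct = self.accounts[sess["user"]]
        if tan in acct.tans:  # membership only, no 'used' bookkeeping
            sess["stage"] = "authenticated"
            return True
        return False


class HardenedTanLogin(TanLoginBase):
    """Stage 2 accepts only the TAN the server asked for, marks it consumed,
    and drops the session after repeated wrong TANs."""

    def submit_tan(self, sid: str, tan: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None or sess["stage"] != "tan":
            return False
        acct = self.accounts[sess["user"]]
        idx = sess["tan_index"]
        if idx is None or idx in acct.used:
            return False
        if not hmac.compare_digest(acct.tans[idx].encode(), tan.encode()):
            acct.tan_failures += 1
            if acct.tan_failures >= self.MAX_TAN_FAILURES:
                del self.sessions[sid]  # force a fresh stage-1 login
            return False
        acct.used.add(idx)  # each TAN is used only once
        acct.tan_failures = 0
        sess["stage"] = "authenticated"
        return True


def replay_attack_succeeds(login_cls) -> bool:
    """Constructed scenario: the legitimate user spends the first TAN, then an
    attacker who knows the password and that spent TAN tries to reuse it."""
    tans = ["15648", "92483", "30175"]  # constructed TAN list
    svc = login_cls([make_account("alice", "s3cret-passw0rd", tans)])
    sid = svc.login("alice", "s3cret-passw0rd")
    if not svc.submit_tan(sid, tans[svc.tan_prompt(sid)]):
        raise RuntimeError("legitimate TAN login should succeed")
    sid2 = svc.login("alice", "s3cret-passw0rd")
    return svc.submit_tan(sid2, tans[0])  # replay of the already spent TAN
```

`replay_attack_succeeds(VulnerableTanLogin)` returns True and `replay_attack_succeeds(HardenedTanLogin)` returns False. The hardened variant also keeps the choice of which TAN to ask for on the server side, so a client cannot steer the check back to a TAN it already knows.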
<!-- Stop Instructions -->