* Solutions added * Bugfixes * Introduction added (including how to start with webgoat and useful tools) * New lesson: Password strength * New lessons: Multi Level Login * Not yet working new lesson: Session fixation (initial release) git-svn-id: http://webgoat.googlecode.com/svn/trunk@301 4033779f-a91e-0410-96ef-6bf7bf53c507
20 lines
917 B
HTML
<div align="Center">
<p><b>Lesson Plan Title:</b> Multi Level Login 2</p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
A Multi Level Login should provide strong authentication.
This is achieved by adding a second layer. After having
logged in with your user name and password you are asked
for a 'Transaction Authentication Number' (TAN). This is
often used by online banking. You get a list of TANs
generated only for you by the bank. Each TAN is used only once.
Another method is to provide the TAN by SMS. This has
the advantage that an attacker cannot get hold of the TANs
provided to the user.
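The two-step flow described above (password first, then a single-use TAN from the user's list), written out as an added example of how the server side should bind the two steps together. This is not WebGoat's own code: the `TwoStepLogin` class, its method names, and the `jane`/`joe` accounts with their TAN lists are constructed for illustration. The point it demonstrates is that the TAN step must verify against the account that was authenticated by the password step and stored server-side in the session, never against an account name supplied in the second request, and that an accepted TAN is consumed so it cannot be replayed.

```python
"""Password + TAN two-step login (added example, not WebGoat code)."""

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    # Constructed sample: a real system stores a password hash, not the password.
    password: str
    tans: set = field(default_factory=set)  # unused TANs; one is removed when accepted


@dataclass
class Session:
    # Identity is fixed by the password step; later requests cannot change it.
    username: str
    tan_verified: bool = False


class TwoStepLogin:
    def __init__(self, accounts):
        self.accounts = accounts
        self.sessions = {}

    def step1_password(self, username, password):
        """Password step. Returns an opaque session id, or None on failure."""
        account = self.accounts.get(username)
        if account is None or not hmac.compare_digest(account.password, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username=username)
        return sid

    def step2_tan(self, sid, tan):
        """TAN step. The account checked is the one bound to the session in
        step 1; the client does not name an account here. A TAN is single-use."""
        session = self.sessions.get(sid)
        if session is None or session.tan_verified:
            return False
        account = self.accounts[session.username]
        for candidate in list(account.tans):
            if hmac.compare_digest(candidate, tan):
                account.tans.remove(candidate)  # consumed: a replayed TAN fails
                session.tan_verified = True
                return True
        return False

    def authenticated_user(self, sid):
        """Identity to act on. None until both steps have succeeded."""
        session = self.sessions.get(sid)
        if session is None or not session.tan_verified:
            return None
        return session.username


def make_sample_login():
    """Fresh instance over constructed sample accounts (hypothetical data)."""
    accounts = {
        "jane": Account(password="jane-pw", tans={"15161", "43621", "98302"}),
        "joe": Account(password="joe-pw", tans={"70132", "22007"}),
    }
    return TwoStepLogin(accounts)


if __name__ == "__main__":
    login = make_sample_login()
    sid = login.step1_password("jane", "jane-pw")
    print("after password only:", login.authenticated_user(sid))  # None
    print("joe's TAN on jane's session:", login.step2_tan(sid, "70132"))  # False
    print("jane's own TAN:", login.step2_tan(sid, "15161"))  # True
    print("authenticated as:", login.authenticated_user(sid))  # jane
```

The session object, not the second request, carries the user name, so a TAN that belongs to another customer is rejected regardless of what the client sends; the set of unused TANs shrinks on each success, which is what "each TAN is used only once" means in code.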
<p><b>General Goal(s):</b> </p>
In this lesson you have to try to break into another account.
You have your own account for WebGoat Financial but you want to
log into another account knowing only the user name of the victim
to attack.
<!-- Stop Instructions -->