dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
82e32acb7731ba815e376c26133869182ae40764
WebGoat/webgoat/main/project/WebContent/lesson_solutions/MultiLevelLogin1/MultiLevelLogin1.html
wirth.marcel 82e32acb77 * Hints added 
* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (inital release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk@301 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-04-07 14:28:38 +00:00

50 lines
2.1 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Multi Level Login 1</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Multi Level Login 1</p>
<p><b>Concept / Topic To Teach:</b><br/>
A Multi Level Login should provide a strong authentication.
This is archived by adding a second layer. After having logged
in with your user name and password you are asked for a
'Transaction Authentication Number' (TAN). This is often used by
online banking. You get a list with a lots of TANs generated only
for you by the bank. Each TAN is used only once. Another method is
to provide the TAN by SMS. This has the advantage that an attacker
can not get TANs provided by the user.
</p>
<p><b>General Goal(s):</b><br/>
In this Lesson you try to get around the strong authentication.
You have to break into another account. The user name, password
and a already used TAN is provided. You have to make sure the server
accept the TAN even it is already used.
</p>
<b>Solution:</b><br/>
This Lesson has two stages. The first stage is only to show how a multi level login
works. In the second you have to breake the strong authentication.
<p>
<b>Stage 1</b><br>
This stage should be rather straight forward. Give in as name Jane
and as password tarzan. Afther clicking on the submit button
you will be asked for the TAN. Choose the correct TAN from the
list provided, click on the submit button and you are done.
</p>
<p>
<b>Stage 2</b><br>
The first step in this stage is equal to Stage 1. Log in as Jane with tarzan.
Now you will be asked for a TAN. Unfortunately the TAN you have only a already
used TAN from the victim. Fill in the TAN you have and make sure that WebScarab
will intercept the next request. Hit the submit button and change the hidden_tan
value to 1. Congratulations you are logged in as Jane.
</p>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink