WebGoat/webgoat/main/project/WebContent/lesson_solutions/MultiLevelLogin2.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Multi Level Login 2</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Multi Level Login 2</p>

<p><b>Concept / Topic To Teach:</b><br/>
A Multi Level Login should provide a strong authentication. 
This is archived by adding a second layer. After having logged 
in with your user name and password you are asked for a 
'Transaction Authentication Number' (TAN). This is often used by 
online banking. You get a list with a lots of TANs generated only 
for you by the bank. Each TAN is used only once. Another method is 
to provide the TAN by SMS. This has the advantage that an attacker
 can not get TANs provided by the user.
</p> 

<p><b>General Goal(s):</b><br/>
In this lesson you have to try to break into another account. 
You have an own account for WebGoat Financial but you want to log into 
another account only knowing the user name of the victim to attack.  
</p>

<b>Solution:</b><br/>
The solution for this lesson is similar to the solution from 
multi level login 1 stage 2 but the approach is a little different.
This time you have only the user name of your victim but an own account
on WebGoat Financial. <br><br>
Log in as Joe with password banana. Now make sure the next request will be intercepted
by WebScarab. Fill in the TAN you are asked for and hit the submit button.
Change now the hidden_user value from Joe to Jane and you are logged in 
as Jane.
<div align="left">
<img src="lesson_solutions/MultiLevelLogin2_files/success.png"><br>
<font size="2"><b>Figure 1: Manipulation Of The Hidden Field With WebScarab</b></font>
</div>

</body>
</html>