WebGoat Password Reset 2 4

PVXs
3 min read · Sep 27, 2020

WebGoat Password Reset 2

WebGoat Password Reset lesson 2

This lesson requires WebWolf. The first step is to fill in the “Forgot password” form

Reset password email sent

Use your WebGoat username as the local part of the address: username@<anything here>

WebWolf email client

And on WebWolf we have our “Forgot password” email

Lesson completed

Go back to the “Account access” form, fill it in with your email and the password from the WebWolf mail client, and the lesson is completed

WebGoat Password Reset 4

WebGoat Password Reset lesson 4

This lesson is about obtaining another user’s password

Password recovery with given credentials

Let’s fill the recover password form with the given credentials

Password recovery form on Burp

We now have our request on Burp

We know the usernames (tom, admin, larry) and the security question asks for the name of a color, so let’s try to brute-force it with Burp Intruder

Burp Intruder payload positions

In Intruder, select the “Cluster Bomb” attack type, since we have to try every username with every color name (the ones I came up with)

First payload list

The first payload list is the username one

Second payload list

Put some color names into the second payload list, then start the attack

Intruder attack complete

After Intruder has finished the attack, sort the responses by “Length” and the username-password pairs show up straight away
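As an added example (not code from this post or from the WebGoat project), here is a toy Python model of the lesson-4 recovery endpoint beside a hardened version: the vulnerable handler takes unlimited guesses and answers a correct one with a differently sized body, which is exactly what sorting by Length exposes, while the hardened one returns a single generic body, never discloses the password, throttles guesses per client and account, and moves the reset out of band as in lesson 2. The user store, answers, placeholder passwords and the MAX_ATTEMPTS threshold are constructed for the example.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample store for the example; WebGoat's real answers are not used.
USERS = {
    "tom":   {"answer": "purple", "password": "PLACEHOLDER-tom"},
    "admin": {"answer": "green",  "password": "PLACEHOLDER-admin"},
    "larry": {"answer": "yellow", "password": "PLACEHOLDER-larry"},
}

def vulnerable_recover(username, answer):
    """Models the lesson-4 endpoint: unlimited guesses, and a correct guess
    returns a body of a different length, which is the oracle that sorting
    Intruder results by Length picks up."""
    user = USERS.get(username)
    if user and user["answer"] == answer.strip().lower():
        return 200, f"Your password is: {user['password']}"
    return 200, "Sorry, the answer to the security question is wrong"

MAX_ATTEMPTS = 5                     # constructed lockout threshold
failed_attempts = defaultdict(int)   # (client_ip, username) -> failed guesses
issued_tokens = {}                   # username -> one-time reset token

GENERIC = "If the account exists, reset instructions have been sent"

def hardened_recover(username, answer, client_ip):
    """Same interface without the oracle: identical body on hit and miss,
    no password in the response, and guesses throttled per client and account."""
    key = (client_ip, username)
    if failed_attempts[key] >= MAX_ATTEMPTS:
        return 429, "Too many attempts; try again later"
    user = USERS.get(username)
    guess = answer.strip().lower().encode()
    # compare_digest keeps the comparison itself from leaking via timing
    if user and hmac.compare_digest(user["answer"].encode(), guess):
        # The reset continues out of band, as in lesson 2: a one-time token is
        # sent to the address on file, never returned to the requester.
        issued_tokens[username] = secrets.token_urlsafe(32)
    else:
        failed_attempts[key] += 1
    return 200, GENERIC
```

With the vulnerable handler the hit and miss bodies differ in length, so a Cluster Bomb run sorts the valid pairs to the top; with the hardened one every response for a client is byte-identical until the lockout kicks in, and the only thing a correct answer produces is a token delivered somewhere the requester does not see.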

This concludes WebGoat Password Reset 2 4

I hope you liked it.

PVXs — https://twitter.com/pivixih
