Hey everyone. Hopefully you had a chance to play with this individual authentication bypass, which resembles the PayPal vulnerability from a few years ago. I'm just going to walk through this as if this is my first time going through it, to go through the thought process and what steps I actually take in doing this. I'm using my Firefox browser, and it's configured to work with Burp, and I'm only intercepting POSTs from my browser. I'll go ahead and submit "test" and "test". The first thing I did, as I'm sure a lot of you tried, was actually just removing this to see what it would do. Eventually, when I realized that wasn't working, I tried replacing my inputs with a lot of data, just to see if there was some condition that would make that work, and that was a false assumption. Next, I tried replacing these security questions with security answer zero, in case there was some logical issue there where they keyed off of that. So I had security answer zero and security answer one, but that did not work either. The next thing I tried was actually incrementing security question zero to security question two and security question one to security question three. When I forwarded that, it actually did work and took me to the Change Your Password field, and I changed my password to "test" and "test", and that was the end of it. So that completed this module. Even though we got this working, in all reality you're probably not going to do this manually. So I'm going to reset this lesson and retry, and we would potentially do this in an automated fashion to give us our end result. WebGoat gets buggy sometimes, so you may have to refresh it. There we go. Lesson two. All right. So I'm only going to submit my test. It would be unrealistic for us to try every permutation to see what works.
What I tried to do the first time, without knowing what the answer was, was to put in a lot of text for questions one and two, assuming that would cause it to have an issue. That didn't work. Eventually, I started incrementing the questions to one, two and three. Maybe there was a logic issue in the back end and it didn't really have an answer for questions one, two and three. So I simply changed question zero to question two, and I left the answer empty. My thinking was: maybe the back-end logic has a question two, but they never provided an answer for it. Then I changed question one to question three, and I also removed the answer for that. So that was my thought process when I went about testing this, and that worked. I'm going to reset this again and refresh the page. All right. But obviously it's really unrealistic to try to think of every permutation, and there is a more methodical approach to this. So I'm going to put "test" again through these and intercept this. Burp has a bunch of utilities built in to make this task a little bit easier. So I am going to send this to Intruder. Intruder essentially allows us to pick parts of our payload and automatically fuzz it and go through a bunch of different scenarios. I'm going to clear what it had already picked for me. I'm not interested in fuzzing those values. I'm more interested in maybe fuzzing that zero, maybe fuzzing that one, and then fuzzing the answers to each of the questions. We also want to use the attack type Pitchfork, which allows us to individually manipulate payload zero, payload one, payload two and payload three. So going into our payloads, for one, I think I want to do Numbers, and I'm going to start from zero to 1000, and we'll try whatever that is, 10 million different tries. We're going to start from zero digits to 10 digits, and we're not going to do any fractions; we're just going to do actual integers. For payload two I want to do Numbers as well, and we're going to use the same metrics.
Actually, payload two is the second item in here. So for payload two maybe we want to do Brute forcer. I don't know what the answers would be at this point, so I would just leave it as is. For payload three we're going to want to do Numbers, and we'll just start from zero going to 10,000, and then randomly 10,000 times. We'll start with zero digits to 100 digits and no fractions. Then finally, for payload four we're going to do Brute forcer again, and we'll go from four characters to four characters. Okay. So let's go ahead and start this and see what we get. I get a warning that I have the Community Edition, so it's going to be throttled, and that's perfectly fine. I wanted to demonstrate that the Community Edition, for those of you just getting into the field, is sufficient. This is the best piece of software I've ever bought, so I definitely pay for the enterprise version every year. So we'll go ahead and start our attack, and it's going to start sending a bunch of different packets in there. I'm going to pause this so that it doesn't keep going. Very quickly you'll see that the very first time the payload was sent, it tried the defaults, and the length of the content we got back was 366. But the very second time that I tried to fuzz any of the parameters, and let's see what it tried to fuzz it with, it made our security question 3778, and "aaaa" was the answer, and then some other random security question took the second place. You notice that the content length changed. If we actually go to the responses, in the first one you'll see lessonCompleted false. In the second one you're going to see lessonCompleted true. So we actually did figure out what request we needed to send to get through this. So you could actually come back here now and rerun your entire test using your proxy in interception mode, and go through the little steps together. So I'm going to pause the video here.
What I'd like you to do is go through the code and try to find the vulnerability, or the logical flaw or configuration flaw, or whatever it may be, in this code. It is in the authentication bypass; it's in a package called org.owasp.webgoat.plugin, and it's in one of those three files. So try to find it and patch it. Make sure to take screenshots per the guidelines for each of the labs, and I'll see you in the next video.
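As an added example, not part of the video and not WebGoat's own code, the following Python models the three things the walkthrough covers in one runnable piece: a toy verifier with the kind of logic flaw the lesson behaves like (a submitted question id that was never enrolled is accepted with any answer, which is why bumping questions 0 and 1 to 2 and 3, or to 3778 with "aaaa", got lessonCompleted true), a pitchfork-style fuzz loop that finds the bypass the same way Intruder did (every request whose response length differs from the baseline is flagged), and a hardened verifier to compare against when you write your own patch. The form parameter names (secQuestion0, securityAnswer0, ...), the stored questions and answers, and the JSON response body are assumptions; the payload lists are constructed sample data.

```python
"""Toy security-question bypass, Intruder-style pitchfork fuzzing, and the fix.

Added example for the walkthrough above; not the video's code and not WebGoat's.
Parameter names, stored answers and the response JSON are assumptions.
"""
import hmac
import json

# Constructed sample data (assumption): this account enrolled questions 0 and 1 only.
STORED_ANSWERS = {"user-1": {0: "fluffy", 1: "denver"}}


def vulnerable_verify(user_id, submitted):
    """Flawed check modelled on the lesson's observed behaviour.

    `submitted` maps question id -> answer. The loop only rejects when a
    submitted question id has a stored answer that does not match, so an id
    the user never enrolled (2, 3, 3778, ...) passes with any answer at all.
    """
    stored = STORED_ANSWERS[user_id]
    if len(submitted) != len(stored):
        return False
    for qid, answer in submitted.items():
        if qid in stored and stored[qid] != answer:
            return False
    return True


def hardened_verify(user_id, submitted):
    """Fix: the submitted ids must be exactly the enrolled ids, and every
    enrolled answer must match (compared in constant time)."""
    stored = STORED_ANSWERS[user_id]
    if set(submitted) != set(stored):
        return False
    ok = True
    for qid, expected in stored.items():
        ok &= hmac.compare_digest(expected.encode(), submitted[qid].encode())
    return ok


def handle_verify_request(verify, form, user_id="user-1"):
    """Mock of the lesson endpoint: takes the POST form fields as the browser
    sends them (assumed names) and returns the JSON body the lesson would."""
    submitted = {}
    for i in (0, 1):
        submitted[int(form[f"secQuestion{i}"])] = form[f"securityAnswer{i}"]
    completed = verify(user_id, submitted)
    feedback = "Password reset allowed" if completed else "Wrong answers"
    return json.dumps({"lessonCompleted": completed, "feedback": feedback})


def pitchfork(verify, q0s, a0s, q1s, a1s):
    """Emulates Burp Intruder's Pitchfork attack: payload set N feeds position N
    and all sets advance together. As with Intruder's results table, the first
    request is the baseline and any response whose length differs is flagged.
    Returns a list of (form, lessonCompleted) for the flagged requests."""
    baseline = None
    hits = []
    for q0, a0, q1, a1 in zip(q0s, a0s, q1s, a1s):
        form = {"secQuestion0": str(q0), "securityAnswer0": a0,
                "secQuestion1": str(q1), "securityAnswer1": a1}
        body = handle_verify_request(verify, form)
        if baseline is None:
            baseline = len(body)   # the untouched "test"/"test" request
            continue
        if len(body) != baseline:
            hits.append((form, json.loads(body)["lessonCompleted"]))
    return hits


# Constructed payload sets: position 0/2 are question ids, 1/3 are answers.
Q0 = [0, 2, 3778, 0, 1]
A0 = ["test", "", "aaaa", "fluffy", "x"]
Q1 = [1, 3, 41, 1, 1]
A1 = ["test", "", "bbbb", "denver", "y"]

if __name__ == "__main__":
    for name, verify in (("vulnerable", vulnerable_verify), ("hardened", hardened_verify)):
        print(f"--- {name} verifier ---")
        for form, completed in pitchfork(verify, Q0, A0, Q1, A1):
            print(f"  lessonCompleted={completed} for {form}")
```

Against the vulnerable verifier the fuzz loop flags the unenrolled-id requests (2/3 with empty answers, 3778/41 with "aaaa"/"bbbb") as well as the one request that actually knows both answers; against the hardened verifier only the genuine answers are flagged, and the request that repeats the same question id twice is rejected by both because the id set collapses.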