[MUSIC] Hello everyone, welcome back. Today we're going to go
over the solution for WebGoat's session
management vulnerability. So first what we're going to do
is log in as guest as usual. And make sure that our Burp Suite's
proxy intercept is off. Then, we're going to go to
Session Management Flaws > Spoof an Authentication Cookie. So the scenario here is we
want to login as two users and look at what
the authentication looks like. So what we're going to do is
we're going to do that now. Log that in, okay. So, what we are going to do is now
that we are logged in as WebGoat, the user WebGoat, we are going to
turn on intercept on our proxy. And we are going to do a refresh and
this refresh will basically send over the authentication cookie from
the browser to the web server. And we will intercept that with Burp. So now here we see the auth
cookie that the the WebGoat user was given when it first logged in. Now because it performed to refresh, it's sending this auth
cookie back to the server. So let's, Type that our or remember it. Store it some place, because it looks
like that's kind of an interesting. The form of it is kind of interesting,
65432 and then a bunch of letters. So anyway, let's turn off intercept and
try out and log out and try to sign in with the second
user with the username aspect. So let's do that now and
we're going to do the same thing. We're going to turn on the intercept
functionality on Burp Proxy and we're going to do a refresh. That refresh is going to attempt
to send the browser's auth cookie back to the web server. So here we have this auth cookie and it looks eerily similar to the first users auth cookie, WebGoat. So now, if you have a look and
just view the pattern, you'll see here that WebGoat, it's auth cookie is 65432 and
then these letters. And then aspect is 65432, once again and these letters, but if you take the username WebGoat and you reverse it you will see
an interesting pattern. Where the way the last half of the auth cookie looks like is if you take and
compare the last half of the cookie that is has, WebGoat's
cookie, you'll see an interesting pattern. When you reverse the username and the match against the username and the half of the cookie,
you'll see this pattern of T-U-A-B-O-P-G-H-B-C-E-F-W-X So it looks like what it does is,
Interesting. Now, let's look at Aspect and
see if it holds with the same pattern. So you take the username Aspect and
you reverse it and then match it against, The first half of its auth cookie. So it says, so that part, U-D-F-Q-T-B, and once again you see this interesting
pattern that it matches one, it rotates, or reverses the username. And then what it does is for
each character in the reversed username, it increases its letter by one. Its letter value, so
here we see Aspect reversed and then T-U--D-E-F-P-Q-S-T and A-B. So why don't we do that with Alice? So we take Alice and
then we increment each character by one in the letter, in the letter order. So we have A to B, L to M,
I to J, C to D and E to F and then we reverse that so we get, after we reverse it. FDJN, and then B. So what happens if we we
concatenate F-D-J-M-B and 65432 together in order to get Alice's auth cookie? So let's do that now. Let's turn off intercept,
we're going to log out and we'll say Alice don't
have to give a password, Which is the fun part. So what we'll do is we'll turn
intercept on and we'll do a Log in. And here, we've got the traffic for
the login intercepted. So why don't we add the auth cookie
just like the previous users? So we go 645432 and then for Alice, it's FDJMB as we worked
out in our notepad here. Let's press Enter and then we'll
forward that request off to the server. Lets try that again. Okay, ABLMIJIGHIJ, yeah. ABC LMN IJK HIJK HIJ, yeah. CD and an EF. Okay, did I press that right? Let's turn off intercept, okay,
let's do that one more time. Alice, and intercept is on, Login, okay. And we'll add the semicolon and then say auth cookie equals 65432FDJMB and forward, aha, success! Look at that! We've been able to authenticate as Alice,
as you can see it says Welcome Alice. And we didn't even have
to enter in the password. So, as you can see,
we've been able to spoof an authentication cookie,
thanks for listening.