webgoat – WindowsTechs.com

Broken access control – (Missing Function Level Access Control lab), keeps returning error for user hash [closed]

Posted on February 9, 2023 by Jamal S

WebGoat V2023.3 – (A1) Broken access Control – Missing Function Level Access Control lab
I managed to pull the users/hashes list by changing the GET request for /WebGoat/access-control/users adding Content-Type: application/json
Got the li… Continue reading Broken access control – (Missing Function Level Access Control lab), keeps returning error for user hash [closed]→

What is happening to second response in HTTP Splitting?

Posted on March 27, 2021 by 4d4143

Doing the webgoat HTTP splitting exercise. I feel like I’m doing something wrong or there is something that I don’t understand.
The idea is that since we can control the referer parameter, we can split the request into 2 and have the serve… Continue reading What is happening to second response in HTTP Splitting?→

Cannot get WebGoat and BurpSuite talking through Chrome proxy

Posted on February 22, 2021 by hotmeatballsoup

I’m trying to play with BurpSuite by attacking a local instance of WebGoat (intentionally vulnerable web app) and am having some difficulty getting the proxy setup.
I am on a MacOS (important) and using Chrome for the browser.
WebGoat runs… Continue reading Cannot get WebGoat and BurpSuite talking through Chrome proxy→

Configuration to use OWASP WebGoat whilw online? [closed]

Posted on August 16, 2020 by o.m.

OWASP WebGoat is a deliberately insecure webapplication with a set of tutorials how to hack it (and how to protect your own application). OWASP advises to disconnect from the internet while using it since it is an insecure application afte… Continue reading Configuration to use OWASP WebGoat whilw online? [closed]→

Thinking of a Cybersecurity Career? Read This

Posted on July 24, 2020 by BrianKrebs

Thousand of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd. Continue reading Thinking of a Cybersecurity Career? Read This→

Is there a difference between editing HTTP messages manually or with burp for example? (WebGoat HTTP intercept exercise "problem")

Posted on December 24, 2019 by Ivan

I am diving now into WebGoat, there’s this little exercise in the “general” tab calle d “http proxies” which asks you to use zap/burp to intercept and modify a request, this is what is being us asked.

I understood what is … Continue reading Is there a difference between editing HTTP messages manually or with burp for example? (WebGoat HTTP intercept exercise "problem")→

Unable to proxy Webgoat localhost requests in spite of doing the necessary configurations

Posted on June 2, 2019 by Razor Sharp

I am new to Webgoat and followed all the steps required to configure Firefox and Webgoat.

1 Setup Local proxies in webgoat to run on localhost 8090
2 Exported the certificate and imported it in Firefox
3 Setup Proxy in Fire… Continue reading Unable to proxy Webgoat localhost requests in spite of doing the necessary configurations→

WebGoat 8: JWT Tokens Lesson 5 using hashcat to crack signature

Posted on April 24, 2019 by Kavish Gour

I cracked the hash, and I got this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJ0b21Ad2ViZ29hdC5jb20iLCJ1c2V… Continue reading WebGoat 8: JWT Tokens Lesson 5 using hashcat to crack signature→

CSRF methods: img vs iframe vs form/javascript

Posted on December 17, 2018 by hubbabubba

I have a questions concerning methods for executing CSRF. I did the CSRF Prompt By-pass lesson in WebGoat (Lessons -> Cross-site Scripting -> CSRF Prompt By-pass). The lesson requires you to craft an email message that sends … Continue reading CSRF methods: img vs iframe vs form/javascript→

Can anyone provide a hint for Webgoat 8’s Deserialization exercise?

Posted on November 9, 2018 by mcgyver5

Working on the Deserialization exercise in Webgoat (v. 8)

The Burp extension “Java Deserialization Scanner” detects that this page is potentially vulnerable to the Hibernate 5 (sleep) payload.

However, the payload used in… Continue reading Can anyone provide a hint for Webgoat 8’s Deserialization exercise?→