In this walk through, we will be going through the Admin lost password vulnerability section from Webgoat Labs. We will be exploring and exploiting Login panels with Admin lost password and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.
- In this challenge, we have to find the admin’s lost password and sign it with it to get the flag.
- I intercepted the request via Burpsuite and analzyed the response.
- After banging my head here and there, the only asset on the page which seems something different as it has no extension was our logo image.
- I enabled all the filter for The MIME type in our Burpsuite HTTP history and filter our logo file.
- Searching through the response for the string “Admin” reveals us the password.
- Logged in with the found password and got the flag. Submit it to complete the challenge.
admin: !!webgoat_admin_1179!!
Also Read: Webgoat – Bypass front-end restrictions
Conclusion:
So, we finally completed the Webgoat Admin lost password Vulnerability section. Next, we can mitigate these types of attacks by processing data more on the server side and not give the user the access to interfere with the application’s logic by manipulating data on client side. On that note, i will take your leave and will meet you in next one with another Webgoat vulnerability writeup, till then “Keep Hacking”.