Webgoat - Authentication Bypasses

Webgoat – Authentication Bypasses

In this walk through, we will be going through the Authentication Bypasses vulnerability section from Webgoat Labs. We will be exploring and exploiting Authentication Bypasses in Verify Account functionality and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

Authentication Bypasses

1. 2FA Password Reset

  • In this challenge, we have to bypass the 2FA Password Reset functionality which uses security questions to confirm the user’s identity.

2FA Password Reset

  • I intercepted the request via Burpsuite and changed the security question no.s in the POST payload parameter which bypass the check and thus marked our challenge as complete.

Burpsuite intercept

Changing paramters

Account verified

Also Read: Webgoat – Admin lost password



So, we finally completed the Webgoat Authentication Bypasses Vulnerability section. Next, we can mitigate these types of attacks by processing data more on the server side and not give the user the access to interfere with the application’s logic by manipulating data on client side. On that note, i will take your leave and will meet you in next one with another Webgoat vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top