In this walkthrough, we will go through the Logging Security vulnerability section from WebGoat Labs. We will explore and exploit insecure logging and learn how applications are affected by it. So, let’s get started with the hacking without any delay.
Table of Contents
1. Admin Login Logging
#Random Password admin:password
2. Logging Sensitive Information
- In this challenge, we have to find the admin password in the application log and decode it to complete the challenge.
- Look through the terminal of the running Docker instance and find the admin password in the application log output. The log line and its decoded value are shown below.
admin: ZjcwODQ5YmUtNTAyMi00MjcyLThmZDQtOWU4MTFjNGVjOWUz
Admin: f70849be-5022-4272-8fd4-9e811c4ec9e3
- Decode the base64-encoded string to obtain the password.
- Submit the credentials to complete the challenge.
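As an added example, not from the original post or from WebGoat itself, here is the defender's side of step 2: a small Python checker that scans application log lines for base64 tokens sitting next to credential keywords, decodes them, and redacts them before the log leaves the host. The log lines are constructed; the base64 value is the one shown in this walkthrough.

```python
import base64
import re

# Constructed sample log lines modelled on the WebGoat lesson. The base64 value on
# the second line is the one shown in this walkthrough; everything else is made up.
SAMPLE_LOG = """\
2024-01-01 10:00:01 INFO  LoggingLesson - Starting lesson
2024-01-01 10:00:02 INFO  LoggingLesson - Password for admin: ZjcwODQ5YmUtNTAyMi00MjcyLThmZDQtOWU4MTFjNGVjOWUz
2024-01-01 10:00:03 INFO  LoginController - Login failed for username: guest
2024-01-01 10:00:04 INFO  SessionStore - short value: YWJj
"""
# A standalone base64 run long enough to carry a real secret; 4-char tokens like "YWJj" are ignored.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")
# Words that mark a line as credential-related, so we only decode where it matters.
SECRET_HINT = re.compile(r"password|passwd|secret|token|credential", re.IGNORECASE)


def try_decode(token):
    """Return the decoded text if token is valid base64 for printable ASCII, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_leaked_secrets(log_text):
    """Return (line_no, decoded_value) for every encoded secret found on a credential line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not SECRET_HINT.search(line):
            continue
        for m in B64_TOKEN.finditer(line):
            decoded = try_decode(m.group(0))
            if decoded:
                hits.append((n, decoded))
    return hits


def redact(log_text):
    """Replace every decodable token on a credential line, so the secret never ships in the log."""
    out = []
    for line in log_text.splitlines():
        if SECRET_HINT.search(line):
            line = B64_TOKEN.sub(lambda m: "<REDACTED>" if try_decode(m.group(0)) else m.group(0), line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for n, value in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {n}: base64 token decodes to {value!r}")
```

Running it against the sample reports line 2 decoding to the UUID-style admin password, which is exactly what the lesson wants you to find by hand.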
Conclusion:
So, we have finally completed the WebGoat Logging Security vulnerability section. As this lesson shows, credentials should never be written to the log at all, since base64 encoding is not protection. Beyond that, we can mitigate these types of attacks by ensuring that all logins, access control failures and server-side input validation failures are logged with sufficient user context to identify suspicious or malicious accounts, and that the logs are retained long enough to allow delayed forensic analysis. Along with that, high-value transactions should have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar. On that note, I will take your leave and meet you in the next one with another WebGoat vulnerability writeup; till then, “Keep Hacking”.