Webgoat - Logging Security

In this walkthrough, we will be going through the Logging Security section from Webgoat Labs. We will explore and exploit insecure logging, see how an application is affected when it writes sensitive data into its own log, and look at what secure logging should do instead. So, let's get started with the hacking without any delay.

Logging Security

1. Admin Login Logging

  • The credentials used for this challenge were admin:password.

Challenge completed

2. Logging Sensitive Information

  • In this challenge, we have to find the admin password in the application log and decode it to complete the challenge.

  • Open a shell on the running Webgoat Docker container (or read its log output with docker logs) and search for the admin account name. The application has written the admin password into its own log, base64-encoded:

admin: ZjcwODQ5YmUtNTAyMi00MjcyLThmZDQtOWU4MTFjNGVjOWUz

  • Base64 is an encoding, not encryption, so anyone who can read the log can reverse it. Decoding the string gives the password:

admin: f70849be-5022-4272-8fd4-9e811c4ec9e3

  • Submit the credentials to complete the challenge.

Challenge completed
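The hunting step above can be done generically rather than by eye. The following Python script is an added example, not part of the Webgoat lesson or of the original post: it scans log lines for base64-looking tokens, decodes those that turn into printable text, and reports them. The log excerpt is constructed for the example; only the encoded admin password is the one recovered above.

```python
import base64
import binascii
import re

# Constructed sample log excerpt (not real Webgoat output). The last line mirrors the
# pattern met in the lesson: a base64 string logged next to the admin account name.
SAMPLE_LOG = """\
2024-01-01 10:00:01 INFO  Started WebGoat in 12.3 seconds
2024-01-01 10:00:02 INFO  Tomcat started on port(s): 8080 (http)
2024-01-01 10:00:03 INFO  Password for admin: ZjcwODQ5YmUtNTAyMi00MjcyLThmZDQtOWU4MTFjNGVjOWUz
"""

# Runs of 12+ base64 alphabet characters with optional padding, not glued to other
# base64 characters. 12 is an arbitrary floor (9 decoded bytes) that skips short words;
# longer ordinary words that slip through are rejected by the decode step below.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")


def decode_if_text(token):
    """Return the decoded string if token is valid base64 of printable ASCII, else None.
    Hex session IDs and genuine binary blobs also match the regex; they are dropped
    here because they decode to non-ASCII or non-printable bytes."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_encoded_secrets(log_text):
    """Return (line_number, token, decoded) for every token that decodes to readable text."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for token in B64_TOKEN.findall(line):
            decoded = decode_if_text(token)
            if decoded is not None:
                hits.append((lineno, token, decoded))
    return hits


if __name__ == "__main__":
    for lineno, token, decoded in find_encoded_secrets(SAMPLE_LOG):
        print(f"line {lineno}: {token} -> {decoded}")
```

Run it against a real log with `find_encoded_secrets(open("webgoat.log").read())`. Expect some noise from legitimate base64 (JWT segments, Basic auth headers, Kafka keys); that noise is itself worth reviewing, since a Basic auth header in a log is the same bug as the password above.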

Conclusion

So, we finally completed the Webgoat Logging Security vulnerability section. The lesson shows what happens when an application writes a secret into its own log: base64 encoding hides nothing from anyone who can read the log file. Mitigation starts with never logging credentials, session tokens or other secrets in any encoding. Beyond that, make sure all login, access-control failures and server-side input validation failures are logged with sufficient user context to identify suspicious or malicious accounts, and are retained long enough to allow delayed forensic analysis. High-value transactions also need an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar. On that note, I will take your leave and will meet you in the next one with another Webgoat vulnerability writeup; till then, "Keep Hacking".
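To make the mitigations above concrete, here is an added Python example (my own illustration, not code from Webgoat or from the original post) of a minimal audit logger: login events carry the context needed to spot abuse (who, from where, outcome, when), credential fields are redacted before anything is stored, and records are hash-chained so that an edited or deleted entry fails verification. The field names, the SENSITIVE_KEYS list and the sample events are assumptions made for the example.

```python
import hashlib
import json

# Hypothetical list of field names whose values must never reach the log,
# however they are encoded; base64 is not protection, as the lesson showed.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization"}

GENESIS = "0" * 64  # previous-hash value for the first record


def redact(event):
    """Return a copy of the event with sensitive values masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in event.items()}


def _digest(seq, event, prev):
    """Canonical SHA-256 over the record body; sort_keys keeps it deterministic."""
    body = json.dumps({"seq": seq, "event": event, "prev": prev},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit trail. Every record commits to the hash of
    the record before it, so editing, reordering or deleting one breaks verify()."""

    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        safe_event = redact(event)  # redaction happens before the hash is computed
        record = {"seq": seq, "event": safe_event, "prev": prev,
                  "hash": _digest(seq, safe_event, prev)}
        self.records.append(record)
        return record

    def verify(self):
        """True if every record is intact and the chain is unbroken."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return False
            if _digest(rec["seq"], rec["event"], rec["prev"]) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def login_event(ts, username, outcome, source_ip, **extra):
    """Login record with the context needed to spot abuse: who, from where, result, when.
    Extra fields (e.g. a submitted password) are carried along and redacted on append."""
    event = {"ts": ts, "action": "login", "username": username,
             "outcome": outcome, "source_ip": source_ip}
    event.update(extra)
    return event


def demo():
    """Build a short trail, tamper with it, and return (verify_before, verify_after)."""
    log = AuditLog()
    # Constructed sample events; the password value is included only to show redaction.
    log.append(login_event("2024-01-01T10:00:00Z", "admin", "failure", "10.0.0.5",
                           password="hunter2"))
    log.append(login_event("2024-01-01T10:00:07Z", "admin", "success", "10.0.0.5"))
    before = log.verify()
    log.records[0]["event"]["outcome"] = "success"  # attacker rewrites a failed attempt
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(demo())
```

The chain only detects tampering; it does not prevent it. An attacker who controls the log store can recompute every hash after the edit, so the latest hash should be anchored somewhere the application host cannot rewrite (shipped to a separate log collector, or replaced by an HMAC under a key held only by that collector). That is the "or similar" in the append-only table recommendation.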
