# Broken Authentication with bWAPP

## URL: [`http://192.168.31.112:8086`](http://192.168.31.112:8086)

Let's exploit this vulnerability in practice.

* Open **bWAPP**
* Click on **Install**
* Log in with the username `bee` and the password `bug`
* Click on **Broken Auth. - Insecure Login Forms** and then **Hack**

![](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWptzs7WTKzvZohM4MQ%2F-LWpuy9oE8rYWDS0W8-B%2F1B7BF49A-4D49-4995-8CB7-26250BFC6FDA.png?alt=media\&token=b00476e3-c9bb-4f67-9bca-80500b14ee86)

![Broken Auth. – Insecure Login Forms](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQx6zChodVVZzM-KH%2Fbroken-auth.-insecure-login-forms.jpg?generation=1547571289211848\&alt=media)

**Read through the code and see if you can find something interesting**

![Credentials in Code](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQx70DsTQFByDkYhs%2Fcredentials-in-code.png?generation=1547571288888141\&alt=media)

So, when you view the page source (right-click the page and select View Page Source), you should see the user credentials stored in the HTML.

This lets an attacker authenticate with ease. It is rarely this easy in real-world applications, but sifting through HTML comments and hidden form fields is still good practice during any review, because this is exactly where leftover credentials and debug values tend to hide.

![Insecure Login](https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWHQt-EMiiOHTuosAKW%2F-LWHQx72GOQIKrFtU5IN%2Finsecure-login.jpg?generation=1547571289462239\&alt=media)

**Challenge Completed**

Now we will look at another code-level flaw. Select `Session Mgmt. – Administrative Portals` and set the security level to `low`.

<div align="left"><img src="https://990422818-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LWGXF4oLcghA1GLq0CM%2F-LWptzs7WTKzvZohM4MQ%2F-LWpw6jyPojosGG_lx54%2F43D5EAF4-214A-425D-AE34-43CB27C4083A.png?alt=media&#x26;token=be6c95e2-d0f4-42c4-98de-70eb00ccb42e" alt=""></div>

Look at the URL `/bWAPP/smgmt_admin_portal.php?admin=0`: a parameter is appended after the `?` with the value `0`. The state that decides whether you are treated as an administrator is carried in the query string, where anyone can see it and change it.

Let’s change the value from `0` to `1`.

If your URL differs, go to <http://192.168.31.112:8086/smgmt_admin_portal.php?admin=1>.
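Both flaws on this page come down to trusting what the client can see or edit. The added example below is not bWAPP's code: it scans a constructed login page for credential-looking HTML comments and hidden fields (the Insecure Login Forms pattern), and contrasts an `admin=` query flag with a lookup in a constructed server-side session store (the Administrative Portals pattern).

```python
"""Added example, not bWAPP's own code. The HTML page and the session store
are constructed for the demo; the URLs mirror the ones used in this walkthrough."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

CRED_WORDS = ("user", "login", "pass", "pwd", "secret", "token")


class CredLeakScanner(HTMLParser):
    """Collect HTML comments and hidden <input> fields that mention credential words."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        if any(w in data.lower() for w in CRED_WORDS):
            self.findings.append(("comment", data.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "").lower() == "hidden":
            if any(w in (a.get("name") or "").lower() for w in CRED_WORDS):
                self.findings.append(("hidden", f"{a.get('name')}={a.get('value')}"))


def scan_html(source):
    """Return (kind, detail) findings for comments/hidden fields worth a manual look."""
    scanner = CredLeakScanner()
    scanner.feed(source)
    return scanner.findings


# Constructed page: a login form with a leftover developer comment and a hidden token.
SAMPLE_HTML = """<form action="login.php" method="POST">
<!-- remove before release: admin login = demo_user / demo_pass -->
<input type="hidden" name="secret_token" value="abc123">
<input type="text" name="login"><input type="password" name="password">
</form>"""

# Constructed server-side session store: session id -> attributes set at login.
SESSIONS = {"s1": {"role": "user"}, "s2": {"role": "admin"}}


def is_admin_vulnerable(url):
    """The flawed check: trusts a client-supplied flag, as ?admin=1 does in the challenge."""
    return parse_qs(urlparse(url).query).get("admin", ["0"])[0] == "1"


def is_admin_hardened(url, session_id):
    """The fixed check: the query string is ignored; the role comes only from the session."""
    return SESSIONS.get(session_id, {}).get("role") == "admin"
```

With the hardened check, `?admin=1` changes nothing unless the server-side session already carries the admin role.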
