Type the Username and Password as "bee" and "bug" respectively
Click on Broken Auth. - Insecure Login Forms and then "Hack"
Broken Auth. – Insecure Login Forms
Read through the code and see if you can find something interesting
Credentials in Code
So, when you view the page source (right click on page and select view page source), you should see the user credentials stored in the HTML.
This lets hackers authenticate with ease. You will rarely see this in real-world applications, though. In general, we sift through the HTML comments and hidden fields, which I would say is good practice.
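An added example, not part of the original walkthrough: a small Python check that automates the source review described above for a page you maintain, listing HTML comments that mention credentials, pre-filled login inputs and hidden fields. The sample markup, field names and values are constructed placeholders, not bWAPP's own HTML.

```python
from html.parser import HTMLParser
import re

# Constructed sample page (placeholder names and values, not bWAPP's markup).
SAMPLE_HTML = """
<html><body>
<!-- TODO remove before release: test account demo_user / demo_pass -->
<form action="/login" method="POST">
  <input type="text" name="login">
  <input type="password" name="password" value="demo_pass">
  <input type="hidden" name="role" value="user">
  <input type="hidden" name="csrf_token" value="c0ffee"/>
</form>
</body></html>
"""

# Words that suggest a comment is talking about credentials.
KEYWORDS = re.compile(r"pass(word|wd)?|secret|credential|login|account", re.I)


class SourceAudit(HTMLParser):
    """Collects (kind, detail) findings while parsing delivered HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        # Comments are shipped to every visitor, so flag credential talk.
        if KEYWORDS.search(data):
            self.findings.append(("comment", data.strip()))

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        kind = (a.get("type") or "text").lower()
        name, value = a.get("name") or "", a.get("value") or ""
        if kind == "hidden":
            # Hidden fields are client-controlled: list all of them for review.
            self.findings.append(("hidden-field", f"{name}={value}"))
        elif kind in ("text", "password") and value:
            # A login input that arrives with a value already filled in.
            self.findings.append(("prefilled-value", f"{name}={value}"))


def audit(html):
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML):
        print(f"{kind:16} {detail}")
```

Every hidden field is reported, not only the suspicious-looking ones, because any value the browser sends back can be changed by the user and has to be re-validated on the server.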
Now we will look at another code-level flaw. Select Session Mgmt. – Administrative Portals and set the security level to low.
Notice the URL /bWAPP/smgmt_admin_portal.php?admin=0: a parameter with the value 0 is appended after the ?, which means the session ID was passed in the query string, where anyone could see and manipulate the value.