Security Misconfiguration

Security Misconfiguration in WebGoat

Step 1 − Launch WebGoat, navigate to the Insecure Configuration section, and let us try to solve that challenge. A snapshot of the same is provided below −

Step 2 − We can try out as many options as we can think of. All we need is the URL of the config file, and we know that developers follow some kind of naming convention for config files. It can be any of the names listed below.

It is usually done by the brute force technique, trying candidate names one by one:

web.config
config
appname.config
conf

Step 3 − Upon trying various options, we find that http://10.0.2.6/WebGoat/conf is successful.

The following page is displayed if the attempt is successful −
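From the defender's side, the probing described in Steps 2 and 3 leaves a distinctive trail in the web server access log: a burst of requests for configuration-style filenames, mostly answered with 404, and (when the misconfiguration exists) a 2xx for the one that is actually exposed. The following Python script is an added example, not part of the original lesson or of WebGoat itself. It parses combined-format access log lines, flags requests whose path ends in one of the config names the page lists (plus a couple of conventional extras, which are an assumption), and reports each client that either probed repeatedly or received a successful response for a config path. The log lines and client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined log format); not real traffic.
# The client 10.0.2.15 walks the candidate names from the lesson and finally
# gets a 200 on /WebGoat/conf, mirroring the page's Step 3.
SAMPLE_LOG = """\
10.0.2.15 - - [01/Jan/2024:10:00:01 +0000] "GET /WebGoat/attack HTTP/1.1" 200 5120
10.0.2.15 - - [01/Jan/2024:10:00:02 +0000] "GET /WebGoat/web.config HTTP/1.1" 404 210
10.0.2.15 - - [01/Jan/2024:10:00:03 +0000] "GET /WebGoat/config HTTP/1.1" 404 210
10.0.2.15 - - [01/Jan/2024:10:00:04 +0000] "GET /WebGoat/WebGoat.config HTTP/1.1" 404 210
10.0.2.15 - - [01/Jan/2024:10:00:05 +0000] "GET /WebGoat/conf HTTP/1.1" 200 1337
10.0.2.99 - - [01/Jan/2024:10:00:06 +0000] "GET /WebGoat/images/logo.png HTTP/1.1" 200 8000
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Last path segment that looks like a configuration file. The names web.config,
# config, <anything>.config and conf come from the lesson; .env and web.xml are
# added here as an assumption about other common deployment leftovers.
CONFIG_NAME_RE = re.compile(
    r'(^|/)([\w.-]*\.config|config|conf|\.env|web\.xml)$', re.IGNORECASE
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int) or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_config_probe(path):
    """True if the request path (query string ignored) targets a config-style name."""
    path = path.split("?", 1)[0]
    return bool(CONFIG_NAME_RE.search(path))


def detect_probing(log_text, threshold=3):
    """Group config-file requests by client.

    Returns {ip: {"probes": [paths], "exposed": [paths]}} for every client that
    either issued at least `threshold` config-name requests (enumeration) or
    received a 2xx for one of them (a config file is actually reachable).
    """
    per_ip = defaultdict(lambda: {"probes": [], "exposed": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_config_probe(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["probes"].append(rec["path"])
        if 200 <= rec["status"] < 300:
            entry["exposed"].append(rec["path"])
    return {
        ip: e for ip, e in per_ip.items()
        if len(e["probes"]) >= threshold or e["exposed"]
    }


if __name__ == "__main__":
    for ip, info in detect_probing(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['probes'])} config-name requests, "
              f"exposed: {info['exposed'] or 'none'}")
```

The "exposed" list is the actionable part: a 2xx on a config path means the file is served to anonymous clients and the fix is on the server (deny those paths or move the files out of the web root), not just blocking the one client. The probe count catches the enumeration even when every attempt fails, which is the signal to tune against the server's own noise before alerting on it.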
