Skip to content

Lab 05 Broken Authentication

Jump to bottom
Tomas Rosenqvist edited this page Nov 16, 2018 · 17 revisions

Broken authentication

Challenge "Password strength"

  1. Download the password dictionary to your computer.
  2. Start OWASP ZAP.
  3. Launch Firefox with ZAP as its proxy by selecting Firefox in the dropdown and then clicking the "Launch Browser" button.
  4. Enter your Juice Shop url.
  5. Go to the Login page and attempt to login using admin@juice-sh.op as the username and a random non-empty password.
  6. Check the History tab in ZAP.
  7. Select the most recent HTTP POST request and inspect the request and response.
  8. Right click the POST request and choose Attack -> Fuzz.
  9. Select the password you entered in the Body and click Add.
  10. Click Add and add a File Fuzzer, using the dictionary you downloaded in step 1 as the source.
  11. Start the Fuzzer.
  12. Check if any of the fuzzed requests generated anything useful.

Questions

  • How could this vulnerability be negated in the application?

Recommended reading

Clone this wiki locally