Pantek Library

Fail Open Authentication and Parameter Injection

From: Indian Tiger <indiantiger(at)mailandnews.com>
Date: Thu Feb 21 2002 - 13:44:26 EST


Hi,

I am learning Web Application Security Penetration Testing using WebGoat. I have some queries on this.

Fail Open Authentication
WebGoat's step 3 says: "Try removing password parameter with Achilles." How is that possible? Is there any chance that the server doesn't even check the password if we remove the password parameter?

Parameter Injection
What could be the scenario where a site is vulnerable to Parameter Injection?
I have given this some thought but am not able to think how exactly it works in practice.
WebGoat has given an example like this: 'blah & netstat -a & ipconfig'. But where would a developer allow such values to be inserted?

Any help on this would be highly appreciated.

Thanking You.
Sincerely,

Indian Tiger, CISSP

Received on Mon Mar 24 13:48:46 2003
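
The fail-open situation asked about in the post, as an added example that is not part of the original message and is not WebGoat's code: a login check that starts from "allowed" and swallows errors lets a request with the password parameter removed through, while a deny-by-default check rejects it. The names USERS, login_fail_open and login_fail_closed and the sample credentials are assumptions made for this illustration.

```python
import hmac

# Constructed sample credential store (hypothetical; plaintext only to keep the example short).
USERS = {"webgoat": "s3cret"}


def login_fail_open(params):
    """Vulnerable pattern: any error during the check leaves the caller authenticated."""
    authenticated = True  # optimistic default is the root of the problem
    try:
        username = params["username"]
        password = params["password"]  # raises KeyError when the parameter was removed
        if USERS.get(username) != password:
            authenticated = False
    except Exception:
        # Error is swallowed, so the "authenticated = False" line never ran.
        pass
    return authenticated


def login_fail_closed(params):
    """Hardened pattern: deny by default, grant only on an explicit match."""
    username = params.get("username")
    password = params.get("password")
    # A missing or non-string parameter is a failed login, not an error to ignore.
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    expected = USERS.get(username)
    if expected is None:
        return False
    # Constant-time comparison of the two byte strings.
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    # Constructed requests: correct password, wrong password, password parameter removed.
    requests = [
        {"username": "webgoat", "password": "s3cret"},
        {"username": "webgoat", "password": "wrong"},
        {"username": "webgoat"},
    ]
    for req in requests:
        print(sorted(req), login_fail_open(req), login_fail_closed(req))
```

When reviewing real code for this defect, look for authentication or authorization flags initialised to a permissive value and for catch-all exception handlers around the check.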

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
