
WebGoat-Introduction

2025-01-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Introduction

It is divided into two parts, WebGoat and WebWolf.

WebGoat was discussed in the previous article. WebWolf is used in conjunction with WebGoat, as can be seen from its introduction, which lists three functions:

Hosting a file; receiving email; a landing page for incoming requests.

-lovely dividing line

Four lessons

Lesson 1 and lesson 2 are tutorials, while lessons 3 and 4 have red icons. These are the tasks we need to complete, and the icons turn green when they are finished.

Let's start

Lesson 1 is an introduction to WebWolf. Lesson 2 talks about XXE (XML external entity), which will come up again later with SQL injection.

Lesson3

Mission goal

Send an email (email format: username@webgoat.org) in WebGoat, receive the mail in WebWolf, and fill the received code into WebGoat.

1. Send the mail (WebGoat)

2. Receive the email (WebWolf)

The answer comes out.

Fill in the code to complete

Done!

Lesson4

1. Click the link to reset the password

2. You can see the input in the web developer tools

In the same way, fill in the code to complete

Done!

-dividing line

A brief explanation of the two simple phishing test procedures (provided by WebGoat)

Suppose we tricked a user to click on a link he/she received in an email (the user is deceived into clicking the link, which is the bait), this link will open up our crafted password reset link page (it opens the password reset page). The user does not see any difference with the normal password reset page of the company (the user does not notice). The user enters a new password and hits enter (the user enters the new password and presses Enter), the new password will be sent to your host (the new password is sent to us). In this case the new password will be sent to WebWolf (in this exercise, of course, it is sent to WebWolf). Try to locate the unique code.

Please be aware that after resetting the password the user will receive an error page; in a real attack scenario the user would probably see a normal success page (this is due to a limit in what we can control with WebWolf). (In a real phishing case the user may see a success page; that would need to be tried in practice, since what WebWolf can do is limited.)
