username=attacker&securityQuestion=What+is+your+favorite+color%3F&answer=red The server accepts this because it only checks that answer matches the securityQuestion for some user – but it doesn’t tie the answer to the original username ( tom ). The server now thinks you (attacker) have correctly answered the security question and sends a reset code to your email (simulated in WebGoat’s console or logs). Look for a line like: Your password reset code is: 123456 Step 5: Reset the Victim’s Password Now send the final POST request to actually change the password. Intercept the password reset submission and modify it as follows:

WebGoat (OWASP’s deliberately insecure web application) is the perfect training ground for understanding real-world security flaws. Lesson 6 – Password Reset focuses on a classic logic flaw: Insecure Password Recovery .

Always ask: “Does each step of this process cryptographically prove that the user is who they claim to be?” Try it yourself: Download WebGoat (https://github.com/WebGoat/WebGoat) and complete Lesson 6. Then fix the code and re‑test.

The request will look something like this:

POST /WebGoat/PasswordReset/reset/reset-password/confirm-password-reset ... username=tom&resetCode=123456&newPassword=Hacked123!

POST /WebGoat/PasswordReset/reset/reset-password/answer-security-question Host: localhost:8080 ... username=tom&securityQuestion=What+is+your+favorite+color%3F&answer=red The trick: the server does not verify if the username matches the person answering the question. Change the username parameter to your own account (e.g., attacker ) but keep the securityQuestion and answer unchanged.

2 Comments

  1. Reset 6: Webgoat Password

    username=attacker&securityQuestion=What+is+your+favorite+color%3F&answer=red The server accepts this because it only checks that answer matches the securityQuestion for some user – but it doesn’t tie the answer to the original username ( tom ). The server now thinks you (attacker) have correctly answered the security question and sends a reset code to your email (simulated in WebGoat’s console or logs). Look for a line like: Your password reset code is: 123456 Step 5: Reset the Victim’s Password Now send the final POST request to actually change the password. Intercept the password reset submission and modify it as follows:

    WebGoat (OWASP’s deliberately insecure web application) is the perfect training ground for understanding real-world security flaws. Lesson 6 – Password Reset focuses on a classic logic flaw: Insecure Password Recovery . webgoat password reset 6

    Always ask: “Does each step of this process cryptographically prove that the user is who they claim to be?” Try it yourself: Download WebGoat (https://github.com/WebGoat/WebGoat) and complete Lesson 6. Then fix the code and re‑test. Intercept the password reset submission and modify it

    The request will look something like this: Then fix the code and re‑test

    POST /WebGoat/PasswordReset/reset/reset-password/confirm-password-reset ... username=tom&resetCode=123456&newPassword=Hacked123!

    POST /WebGoat/PasswordReset/reset/reset-password/answer-security-question Host: localhost:8080 ... username=tom&securityQuestion=What+is+your+favorite+color%3F&answer=red The trick: the server does not verify if the username matches the person answering the question. Change the username parameter to your own account (e.g., attacker ) but keep the securityQuestion and answer unchanged.

  2. I hope the Rafael is not the father maybe Scott threw out Rafael’s sperm and replaced it with his. That would be great! Jane should pick Rafael
    there on screen chemistry is great . He is the father. Michael should
    fall for Petra I like them together.

Comments are closed.

Related Articles

No Picture
Competition

Cycle 20 of “America’s Next Top Model” will include male models

October 16, 2012 Jeff Pfeiffer Competition, Reality TV, TV News & Program Updates

The CW announced today that it has ordered a 20th cycle of its hit reality series America’s Next Top Model. As part of the network’s ongoing strategy to increase its amount of summer programming, it says that Cycle 20 of ANTM will debut in Summer 2013 (no premiere date yet). In even bigger news, for the first time, male models will be added to the group of contestants competing for the title of America’s Next Top Model. The men will move into the models’ house alongside the women. The CW also says that in Cycle 20, viewers will continue to […]

No Picture
Comedy

Recap: Crazy Ex-Girlfriend Episode 1 – Josh Just Happens to Live Here!

October 12, 2015 StayTuned Staff Comedy, Recap

Recap: Crazy Ex-Girlfriend Episode 1: “Josh Just Happens to Live Here!” The CW, original airdate Mon. 10/12/15 (For all Crazy Ex recaps, click here.) The long-awaited CW hourlong musical comedy Crazy Ex-Girlfriend premiered tonight, and in my humble opinion, it was fantastic. The show’s co-creator and star Rachel Bloom is hilarious — and I already can’t wait for next week. For those of you who missed the premiere and plan on watching it later, go no further in this blog, as I’m recapping the whole kit and caboodle. Spoilers abound! (But when you’re done watching, I beg you in my own […]

No Picture
Comedy

Jane the Virgin Chapter 49 recap: The Witch is Back!

November 14, 2016 StayTuned Staff Comedy, Drama, Recap

It’s been three months since poor Petra has been paralyzed and Anezka has been running her life. Luckily, after last week’s episode of Jane the Virgin, Jane and Rafael feel they’ve cracked Anezka’s dirty plan. Alba finally caved in and let Jane read all the letters from her sister, Cecilia. She didn’t expect to receive a phone call from her sister after letting Jane read the letters. After 42 years of not having Cecilia in her life, Alba is furious that Jane made contact by donating to the family’s fund for medicine. Ouch! Alba has never been mad at Jane […]

© 2025 StayTuned Magazine