From aldeid
Jump to: navigation, search


Data tampering is used to bypass controls that are executed on client side. in this lesson, you will learn how to use the Interceptor to tamper a request in order to divert the sending of a mail.


Our example will be based on WebGoat, Bypass a Path Based Access Control Scheme. In this example, there is a given list of files you can view by clicking on the "View File" button:


The list of files is taken from this directory: /usr/local/www/webgoat/tomcat/webapps/webgoat/lesson_plans/English/

We would like to access this file: /usr/local/www/webgoat/tomcat/webapps/webgoat/main.jsp

From the current directory, the relative path to our target is: ../../main.jsp. This is what we call a Directory Traversal attack.

To do it with Watobo, open the interceptor mode (Tools > Interceptor) and check the "Requests" checkbox.

Point your browser to http://localhost:8080/webgoat/attack?Screen=99&menu=200, select a file from the list and click on the "View file" button. Go back to Watobo and analyze the request:


We notice that the filename is transmitted as a parameter. Transform the request by replacing the initial filename with "../../main.jsp" and click on the "Accept" button. You have bypassed the control executed on the client side!