From aldeid
Jump to navigation Jump to search


Data tampering is used to bypass controls that are executed on client side. in this lesson, you will learn how to use the Interceptor to tamper a request in order to divert the sending of a mail.


Our example will be based on WebGoat, Bypass a Path Based Access Control Scheme. In this example, there is a given list of files you can view by clicking on the "View File" button:


The list of files is taken from this directory: /usr/local/www/webgoat/tomcat/webapps/webgoat/lesson_plans/English/

We would like to access this file: /usr/local/www/webgoat/tomcat/webapps/webgoat/main.jsp

From the current directory, the relative path to our target is: ../../main.jsp. This is what we call a Directory Traversal attack.

To do it with Watobo, open the interceptor mode (Tools > Interceptor) and check the "Requests" checkbox.

Point your browser to http://localhost:8080/webgoat/attack?Screen=99&menu=200, select a file from the list and click on the "View file" button. Go back to Watobo and analyze the request:


We notice that the filename is transmitted as a parameter. Transform the request by replacing the initial filename with "../../main.jsp" and click on the "Accept" button. You have bypassed the control executed on the client side!