
Authentication Flaws


Read the lessons under "Authentication Flaws."



Work the exercises of "Authentication Flaws."

The practice "Basic Authentication" requires WebScarab to view and edit the HTTP traffic. Some hints:

  • Once you start WebScarab, configure it in the menu Tools->Proxies, using "" port "3128" as "HTTP Proxy".
  • Then configure your browser to use that proxy (in Firefox: Edit->Preferences, Network, Settings; as HTTP Proxy use with port 3128, and remove and localhost from the "No proxy for" section).
  • After that, start a session with WebGoat. When you intercept requests with WebScarab, you will see that every request includes a header called Authorization, carrying the login and password encoded in base64. To decode it you can use an online service or the transcoder included in WebScarab under Tools->Transcoder.
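To see exactly what the Authorization header hands over, here is an added example (not part of the course material or of WebScarab) that pulls the Basic credentials out of a captured request and rebuilds the header value. The request text, host and the guest:guest credentials are sample values constructed for the example.

```python
import base64
import binascii

# Constructed sample of a request as WebScarab would show it; the host and
# the guest:guest credentials are made up for this example.
SAMPLE_REQUEST = (
    "GET /WebGoat/attack HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def extract_basic_credentials(raw_request: str):
    """Return (username, password) from a Basic Authorization header.

    Returns None when the request carries no Basic credentials (no header,
    or another scheme such as Bearer/Digest). Raises ValueError when the
    header is present but the token is not valid base64 or lacks a colon.
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"malformed Basic token: {token!r}") from exc
        # Only the first colon separates user from password (RFC 7617),
        # so a password that itself contains ':' is preserved intact.
        user, sep, password = decoded.partition(":")
        if not sep:
            raise ValueError("Basic token lacks the user:password separator")
        return user, password
    return None


def encode_basic_credentials(user: str, password: str) -> str:
    """Build the header value the browser sends: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

Because the decoder recovers the plaintext password from any capture, Basic authentication is only as private as the transport carrying it.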


Briefly discuss your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Did you have any issues installing the tools? Was it too much or too little work? Anything to add to it to make it better for the next round of students? Anything else you’d like to discuss about this week’s lesson?

A discussion works best when there are at least two people involved so I encourage you to comment on other people’s posts!

Task Discussion