OWASP Bricks Login Pages

Imported the OWASP virtual machine in VirtualBox and attached it to the internal network. Logged into the OWASP virtual machine using username 'root' and password 'owaspbwa'. In Kali, navigated to http://10.10.10.6/owaspbricks/login-1/ to access the first challenge.

In the username and password fields, entered: test' or 'a'='a

Login successful!

Navigated to http://10.10.10.6/owaspbricks/login-2/. Tried the same values for username and password as before. An error window indicated that this form will not accept special characters.

To modify the POST request so that it carries my special characters anyway (the check is client-side only), I configured the browser to use a manual proxy.

Started a Burp Suite session and, under Proxy, enabled Intercept. On the login page, entered 'potato' for username and 'tomato' for password. In the intercepted request, modified the username and password parameters to test' or 'a'='a and forwarded the request.

Login successful!

Disabled Intercept and navigated to http://10.10.10.6/owaspbricks/login-3/. Entered the username and password as in the first brick. Login unsuccessful, but the error received indicated that our syntax should probably be modified to account for parentheses.

Entered test') or ('a'='a for username and password. Successful login!

Navigated to http://10.10.10.6/owaspbricks/login-4/. Entered the username and password as in login-3. Login unsuccessful, but the error received indicated that our syntax should probably be modified to account for quotation marks.

Entered test") or ('a'="a for username and password. Successful login!

Navigated to http://10.10.10.6/owaspbricks/login-5/. Entered the username and password as in login-3. Login unsuccessful, but the error received indicated that hashing is at play.

Entered test' or 'a'='a'# for username and 38150e50e04a5508425197a1f78d54ec for password. Login successful!
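Why the login-1 and login-3 payloads above work, and what stops them, as an added example that is not part of the write-up or of Bricks itself: a constructed in-memory SQLite user table (Bricks uses PHP and MySQL, but the quoting problem is identical) with two assumed query shapes mirroring the single-quote and parenthesised forms, one built by string concatenation and one using bound parameters.

```python
import sqlite3

# Constructed stand-in for the Bricks user table (not the real schema or data).
def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

# Assumed query shapes for the two bricks; they mirror the quoting the
# write-up's payloads close, not the actual Bricks source.
TEMPLATES = {
    "login-1": "SELECT name FROM users WHERE name='{u}' AND password='{p}'",
    "login-3": "SELECT name FROM users WHERE name=('{u}') AND password=('{p}')",
}

def login_concat(brick, username, password):
    """Vulnerable: input is spliced into the SQL text, so a quote in the
    input ends the literal and the rest becomes query logic.  With the
    login-1 payload the WHERE clause ends in "... or 'a'='a'", which is
    true for every row, so the first user is returned without a password."""
    sql = TEMPLATES[brick].format(u=username, p=password)
    conn = open_db()
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed query, e.g. wrong closing syntax for this brick
    finally:
        conn.close()

def login_param(username, password):
    """Hardened: bound parameters.  The driver passes the input as data,
    so test' or 'a'='a is only ever compared as a literal username."""
    conn = open_db()
    try:
        row = conn.execute(
            "SELECT name FROM users WHERE name=? AND password=?",
            (username, password),
        ).fetchone()
        return row is not None
    finally:
        conn.close()

# The payloads from the write-up, in plain ASCII quotes.
PAYLOADS = {"login-1": "test' or 'a'='a", "login-3": "test') or ('a'='a"}

if __name__ == "__main__":
    for brick, payload in PAYLOADS.items():
        print(brick, "concatenated:", login_concat(brick, payload, payload),
              "| parameterized:", login_param(payload, payload))
```

Server-side validation of the kind login-2 attempts in the browser is not a substitute for parameterised queries: the proxy step above shows that any client-side filter is bypassed trivially.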
