Fail Open Authentication Scheme

Improper Error Handling

Fail Open Auth Scheme

  • This lesson presents the basics for understanding the "fail open" condition regarding authentication

  • The security term, "fail open", describes a behavior of a verification mechanism

    • This is when an error (i.e. an unexpected exception) occurs inside a verification method and causes that method to evaluate to true, so the check passes precisely because it could not be completed

    • This is especially dangerous during login

Solution

  • Login as webgoat

  • Password could be anything or blank

  • Intercept the request with WebScarab

  • Delete the password row in the request
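The following is an added example, not code from the WebGoat lesson or its Java sources. It models in Python both the "fail open" condition described above and the Solution steps: a login handler that swallows any exception and falls through to success, beside a corrected handler that treats a missing parameter or an unexpected error as a failed login. The form-body format, the user store, the salt and the function names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed user store for the example: one account, password kept as a salted PBKDF2 hash.
_SALT = b"example-salt-not-for-production"  # fixed so the example is deterministic
_ITERATIONS = 50_000                          # kept low so the example runs quickly


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"webgoat": _hash_password("webgoat")}


def parse_form(body: str) -> dict:
    """Parse a simple application/x-www-form-urlencoded body into a dict.

    Sample bodies in this example contain no percent-encoding, so no decoding is done.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def login_fail_open(body: str) -> bool:
    """Vulnerable pattern: an exception during verification is swallowed and the
    function falls through to its 'success' return."""
    params = parse_form(body)
    username = params.get("username", "")
    if username not in USERS:
        return False
    try:
        # KeyError here when the password parameter was deleted from the request
        candidate = _hash_password(params["password"])
        if not hmac.compare_digest(USERS[username], candidate):
            return False
    except Exception:
        pass  # bug: the error is ignored and control reaches the success path below
    return True


def login_fail_closed(body: str) -> bool:
    """Corrected pattern: every path that is not a verified match denies access."""
    params = parse_form(body)
    username = params.get("username")
    password = params.get("password")
    if username is None or password is None:
        return False  # a malformed request is a failed login, not an error to ignore
    stored = USERS.get(username)
    if stored is None:
        _hash_password(password)  # same cost for unknown users as for wrong passwords
        return False
    try:
        return hmac.compare_digest(stored, _hash_password(password))
    except Exception:
        return False  # deny on any unexpected error; log it in a real application


if __name__ == "__main__":
    # Constructed requests: a normal login, a wrong password, and the request with the
    # password row deleted, as in the Solution steps.
    for body in ("username=webgoat&password=webgoat",
                 "username=webgoat&password=wrong",
                 "username=webgoat"):
        print(f"{body!r:40} fail-open={login_fail_open(body)} "
              f"fail-closed={login_fail_closed(body)}")
```

The third request is the one the lesson has you craft: with the password parameter absent, `login_fail_open` raises inside the `try`, the bare `except` discards the error, and the trailing `return True` is reached. The corrected version checks for the parameter before touching it and returns `False` from its `except`, so the only way to reach `True` is a successful `compare_digest`.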
