A9:2021 | Logging Security (4) | Cycubix Docs

Let’s try

  • Some servers provide Administrator credentials at the boot-up of the server.

  • The goal of this challenge is to find the secret in the application log of the WebGoat server to login as the Admin user.

  • Note that we tried to "protect" it. Can you decode it?


  • Click on submit and open the developer tools. You will be able to identify the post request under the session "log-bleeding".

  • Now, open the terminal of your docker container, where you started your WebGoat session and look for the password for admin.

  • To to Burp or Zap decoder and decode the key into base64.

  • Insert in the lesson the decoded key as a password and the user Admin (the response is case sensitive).

Last updated