wimlampaert / webgoat

Automatically exported from code.google.com/p/webgoat

Password for Neville Bartholomew is not "neville" #21

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Try to login with Neville's id, on, for example, Role Based Access Control
2. Use the password "neville"
3. Get the error "login failed"

All of the other users appear to be functioning correctly.

Original issue reported on code.google.com by soylentm...@gmail.com on 6 Jan 2009 at 8:45

GoogleCodeExporter commented 8 years ago

Original comment by soylentm...@gmail.com on 6 Jan 2009 at 8:46

GoogleCodeExporter commented 8 years ago
This is a feature of the "neville" account.  The neville account is used for SQL
Injection of the login request and therefore the password is different.

Original comment by mayhe...@gmail.com on 21 Jan 2009 at 2:07
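An added illustration, not WebGoat's own code, of the contrast the maintainer is describing: a login that splices the submitted credentials into the SQL text (the lesson's vulnerable form) beside one that binds them as parameters. The table, user names and neville's placeholder password are constructed here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the lesson's user table.

    Most accounts follow the 'password is the first name' convention the
    lesson text describes; neville's password is deliberately different,
    as the thread explains (value here is a placeholder, not WebGoat's).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (userid TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO employee VALUES (?, ?)",
        [("tom", "tom"), ("jerry", "jerry"), ("neville", "PLACEHOLDER-not-neville")],
    )
    return conn


def login_concatenated(conn: sqlite3.Connection, userid: str, password: str) -> bool:
    """Vulnerable form: user input becomes part of the SQL grammar."""
    sql = ("SELECT userid FROM employee WHERE userid = '" + userid
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, userid: str, password: str) -> bool:
    """Hardened form: the driver binds values, so input can only ever be data."""
    sql = "SELECT userid FROM employee WHERE userid = ? AND password = ?"
    return conn.execute(sql, (userid, password)).fetchone() is not None


def demo() -> dict:
    """Guessing 'neville' fails either way; the textbook tautology the lesson is
    built around succeeds only against the concatenated query."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "guess_concat": login_concatenated(conn, "neville", "neville"),
        "guess_param": login_parameterized(conn, "neville", "neville"),
        "inject_concat": login_concatenated(conn, "neville", tautology),
        "inject_param": login_parameterized(conn, "neville", tautology),
    }


if __name__ == "__main__":
    print(demo())
```

Real code would also compare a salted password hash rather than the plaintext column; the point here is only that parameter binding removes the injection the lesson depends on.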

GoogleCodeExporter commented 8 years ago
Okay, I guess then that the bug is that the descriptions of the passwords on the other tasks (the ones that say all the passwords are the first names) is wrong. I'll update the descriptions, then.

Original comment by soylentm...@gmail.com on 21 Jan 2009 at 4:09

GoogleCodeExporter commented 8 years ago
That's a hard call. On the one hand you want the person to try "neville" and fail and take the next step to try and inject the credentials. On the other hand, you want the descriptions to be correct. I would be in favor of not giving the user the "hint" regarding the password for "neville", but I don't feel that strong about it one way or the other.

Original comment by mayhe...@gmail.com on 21 Jan 2009 at 4:25