OWASP WEBGOAT: EXPLOIT UNCHECKED EMAIL

- Working with OWASP WebGoat v5.4:

- Going to Parameter Tampering -> Exploit Unchecked Email:


1) Cross Site Scripting
- Since the data in the "Questions or Comments" field is not sanitized, it is easy to inject a cross-site scripting (XSS) payload:

- The result is a pop-up window :

- The message has been sent to the user admin:


2) Changing the email recipient
- Sending similar content as in the previous step in the "Questions or Comments" field:

- Intercepting with Tamper Data:

- Starting Tamper:


- Changing the email field from webgoat.admin@gmail.com to friend@gmail.com:



- Clicking Ok:

- The tampering succeeds: the destination is now friend@owasp.org:
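The two flaws exercised above (unencoded comment text and a client-controlled recipient field) live in the server-side handler that builds the email. The following added Python sketch is not WebGoat's code (the project itself is Java); it shows a vulnerable handler next to a hardened one that fixes the recipient server-side, HTML-encodes the comment and logs a mismatching client recipient. The `SUPPORT_RECIPIENT` value and the form field names `to` / `msg` are assumptions.

```python
import html
import logging
from dataclasses import dataclass

# Assumption: the fixed support address the lesson's hidden "to" field carries.
SUPPORT_RECIPIENT = "webgoat.admin@gmail.com"

log = logging.getLogger("unchecked-email")


@dataclass
class Email:
    to: str
    body_html: str


def build_email_vulnerable(form: dict) -> Email:
    """Mirrors the lesson's flaw: the client-supplied 'to' field decides the
    recipient, and the comment is dropped into HTML without encoding."""
    return Email(to=form["to"], body_html=f"<p>{form['msg']}</p>")


def is_tampered(form: dict) -> bool:
    """True when the client sent a recipient other than the server-side one."""
    client_to = form.get("to")
    return client_to is not None and client_to != SUPPORT_RECIPIENT


def build_email_hardened(form: dict) -> Email:
    """Hardened handler: the recipient never comes from the request, the
    comment is HTML-encoded, and a tampered 'to' value is logged for detection."""
    if is_tampered(form):
        log.warning("recipient tampering attempt: client sent %r", form.get("to"))
    safe_msg = html.escape(form["msg"], quote=True)
    return Email(to=SUPPORT_RECIPIENT, body_html=f"<p>{safe_msg}</p>")


# Constructed sample: the tampered request from step 2 carrying the step 1 payload.
SAMPLE_FORM = {"to": "friend@gmail.com", "msg": "<script>alert('xss')</script>"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(build_email_vulnerable(SAMPLE_FORM))
    print(build_email_hardened(SAMPLE_FORM))
```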

