Friday, April 6, 2018

OWASP WebGoat: Exploit Unchecked Email


- Working with OWASP WebGoat  v5.4:

- Going to Parameter Tampering -> Exploit Unchecked Email:

1) Cross Site Scripting

- Since the data in the "Questions or Comments" field is not sanitizied it is easy to inject an  (XSS) attack:

- The result is a pop-up window :

- The message has been sent to the user admin:

2) Changing the email recipient

- Sending similar content as in the previous step in the "Questions or Comments" field:

- Intercepting with Tamper Data:

- Starting Tamper:

- Changing the email field from to

- Clicking Ok:

- The result is successful because now the destination is