Ensure that Burp and the OWASP BWA VM are running, and that the Firefox browser you use to view the OWASP BWA applications is configured to proxy through Burp.
- From the OWASP BWA Landing page, click the link to the OWASP Mutillidae II application.
- In Firefox, go to the login screen of OWASP Mutillidae II: from the top menu, click Login.
- At the login screen, log in with these credentials—username: john and password: monkey.
- Switch to Burp's Proxy | HTTP history tab. Find the POST request (the login form submission) and the GET request that immediately follows it, both made by logging in as john:
- Look at the GET request in the listing and notice the cookie name/value pairs shown on its Cookie: line. These are the values the browser now sends with every request, so they are the application's only evidence of who you are.
The name/value pairs of most interest are username=john and uid=3. Both are stored client-side, where we control them. What happens if we change them to the values of a different user with a different role?
- Let's attempt to change the username and uid values stored in the cookie to those of an administrator. We will use Burp's Proxy | Intercept to hold the request so we can edit it before it reaches the server.
- Switch to the Proxy | Intercept tab and click the Intercept button so that it reads Intercept is on. Return to the Firefox browser and reload the page; because the cookie is attached to every request, any page load will do.
- The request is now paused in the Proxy | Intercept tab. While it is paused, edit the Cookie: line: change the value assigned to username from john to admin, and change the value assigned to uid from 3 to 1. Leave the other cookies (such as the session cookie) exactly as they are:
- Click the Forward button, then click the Intercept button again to toggle it off (it should read Intercept is off).
- Return to the Firefox browser and notice that the application now reports us as logged in as admin. We escalated from a regular user to an administrator without knowing the admin password, because the application derives the current user's identity and role from cookie values the client controls rather than from a server-side session record. Nothing on the server checks that the browser presenting uid=1 ever authenticated as that user.
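The following script reproduces the whole procedure offline: it parses and rewrites a captured Cookie: line exactly as the Intercept step does by hand, then runs the forged header against a vulnerable request handler that trusts the uid cookie and against a hardened one that resolves identity from a server-side session. This is an added example, not code from Mutillidae or Burp; the Cookie header is a constructed sample, and USERS, CREDENTIALS, SessionStore and both handlers are hypothetical stand-ins for the application's logic.

```python
"""Offline reconstruction of the cookie-tampering step from the Mutillidae
walkthrough. Added example, not Mutillidae's or Burp's own code: the Cookie
header is a constructed sample and both request handlers are hypothetical
stand-ins for the application's server-side logic."""
import secrets

# Constructed sample of the Cookie: line seen in Burp after logging in as john.
CAPTURED_COOKIE = (
    "showhints=1; username=john; uid=3; "
    "PHPSESSID=8c1f2d1b2a3e4f5a6b7c8d9e0f1a2b3c"
)

# Hypothetical user table; the uid/username pairs follow the walkthrough.
USERS = {
    1: {"username": "admin", "role": "admin"},
    3: {"username": "john", "role": "user"},
}
CREDENTIALS = {"john": "monkey"}  # from the walkthrough; only john is needed here

ANONYMOUS = {"username": "anonymous", "role": "anonymous"}


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie: header value into an ordered name -> value dict."""
    pairs = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs[name.strip()] = value.strip()
    return pairs


def serialize_cookie_header(pairs: dict) -> str:
    return "; ".join(f"{name}={value}" for name, value in pairs.items())


def tamper_cookie_header(header: str, overrides: dict) -> str:
    """What the Proxy | Intercept step does by hand: rewrite selected
    name/value pairs and leave the rest of the header untouched."""
    pairs = parse_cookie_header(header)
    for name, value in overrides.items():
        if name not in pairs:
            raise KeyError(f"cookie {name!r} is not in the captured header")
        pairs[name] = value
    return serialize_cookie_header(pairs)


def vulnerable_current_user(cookie_header: str) -> dict:
    """Mirrors the flaw the walkthrough exploits: identity is read straight
    from client-controlled cookies, so whoever edits uid picks their role."""
    cookies = parse_cookie_header(cookie_header)
    try:
        uid = int(cookies.get("uid", ""))
    except ValueError:
        return dict(ANONYMOUS)
    user = USERS.get(uid)
    if user is None:
        return dict(ANONYMOUS)
    return {"username": cookies.get("username", user["username"]),
            "role": user["role"]}


class SessionStore:
    """Server-side sessions keyed by an unguessable PHPSESSID-style token."""

    def __init__(self):
        self._sessions = {}

    def login(self, username, password):
        """Return a session token on valid credentials, else None."""
        if CREDENTIALS.get(username) != password:
            return None
        uid = next(u for u, rec in USERS.items() if rec["username"] == username)
        token = secrets.token_hex(16)
        self._sessions[token] = uid
        return token

    def uid_for(self, token):
        return self._sessions.get(token)


def hardened_current_user(cookie_header: str, store: SessionStore) -> dict:
    """Fix: identity and role come from the server-side session record;
    username and uid cookies are ignored even when the client sends them."""
    cookies = parse_cookie_header(cookie_header)
    uid = store.uid_for(cookies.get("PHPSESSID", ""))
    if uid is None:
        return dict(ANONYMOUS)
    return dict(USERS[uid])


def demo() -> dict:
    """Replay the walkthrough against both handlers and report the role
    each one assigns to the forged request."""
    forged = tamper_cookie_header(CAPTURED_COOKIE, {"username": "admin", "uid": "1"})

    store = SessionStore()
    token = store.login("john", "monkey")
    # Against the hardened app the attacker can still add or edit
    # username/uid cookies, but only the opaque token is consulted.
    forged_hardened = f"username=admin; uid=1; PHPSESSID={token}"

    return {
        "forged_header": forged,
        "vulnerable_before": vulnerable_current_user(CAPTURED_COOKIE)["role"],
        "vulnerable_after": vulnerable_current_user(forged)["role"],
        "hardened_after": hardened_current_user(forged_hardened, store)["role"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler accepts the forged header and reports the role as admin; the hardened handler still reports user, because the role is looked up from the session the server created at login and the attacker cannot mint a session for uid 1 without admin's password. The same design point applies to any real fix: keep identity in server-side state (or in a cookie the server signs and verifies) and never read role-bearing fields from the request.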