
User Agents

<!DOCTYPE html> <html> <head> <title>User Agents</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="shortcut icon" type="image/png" href="/public/img/favicon.ico"> <link href="/public/css/authlab.css" rel="stylesheet" type="text/css" /> <meta property="og:title" content="Authentication Lab - DigiNinja" /> <meta property="og:description" content="A set of authentication challenges covering a range of different technologies." /> <meta property="og:image" content="https://digi.ninja/graphics/twittercards/authlab_twittercard.png" /> <meta property="og:type" content="website" /> <meta property="og:sitename" content="DigiNinja" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:title" content="Authentication Lab - DigiNinja" /> <meta name="twitter:description" content="A set of authentication challenges covering a range of different technologies." /> <meta name="twitter:site" content="@digininja" /> <meta name="twitter:creator" content="@digininja" /> <meta name="twitter:domain" content="authlab.digi.ninja" /> <meta name="twitter:site" content="@digininja" /> <meta name="twitter:image" content="https://digi.ninja/graphics/twittercards/authlab_twittercard.png" /> </head> <body> <h1>User Agents</h1> <p> This challenge is similar to the <a href="/ClientSide">Client Side</a> challenge, where the server assumes that the client can be trusted and bases its authentication decisions on what the client tells it. </p> <p> The developers have created a desktop app and a web app to access the company database. The desktop app makes use of the same API as the web app but, rather than using sessions, uses the user agent string to identify itself as a valid application and gain access to the data. Download the following ping script used by the application, analyse it, then access this page and view the secret information below.
</p> <p> <a href="/public/scripts/useragentping.sh.gz">Download the User Agent Ping script</a>. </p> <p> If you get stuck, or want more information, see my <a href="https://digi.ninja/projects/authlab.php#landua">walkthrough</a>. </p> <h2>Not So Secret Agent</h2> <p>User not connecting from the desktop app so must log in here.</p> <form method="post" action="/UserAgent"> <label for="username">Username</label> <input type="text" id="username" name="username" value="" autofocus /><br /> <label for="password">Password</label> <input type="password" id="password" name="password" value="" /><br /> <input type="submit" value="Login" /> </form> <!-- For debug, the user agent supplied is: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022; .NET CLR 1.0.3705; .NET CLR 1.1.4322) --> <p> <a href="/">Back to home</a> </p> <hr /> <p> Lab created by Robin Wood - <a href="https://digi.ninja">DigiNinja</a> </p> </body> </html>
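
The flaw this challenge describes, next to the session-style check it skips, as an added example that is not the lab's own code. `DESKTOP_UA`, `SERVER_KEY`, the token format and every function name are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for illustration; none come from the lab or its script.
DESKTOP_UA = "ExampleDesktopClient/1.0"
SERVER_KEY = b"constructed-demo-key"  # known only to the server


def weak_is_trusted(headers):
    """Flawed: grants access on a header the client fully controls."""
    return headers.get("User-Agent") == DESKTOP_UA


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(username, now, ttl=900):
    """Called only after the server has verified the user's credentials."""
    if "|" in username:
        raise ValueError("username must not contain '|'")
    payload = f"{username}|{int(now) + ttl}"
    return f"{payload}|{_mac(payload)}"


def hardened_is_trusted(headers, now):
    """Ignores User-Agent; requires an unexpired token the server signed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    parts = token.split("|")
    if scheme != "Bearer" or len(parts) != 3:
        return False
    username, expiry, mac = parts
    expected = _mac(f"{username}|{expiry}")
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    return expiry.isdigit() and int(expiry) > now


def demo(now=1_700_000_000):
    """Compare both checks on a header-only request and a logged-in one."""
    header_only = {"User-Agent": DESKTOP_UA}
    logged_in = {"User-Agent": "any-client",
                 "Authorization": "Bearer " + issue_token("alice", now)}
    return {
        "weak/header_only": weak_is_trusted(header_only),
        "hardened/header_only": hardened_is_trusted(header_only, now),
        "hardened/logged_in": hardened_is_trusted(logged_in, now),
        "hardened/expired": hardened_is_trusted(logged_in, now + 901),
    }
```

The weak check accepts any request carrying the expected header value, while the hardened check depends only on a token the server issued after login, so the User-Agent can be logged for telemetry but never decides access.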
