WebGoat Missing Function Level Access Control 2

The lesson is about finding functionalities that are somehow unavailable, commented out or hidden by means of HTML/CSS/JS; this calls for <insert fav browser>'s dev inspection tool.

The first hidden thing is the submenu for “Messages”; here I have removed “display: none” from the style attribute and added some margin to both the <h3> tag and the <div> to have a better look at it.

Right after the “Messages” menu there is an “Admin” menu with submenu entries “Users” and “Config”. These are normally hidden by a CSS class “hidden-menu-item”, and its submenus are hidden by an inline style=”display:none;” as well. There is also an “aria-hidden” attribute, but it is not relevant to whether the elements are displayed (it only affects assistive technology).

After some CSS editing it is possible to see the “Admin” menu and its submenus; just as before, the menu is easier to read by adding some CSS margin.
Of all the links now displayed, the juiciest ones seem to be “Users” and “Config” from the “Admin” menu. Input these in the two text fields below and the lesson is completed.
WebGoat Missing Function Level Access Control 3

Right, this lesson is about understanding how WebGoat handles user data in order to recover a hash value linked to our user account.
From the previous lesson we know that there are two endpoints that are supposed to be hidden from a non-admin user:
- /users
- /config
Let’s see what happens by going to them directly from the browser.

The /users endpoint does not seem to work: it returns a status code 500 and the exception says that there is a Thymeleaf template file missing. By searching online it seems that WebGoat had a list_users.html template that showed the number of registered users; this template file is not in WebGoat 8.1.0 anymore. Never mind.

The /config endpoint returns status code 404.
At this point I started looking at some hints.

The hints are really helpful; this one says that for the ‘easy’ solution the user should try changing the “Content-Type” header in the GET request.

The original request does not have any “Content-Type” set, so let’s try to force some of them by using Burp Repeater.

After some trial and error (xml, text, html), WebGoat responds meaningfully once “Content-Type: application/json” is set, and the ‘easy’ solution for the lesson is found.
Now for the ‘hard’ solution: after a lot of searching and reading about this lesson, I understand that, without the “list_users.html” template, the lesson cannot be solved in the hard way. That endpoint/template should list the users and their respective hashes only to admin users when accessed via web, and because of this it is important to create an admin user that can access that endpoint with its full functionality. As of WebGoat version 8.1.0 I understand that, even though it is possible to create an admin user by crafting a POST request to the /users endpoint, the admin cannot list the users and their hashes by going to the /users endpoint, so the hard way is somewhat limited at the moment.
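The flaw behind both the ‘easy’ and the ‘hard’ path above is that the role check lives in the HTML rendering branch only, so a different Content-Type reaches the data without it. The following is an added example written for this post, not WebGoat’s own code: a minimal model of a /users handler in its vulnerable form beside the hardened one. The user store, the role names and the handler signatures are assumptions.

```python
# Added example (not WebGoat's code): models the missing function level
# access control this lesson is about. Users, roles and hashes are constructed.
import hashlib
import json

# Constructed sample user store; the "hash" is just SHA-256 of the name.
USERS = {
    "guest": {"role": "user",  "hash": hashlib.sha256(b"guest").hexdigest()},
    "alice": {"role": "admin", "hash": hashlib.sha256(b"alice").hexdigest()},
}


def _render_json():
    # The sensitive representation: every user with its hash.
    return json.dumps({u: d["hash"] for u, d in USERS.items()})


def _render_html():
    # The admin-only page; the template WebGoat 8.1.0 no longer ships.
    return "<ul>" + "".join(f"<li>{u}</li>" for u in USERS) + "</ul>"


def vulnerable_users_endpoint(requester, content_type):
    """Returns (status, body). The role check is applied only on the HTML
    branch, so a request with Content-Type: application/json skips it."""
    if content_type == "application/json":
        return 200, _render_json()          # bug: no authorization here
    if USERS.get(requester, {}).get("role") != "admin":
        return 403, "forbidden"
    return 200, _render_html()


def hardened_users_endpoint(requester, content_type):
    """Returns (status, body). Authorization is decided first, independently
    of which representation the client asked for."""
    if USERS.get(requester, {}).get("role") != "admin":
        return 403, "forbidden"
    if content_type == "application/json":
        return 200, _render_json()
    return 200, _render_html()
```

Hiding the “Admin” menu with CSS is presentation only; the hardened handler is what actually keeps a non-admin from reaching the list, whatever header the client sends.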
By the way, if you want to create an admin user, just follow the hints to the end and you will be given the way to get yourself an admin user; maybe it will be useful in a later lesson.
I think I will try to add the template from an old WebGoat version and see what it shows, but, for the time being, this lesson is completed.
Here you can find an old version of list_users.html.
This concludes WebGoat Missing Function Level Access Control 2 and 3.
I hope you liked it.
PVXs — https://twitter.com/pivixih