feat: improve MFAC lesson hint texts for a better user experience (#1424)
This commit is contained in:
parent
b89ebd70ad
commit
055578893d
@ -39,7 +39,8 @@ import org.springframework.web.bind.annotation.RestController;
"access-control.hash.hint9",
"access-control.hash.hint10",
"access-control.hash.hint11",
"access-control.hash.hint12"
"access-control.hash.hint12",
"access-control.hash.hint13"
})
public class MissingFunctionACYourHashAdmin extends AssignmentEndpoint {
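Review bot: the annotation now references `access-control.hash.hint13`, but only one message bundle is touched in this commit; confirm that every properties file defining the `access-control.hash.hint*` keys also gains hint13, otherwise the new key has nothing to resolve to in those bundles. The hint list is a plain array of string keys in an annotation, so a key missing from a bundle is not caught at compile time; a grep for `hint13` across the resource bundles before merging is worthwhile.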
@ -16,10 +16,12 @@ access-control.hash.hint2=If you haven't found the hidden menus from the earlier
access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role.
access-control.hash.hint4=Have you tried tampering the GET request? Different content-types?
access-control.hash.hint5=Modify the GET request to `/access-control/users` to include 'Content-Type: application/json'
access-control.hash.hint6=Now for the harder way ... it builds on the easier way
access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
access-control.hash.hint10=You will want to add your own username with an admin role. Yes, you'd have to guess/fuzz this in a real-world setting.
access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","admin": "true"}
access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.
access-control.hash.hint9=Assuming the administrators have fixed the user management as a RESTful endpoint, what alternative approaches, apart from the type of request discussed in the previous lesson, could you explore?
access-control.hash.hint10=To determine the correct payload for the request, it's essential to examine how the registration process operates. Ensure that the payload is properly formatted according to the content type you defined earlier. Additionally, consider what information the response reveals when you submit an empty payload using the previously identified content type.
access-control.hash.hint11=You will want to add your own username with an admin role. Yes, you'd have to guess/fuzz this in a real-world setting.
access-control.hash.hint12=Alright, let's proceed. To grant admin privileges to our current WebGoat user, change the method to POST and set the content-type to 'application/json'. Your payload should resemble something like this: {"username":"your-webgoat-user", "password":"", "admin": "true"}. Ensure that you are adding admin privileges to our current WebGoat user.
access-control.hash.hint13=Once you've escalated yourself to an admin, retry the GET request to '/access-control/users-admin-fix'.
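Review bot: hint12 tells the learner to POST `{"username":"your-webgoat-user", "password":"", "admin": "true"}` for their own account; if the endpoint this targets writes the `password` field when updating an existing user, the hint as written resets the learner's WebGoat password to an empty string and locks them out of the very account hint13 then asks them to keep using. Either confirm the password field is ignored on update or change the hint to send the current password. Two smaller points in the same hunk: hint13 sends the learner to `/access-control/users-admin-fix`, a path no earlier hint mentions (hint5 uses `/access-control/users`), so a clause explaining this is the "fixed" endpoint would help; and the final sentence of hint12 ("Ensure that you are adding admin privileges to our current WebGoat user.") repeats its first sentence and can be dropped. Also, `"admin": "true"` is a JSON string rather than the boolean `true`, which only works if the endpoint coerces it; the payload should match whatever the registration request from hint10 actually sends.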