From 055578893de35a9c5cad195d931286df30f802a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?=
Date: Sun, 27 Aug 2023 01:43:47 +0200
Subject: [PATCH] feat: improve MFAC lesson hint texts for a better user experience (#1424)
---
 .../missingac/MissingFunctionACYourHashAdmin.java | 3 ++-
 .../lessons/missingac/i18n/WebGoatLabels.properties | 10 ++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
index 52f9dbcb4..8db5c5b7c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
@@ -39,7 +39,8 @@ import org.springframework.web.bind.annotation.RestController;
 "access-control.hash.hint9",
 "access-control.hash.hint10",
 "access-control.hash.hint11",
- "access-control.hash.hint12"
+ "access-control.hash.hint12",
+ "access-control.hash.hint13"
 })
 public class MissingFunctionACYourHashAdmin extends AssignmentEndpoint {
diff --git a/src/main/resources/lessons/missingac/i18n/WebGoatLabels.properties b/src/main/resources/lessons/missingac/i18n/WebGoatLabels.properties
index f727c90ce..05fcb449d 100644
--- a/src/main/resources/lessons/missingac/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/missingac/i18n/WebGoatLabels.properties
@@ -16,10 +16,12 @@ access-control.hash.hint2=If you haven't found the hidden menus from the earlier
 access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role.
 access-control.hash.hint4=Have you tried tampering the GET request? Different content-types?
 access-control.hash.hint5=Modify the GET request to `/access-control/users` to include 'Content-Type: application/json'
+
 access-control.hash.hint6=Now for the harder way ... it builds on the easier way
 access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
 access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
-access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
-access-control.hash.hint10=You will want to add your own username with an admin role. Yes, you'd have to guess/fuzz this in a real-world setting.
-access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","admin": "true"}
-access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.
+access-control.hash.hint9=Assuming the administrators have fixed the user management as a RESTful endpoint, what alternative approaches, apart from the type of request discussed in the previous lesson, could you explore?
+access-control.hash.hint10=To determine the correct payload for the request, it's essential to examine how the registration process operates. Ensure that the payload is properly formatted according to the content type you defined earlier. Additionally, consider what information the response reveals when you submit an empty payload using the previously identified content type.
+access-control.hash.hint11=You will want to add your own username with an admin role. Yes, you'd have to guess/fuzz this in a real-world setting.
+access-control.hash.hint12=Alright, let's proceed. To grant admin privileges to our current WebGoat user, change the method to POST and set the content-type to 'application/json'. Your payload should resemble something like this: {"username":"your-webgoat-user", "password":"", "admin": "true"}. Ensure that you are adding admin privileges to our current WebGoat user.
+access-control.hash.hint13=Once you've escalated yourself to an admin, retry the GET request to '/access-control/users-admin-fix'.