diff --git a/webgoat-container/src/main/resources/templates/list_users.html b/webgoat-container/src/main/resources/templates/list_users.html
index 5e2b3045b..050c85dc7 100644
--- a/webgoat-container/src/main/resources/templates/list_users.html
+++ b/webgoat-container/src/main/resources/templates/list_users.html
@@ -123,8 +123,9 @@
- Users in WebGoat - su + + Users in WebGoat +

WebGoat Users

diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java
index 97770e635..d830ac7a1 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java
@@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @AssignmentPath("/access-control/user-hash")
 @AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3",
 "access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7",
- "access-control.hash.hint8","access-control.hash.hint9"})
+ "access-control.hash.hint8","access-control.hash.hint9","access-control.hash.hint10","access-control.hash.hint11","access-control.hash.hint12"})
 public class MissingFunctionACYourHash extends AssignmentEndpoint {
 
 @Autowired
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java
index 26e48709d..9b01ac3d5 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java
@@ -51,7 +51,7 @@ public class Users extends Endpoint{
 userMap.put("cc", results.getString(3));
 userMap.put("ccType", results.getString(4));
 userMap.put("cookie", results.getString(5));
- userMap.put("loginCOunt",Integer.toString(results.getInt(6)));
+ userMap.put("loginCount",Integer.toString(results.getInt(6)));
 allUsersMap.put(id,userMap);
 }
 userSessionData.setValue("allUsers",allUsersMap);
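Review bot: The rename of the map key to `loginCount` is a silent contract change for every reader of the `allUsers` session value, and the commit updates no consumer — the only template touched (list_users.html) changes just its heading. A view or serializer still looking up `loginCOunt` would get null at runtime instead of a compile error, so grep the lesson's templates and JavaScript for the old spelling before merging. The enclosing method starts and ends outside the hunk, so I cannot confirm which query column index 6 is; reading it by label (`results.getInt("<login-count column label>")`, with the name taken from the SELECT) would make the pairing self-documenting and survive column reordering.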
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
index 876cff6de..4533fe073 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
@@ -11,12 +11,15 @@ access-control.hidden-menus.hint3=Look for something a super-user or administato
 access-control.hash.success=Congrats! You really succeeded when you added the user.
 access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
-access-control.hash.hint1=If you haven't found the hidden menus from the earlier exercise, go do that now.
-access-control.hash.hint2=When you look at the users page, there is a hint that more info is viewable by a given role of user.
-access-control.hash.hint3=Have you tried tampering the GET request? Can you find supported or unsupported methods? Can you trigger 500 errors?
-access-control.hash.hint4=There are actually two ways to solve this one. The first involves just changing a request header.
-access-control.hash.hint5=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
-access-control.hash.hint6=If you're still looking for hints ... try changing the Content-type header in the GET request.
-access-control.hash.hint7=The harder way involves changing the Content-type AND the method ... As well as a proper payload for the request. Look at how registration works first and extrapolate out from there.
-access-control.hash.hint8=See if you can add a user with a webgoat admin role, and if more is visible once you log in as that user.
-access-control.hash.hint9=If you create a new user with the admin role ... The role should include 'WEBGOAT' and 'ADMIN' in the role name. You'll have to do some guessing beyond that.
\ No newline at end of file
+access-control.hash.hint1=There is an easier way and a 'harder' way to achieve this, the easier way involves one simple change in a GET request.
+access-control.hash.hint2= If you haven't found the hidden menus from the earlier exercise, go do that first.
+access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role.
+access-control.hash.hint4=For the easy way, have you tried tampering the GET request? Different content-types?
+access-control.hash.hint5=For the 'easy' way, modify the GET request to /users to include 'Content-Type: application/json'
+access-control.hash.hint6=Now for the harder way ... it builds on the easier way
+access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
+access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
+access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
+access-control.hash.hint10=You will want to add WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting.
+access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"}
+access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.