Fix layout assignment 2

Nanne Baars 2021-11-02 14:01:17 +01:00 committed by Nanne Baars
parent bcaf4485c2
commit 2bd6b36210
5 changed files with 70 additions and 97 deletions


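--- a/MissingFunctionACHiddenMenus.java
+++ b/MissingFunctionACHiddenMenus.java
@@ -45,7 +45,6 @@ public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
 @PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"})
 @ResponseBody
 public AttackResult completed(String hiddenMenu1, String hiddenMenu2) {
-//overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
 if (hiddenMenu1.equals("Users") && hiddenMenu2.equals("Config")) {
 return success(this)
 .output("")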


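--- a/lesson_css/ac.css
+++ /dev/null
@@ -1,30 +0,0 @@
-.hidden-menu-item {
-display:none;
-visibility:hidden;
-}
-#ac-menu li {
-list-style-type: none;
-background-color: #aaa;
-width: auto;
-max-width: 20%;
-}
-#ac-menu li:hover {
-color: white;
-background-color: #333;
-}
-#ac-menu div {
-margin-bottom: -60px;
-margin-top: -10px;
-}
-#ac-menu h3 {
-color:white;
-background-color:#666;
-}
-#ac-menu-wrapper {
-border-bottom: 2px solid #444;
-}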


@ -1,82 +1,92 @@
<html xmlns:th="http://www.thymeleaf.org"> <html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:missing-function-ac-01-intro.adoc"></div> <div class="adoc-content" th:replace="doc:missing-function-ac-01-intro.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:missing-function-ac-02-client-controls.adoc"></div> <div class="adoc-content" th:replace="doc:missing-function-ac-02-client-controls.adoc"></div>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
<script th:src="@{/lesson_js/missing-function-ac.js}" > </script>
<div class="attack-container"> <div class="attack-container">
<div id="ac-menu-wrapper"> <nav class="navbar navbar-default">
<div id="ac-menu"> <div class="container-fluid">
<h3 class="menu-header">Account</h3>
<div class="menu-section"> <div class="navbar-header">
<ul> <a class="navbar-brand" href="#">WebGoat</a>
<li>My Profile</li> </div>
<li>Privacy/Security</li>
<li>Log Out</li> <div class="collapse navbar-collapse" id="alignment-example">
</ul>
</div> <!-- Links -->
<h3 class="menu-header">Messages</h3> <ul class="nav navbar-nav">
<div class="menu-section"> <li class="dropdown">
<ul> <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Account<span class="caret"></span></a>
<li>Unread Messages (3)</li> <ul class="dropdown-menu" aria-labelledby="about-us">
<li>Compose Message</li> <li><a href="#">My Profile</a></li>
<li><a href="#">Privacy/Security</a></li>
<li><a href="#">Log Out</a></li>
</ul> </ul>
</div> </li>
<h3 class="hidden-menu-item menu-header">Admin</h3> <li class="dropdown">
<div class="menu-section hidden-menu-item"> <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Messages<span class="caret"></span></a>
<ul> <ul class="dropdown-menu" aria-labelledby="messages">
<li><a href="#">Unread Messages (3)</a></li>
<li><a href="#">Compose Message</a></li>
</ul>
</li>
<li class="hidden-menu-item dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Admin<span class="caret"></span></a>
<ul class="dropdown-menu" aria-labelledby="admin">
<li><a href="/users">Users</a></li> <li><a href="/users">Users</a></li>
<li><a href="/config">Config</a></li> <li><a href="/config">Config</a></li>
</ul> </ul>
</div> </li>
</ul>
</div> </div>
</div> </div>
</nav>
<br/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/access-control/hidden-menu">
<p>Hidden item 1 <input name="hiddenMenu1" value="" type="TEXT"/></p>
<p>Hidden item 2 <input name="hiddenMenu2" value="" type="TEXT"/></p>
<br/> <br/>
<input name="submit" value="Submit" type="SUBMIT"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> </form>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/access-control/hidden-menu">
<p>Hidden Item 1 <input name="hiddenMenu1" value="" type="TEXT" /></p>
<p>Hidden Item 2 <input name="hiddenMenu2" value="" type="TEXT" /></p>
<br/>
<input name="submit" value="Submit" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div> </div>
<div class="lesson-page-wrapper"> </div>
<div class="adoc-content" th:replace="doc:missing-function-ac-03-users.adoc"></div> <div class="lesson-page-wrapper">
<div class="attack-container"> <div class="adoc-content" th:replace="doc:missing-function-ac-03-users.adoc"></div>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/access-control/user-hash">
<p>Your Hash: <input name="userHash" value="" type="TEXT" /></p> <div class="attack-container">
<br/> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<input name="submit" value="Submit" type="SUBMIT"/> <form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/access-control/user-hash">
</form> <p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
<br/>
<input name="submit" value="Submit" type="SUBMIT"/>
<div class="attack-feedback"></div> </form>
<div class="attack-output"></div>
</div>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div> </div>
</div>
</html> </html>
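Review bot: The Admin dropdown on the new side is hidden solely by the `hidden-menu-item` class on its `<li>`, but this commit appears to remove the `<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>` from this page while also deleting the CSS file that declared `.hidden-menu-item { display:none; visibility:hidden; }`. Unless that rule is also defined in a shared stylesheet, the Admin menu will render visibly and the "find the invisible menu items" assignment no longer has anything to find; please confirm where the class is styled now or restore the rule in a stylesheet this page still loads. Each new `aria-labelledby` (`about-us`, `messages`, `admin`) also references an id that no element in this hunk declares, so assistive technology gets a dangling label; either put those ids on the corresponding toggle anchors or drop the attributes.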


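--- a/lesson_js/missing-function-ac.js
+++ /dev/null
@@ -1,6 +0,0 @@
-webgoat.customjs.accessControlMenu = function() {
-//webgoat.customjs.jquery('#ac-menu-ul').menu();
-webgoat.customjs.jquery('#ac-menu').accordion();
-}
-webgoat.customjs.accessControlMenu();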


@ -1,9 +1,9 @@
== Relying on Obscurity == Relying on obscurity
One could rely on HTML, CSS, or javascript to hide links that users don't normally access. One could rely on HTML, CSS, or javascript to hide links that users don't normally access.
In the past, a network router tried to protect (hide) admin functionality with javascript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable. In the past, a network router tried to protect (hide) admin functionality with javascript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable.
=== Finding Hidden Items === Finding hidden items
There are usually hints to finding functionality the UI does not openly expose in: There are usually hints to finding functionality the UI does not openly expose in:
@ -11,6 +11,6 @@ There are usually hints to finding functionality the UI does not openly expose i
* Commented out elements * Commented out elements
* Items hidden via CSS controls/classes * Items hidden via CSS controls/classes
=== Your Mission === Your mission
Find two invisible menu items in the menu below that are or would be of interest to an attacker/malicious user and submit the labels for those menu items (there are no links right now in the menus). Find two invisible menu items in the menu below that are or would be of interest to an attacker/malicious user and submit the labels for those menu items (there are no links right now in the menus).