dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Renamed to missingac

Browse Source
This commit is contained in:
Àngel Ollé Blázquez
2022-07-30 19:56:43 +02:00
parent e0a0a80ad9
commit 4f911c64a1
21 changed files with 36 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/main/resources/lessons/missingac/css/ac.css Normal file
View File

@ -0,0 +1,4 @@
.hidden-menu-item {
display:none;
visibility:hidden;
}

9
src/main/resources/lessons/missingac/db/migration/V2021_11_03_1__ac.sql Normal file
View File

@ -0,0 +1,9 @@
CREATE TABLE access_control_users(
username varchar(40),
password varchar(40),
admin boolean
);
INSERT INTO access_control_users VALUES ('Tom', 'qwertyqwerty1234', false);
INSERT INTO access_control_users VALUES ('Jerry', 'doesnotreallymatter', true);
INSERT INTO access_control_users VALUES ('Sylvester', 'testtesttest', false);

9
src/main/resources/lessons/missingac/documentation/missing-function-ac-01-intro.adoc Normal file
View File

@ -0,0 +1,9 @@
== Missing Function Level Access Control
Access control, like preventing XSS with output encoding, can be tricky to maintain. One must ensure it is adequately enforced throughout the entire application, thus in every method/function.
=== IDOR vs Missing Function Level Access Control
The fact is many people (including the author of this lesson) would combine function level access control and IDOR into 'Access Control.' For the sake of OWASP Top 10 and these lessons, we will make a
distinction. The distinction most made is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality.' Even though
the IDOR lesson here demonstrates how functionality may also be exposed (at least to another user in the same role), we will look at other ways functionality might be exposed.

16
src/main/resources/lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc Normal file
View File

@ -0,0 +1,16 @@
== Relying on obscurity
One could rely on HTML, CSS, or javascript to hide links that users don't normally access.
In the past, a network router tried to protect (hide) admin functionality with javascript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable.
=== Finding hidden items
There are usually hints to finding functionality the UI does not openly expose in:
* HTML or javascript comments
* Commented out elements
* Items hidden via CSS controls/classes
=== Your mission
Find two invisible menu items in the menu below that are or would be of interest to an attacker/malicious user and submit the labels for those menu items (there are no links right now in the menus).

15
src/main/resources/lessons/missingac/documentation/missing-function-ac-03-users.adoc Normal file
View File

@ -0,0 +1,15 @@
== Try it
As the previous page described, sometimes applications rely on client-side controls to control access (obscurity). If you can find invisible items, try them and see what happens. Yes, it can be that simple!
=== Gathering User Info
Often data dumps originate from vulnerabilities such as SQL injection, but they can also come from poor or lacking access control.
It will likely take multiple steps and multiple attempts to get this one:
- Pay attention to the comments and leaked info.
- You'll need to do some guessing too.
- You may need to use another browser/account along the way.
Start with the information you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'hash' for Jerry's account.

5
src/main/resources/lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc Normal file
View File

@ -0,0 +1,5 @@
== The company fixed the problem, right?
The company found out the endpoint was a bit too open, they made an emergency fixed and not only admin users can list all users.
Start with the information you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'hash' for Jerry's account.

115
src/main/resources/lessons/missingac/html/MissingFunctionAC.html Normal file
View File

@ -0,0 +1,115 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-01-intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
<div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc"></div>
<div class="attack-container">
<nav class="navbar navbar-default">
<div class="container-fluid">
<div class="navbar-header">
<a class="navbar-brand" href="#">WebGoat</a>
</div>
<div class="collapse navbar-collapse" id="alignment-example">
<ul class="nav navbar-nav">
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Account<span class="caret"></span></a>
<ul class="dropdown-menu" aria-labelledby="about-us">
<li><a href="#">My Profile</a></li>
<li><a href="#">Privacy/Security</a></li>
<li><a href="#">Log Out</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Messages<span class="caret"></span></a>
<ul class="dropdown-menu" aria-labelledby="messages">
<li><a href="#">Unread Messages (3)</a></li>
<li><a href="#">Compose Message</a></li>
</ul>
</li>
<li class="hidden-menu-item dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Admin<span class="caret"></span></a>
<ul class="dropdown-menu" aria-labelledby="admin">
<li><a href="/access-control/users">Users</a></li>
<li><a href="/access-control/users-admin-fix">Users</a></li>
<li><a href="/access-control/config">Config</a></li>
</ul>
</li>
</ul>
</div>
</div>
</nav>
<br/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/access-control/hidden-menu">
<p>Hidden item 1 <input name="hiddenMenu1" value="" type="TEXT"/></p>
<p>Hidden item 2 <input name="hiddenMenu2" value="" type="TEXT"/></p>
<br/>
<input name="submit" value="Submit" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-03-users.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/access-control/user-hash">
<p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
<br/>
<input name="submit" value="Submit" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/access-control/user-hash-fix">
<p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
<br/>
<input name="submit" value="Submit" type="SUBMIT"/>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

25
src/main/resources/lessons/missingac/i18n/WebGoatLabels.properties Normal file
View File

@ -0,0 +1,25 @@
missing-function-access-control.title=Missing Function Level Access Control
access-control.hidden-menus.success=Correct! And not hard to find are they?!? One of these urls will be helpful in the next lab.
access-control.hidden-menus.close=Close. Remember that when hacking ... details such as order,case and the like matter.
access-control.hidden-menus.failure=Please try again.
access-control.hidden-menus.hint1=You can inspect the DOM or review the source in the proxy request/response cycle.
access-control.hidden-menus.hint2=Look for indications of something that would not be available to a typical user
access-control.hidden-menus.hint3=Look for something a super-user or administator might have available to them
access-control.hash.success=Congrats! You really succeeded when you added the user.
access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
access-control.hash.hint1=This assignment involves one simple change in a GET request.
access-control.hash.hint2=If you haven't found the hidden menus from the earlier exercise, go do that first.
access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role.
access-control.hash.hint4=Have you tried tampering the GET request? Different content-types?
access-control.hash.hint5=Modify the GET request to `/access-control/users` to include 'Content-Type: application/json'
access-control.hash.hint6=Now for the harder way ... it builds on the easier way
access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
access-control.hash.hint10=You will want to add your own username with an admin role. Yes, you'd have to guess/fuzz this in a real-world setting.
access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","admin": "true"}
access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.