missing function level ac working again ... after VM implosion

webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html

@@ -30,8 +30,8 @@
                     <h3 class="hidden-menu-item menu-header">Admin</h3>
                         <div class="menu-section hidden-menu-item">
                             <ul>
-                                <li>List Users</li>
-                                <li>Add User</li>
+                                <li><a href="/users">Users</a></li>
+                                <li><a href="/config">Config</a></li>
                             </ul>
                         </div>
                 </div>
@@ -57,25 +57,26 @@
 
     </div>
 
-    <!--<div class="lesson-page-wrapper">-->
-        <!--<div class="adoc-content" th:replace="doc:missing-function-ac-03-list-users.adoc"></div>-->
+    <div class="lesson-page-wrapper">
 
-        <!--<div class="attack-container">-->
-            <!--<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
-            <!--<form class="attack-form" accept-charset="UNKNOWN"-->
-                  <!--method="POST" name="form"-->
-                  <!--action="/WebGoat/access-control/user-info">-->
+        <div class="adoc-content" th:replace="doc:missing-function-ac-03-users.adoc"></div>
 
-                <!--<p>CC Number: <input name="ccNum" value="" type="TEXT" /></p>-->
-                <!--<br/>-->
-                <!--<input name="submit" value="Submit" type="SUBMIT"/>-->
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="form"
+                  action="/WebGoat/access-control/user-hash">
 
-            <!--</form>-->
+                <p>Your Hash: <input name="userHash" value="" type="TEXT" /></p>
+                <br/>
+                <input name="submit" value="Submit" type="SUBMIT"/>
 
-            <!--<div class="attack-feedback"></div>-->
-            <!--<div class="attack-output"></div>-->
-        <!--</div>-->
+            </form>
 
-    <!--</div>-->
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+
+    </div>
 
 </html>

webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties

@@ -6,4 +6,17 @@ access-control.hidden-menus.failure=Please try again.
 
 access-control.hidden-menus.hint1=You can inspect the DOM or review the source in the proxy request/response cycle.
 access-control.hidden-menus.hint2=Look for indications of something that would not be available to a typical user
-access-control.hidden-menus.hint3=Look for something a super-user or administator might have available to them
+access-control.hidden-menus.hint3=Look for something a super-user or administator might have available to them
+
+access-control.hash.success=Congrats! You really succeeded when you added the user.
+access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
+
+access-control.hash.hint1=If you haven't found the hidden menus from the earlier exercise, go do that now.
+access-control.hash.hint2=When you look at the users page, there is a hint that more info is viewable by a given role of user. 
+access-control.hash.hint3=Have you tried tampering the GET request? Can you find supported or unsupported methods? Can you trigger 500 errors?
+access-control.hash.hint4=There are actually two ways to solve this one. The first involves just changing a request header.
+access-control.hash.hint5=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
+access-control.hash.hint6=If you're still looking for hints ... try changing the Content-type header in the GET request.
+access-control.hash.hint7=The harder way involves changing the Content-type AND the method ... As well as a proper payload for the request.  Look at how registration works first and extrapolate out from there.
+access-control.hash.hint8=See if you can add a user with a webgoat admin role, and if more is visible once you log in as that user.
+access-control.hash.hint9=If you create a new user with the admin role ... The role should include 'WEBGOAT' and 'ADMIN' in the role name. You'll have to do some guessing beyond that.

webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-list-users.adoc

@@ -1,10 +0,0 @@
-== Just Try It
-
-As the previous page noted, sometimes apps rely on client controls. to control access (obscurity). If you can find items that don't have visible links, just try them, see what happens. Yes, it
-can be that simple!
-
-=== Gathering User Info
-
-Often times, data dumps from vulnerabilities such as sql injection, but they can also come from poor or lacking access control.  Use the info. you already gathered to pull the list of users and
-then provide the CC# for Chaos Monkey.
-

webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc

@@ -0,0 +1,10 @@
+== Just Try It
+
+As the previous page noted, sometimes apps rely on client controls. to control access (obscurity). If you can find items that don't have visible links, just try them, see what happens. Yes, it
+can be that simple!
+
+=== Gathering User Info
+
+Often times, data dumps from vulnerabilities such as sql injection, but they can also come from poor or lacking access control.
+
+It will likely take multiple steps and multiple attempts to get this one. Pay attention to the comments, leaked info. and you'll need to guess some.  You may need to use another browser/account along the way.  Start with the info. you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'Hash' for your own user account.