dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

missing function level ac working again ... after VM implosion

Browse Source
This commit is contained in:
Jason White
2017-08-08 17:15:20 -06:00
parent 8df1d53471
commit b41751a55c
11 changed files with 269 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -6,4 +6,17 @@ access-control.hidden-menus.failure=Please try again.
access-control.hidden-menus.hint1=You can inspect the DOM or review the source in the proxy request/response cycle.
access-control.hidden-menus.hint2=Look for indications of something that would not be available to a typical user
access-control.hidden-menus.hint3=Look for something a super-user or administator might have available to them
access-control.hidden-menus.hint3=Look for something a super-user or administator might have available to them
access-control.hash.success=Congrats! You really succeeded when you added the user.
access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
access-control.hash.hint1=If you haven't found the hidden menus from the earlier exercise, go do that now.
access-control.hash.hint2=When you look at the users page, there is a hint that more info is viewable by a given role of user.
access-control.hash.hint3=Have you tried tampering the GET request? Can you find supported or unsupported methods? Can you trigger 500 errors?
access-control.hash.hint4=There are actually two ways to solve this one. The first involves just changing a request header.
access-control.hash.hint5=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
access-control.hash.hint6=If you're still looking for hints ... try changing the Content-type header in the GET request.
access-control.hash.hint7=The harder way involves changing the Content-type AND the method ... As well as a proper payload for the request. Look at how registration works first and extrapolate out from there.
access-control.hash.hint8=See if you can add a user with a webgoat admin role, and if more is visible once you log in as that user.
access-control.hash.hint9=If you create a new user with the admin role ... The role should include 'WEBGOAT' and 'ADMIN' in the role name. You'll have to do some guessing beyond that.