start of missing function ac lesson

webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html

@@ -0,0 +1,81 @@
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:missing-function-ac-01-intro.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:missing-function-ac-02-client-controls.adoc"></div>
+
+        <script th:src="@{/lesson_js/missing-function-ac.js}" > </script>
+
+        <div class="attack-container">
+            <div id="ac-menu-wrapper">
+                <div id="ac-menu">
+                    <h3 class="menu-header">Account</h3>
+                    <div class="menu-section">
+                        <ul>
+                            <li>My Profile</li>
+                            <li>Privacy/Security</li>
+                            <li>Log Out</li>
+                        </ul>
+                    </div>
+                    <h3 class="menu-header">Messages</h3>
+                        <div class="menu-section">
+                            <ul>
+                                <li>Unread Messages (3)</li>
+                                <li>Compose Message</li>
+                            </ul>
+                        </div>
+                    <h3 class="hidden-menu-item menu-header">Admin</h3>
+                        <div class="menu-section hidden-menu-item">
+                            <ul>
+                                <li>List Users</li>
+                                <li>Add User</li>
+                            </ul>
+                        </div>
+                </div>
+            </div>
+
+            <br/>
+
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="form"
+                  action="/WebGoat/access-control/hidden-menu">
+
+                <p>Hidden Item 1 <input name="hiddenMenu1" value="" type="TEXT" /></p>
+                <p>Hidden Item 2 <input name="hiddenMenu2" value="" type="TEXT" /></p>
+                <br/>
+                <input name="submit" value="Submit" type="SUBMIT"/>
+
+            </form>
+
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+
+    </div>
+
+    <!--<div class="lesson-page-wrapper">-->
+        <!--<div class="adoc-content" th:replace="doc:missing-function-ac-03-list-users.adoc"></div>-->
+
+        <!--<div class="attack-container">-->
+            <!--<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
+            <!--<form class="attack-form" accept-charset="UNKNOWN"-->
+                  <!--method="POST" name="form"-->
+                  <!--action="/WebGoat/access-control/user-info">-->
+
+                <!--<p>CC Number: <input name="ccNum" value="" type="TEXT" /></p>-->
+                <!--<br/>-->
+                <!--<input name="submit" value="Submit" type="SUBMIT"/>-->
+
+            <!--</form>-->
+
+            <!--<div class="attack-feedback"></div>-->
+            <!--<div class="attack-output"></div>-->
+        <!--</div>-->
+
+    <!--</div>-->
+
+</html>

webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties

@@ -0,0 +1,9 @@
+missing-function-access-control.title=Missing Function Level Access Control
+
+access-control.hidden-menus.success=Correct! And not hard to find are they?!? For the next lab, note that the endpoints are at /WebGoat/access-control/list-users and /WebGoat/access-control/add-user
+access-control.hidden-menus.close=Close. Remember that when hacking ... details such as order,case and the like matter.
+access-control.hidden-menus.failure=Please try again.
+
+access-control.hidden-menus.hint1=You can inspect the DOM or review the source in the proxy request/response cycle.
+access-control.hidden-menus.hint2=Look for indications of something that would not be available to a typical user
+access-control.hidden-menus.hint3=Look for something a super-user or administator might have available to them

webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js

@@ -0,0 +1,6 @@
+webgoat.customjs.accessControlMenu = function() {
+    //webgoat.customjs.jquery('#ac-menu-ul').menu();
+    webgoat.customjs.jquery('#ac-menu').accordion();
+}
+
+webgoat.customjs.accessControlMenu();

webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc

@@ -0,0 +1,9 @@
+== Missing Function Level Access Control
+
+Access control, like output encoding XSS can be tricky to maintain and ensure it is enforced properly throughout an application, including at each method/function.
+
+=== IDOR vs Missing Function Level Access Control
+
+The fact is many people (including the author of this lesson) would lump function level access control and IDOR into 'Access Control'. For sake of OWASP, Top 10 and these lessons, we will make a
+distinction. The distinction most make is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality'. Even though,
+the IDOR lesson here demonstrates how functionality may also be exposed, (at least to another user in the same role), we will look at other ways functionality might be exposed.

webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc

@@ -0,0 +1,16 @@
+== Relying on Obscurity
+
+If you are relying on HTML, CSS or javascript to hide links that users don't normally access.
+It's a little older, but there was a case of a network router trying to protect (hide) admin functions with javascript in the UI https://www.wired.com/2009/10/routers-still-vulnerable
+
+=== Finding Hidden Items
+
+There are usually hints to finding functionality the UI does not openly expose in ...
+
+* HTML or javascript comments
+* Commented out elements
+* Items hidden via css controls/classes
+
+=== Your Mission
+
+Find two menu items not visible in menu below that are or would be of interest to an attacker/malicious user and put the labels for those menu items (there are no links right now in the menus).

webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-list-users.adoc

@@ -0,0 +1,10 @@
+== Just Try It
+
+As the previous page noted, sometimes apps rely on client controls. to control access (obscurity). If you can find items that don't have visible links, just try them, see what happens. Yes, it
+can be that simple!
+
+=== Gathering User Info
+
+Often times, data dumps from vulnerabilities such as sql injection, but they can also come from poor or lacking access control.  Use the info. you already gathered to pull the list of users and
+then provide the CC# for Chaos Monkey.
+