dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3536fd0b6daf61042d4f2cd2f2b354a1c219c311
WebGoat/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
Jason 1734170e9e updates to missing function ac lesson
2018-06-04 16:53:13 -06:00

26 lines
2.6 KiB
INI
Raw Blame History

missing-function-access-control.title=Missing Function Level Access Control
access-control.hidden-menus.success=Correct! And not hard to find are they?!? One of these urls will be helpful in the next lab.
access-control.hidden-menus.close=Close. Remember that when hacking ... details such as order,case and the like matter.
access-control.hidden-menus.failure=Please try again.
access-control.hidden-menus.hint1=You can inspect the DOM or review the source in the proxy request/response cycle.
access-control.hidden-menus.hint2=Look for indications of something that would not be available to a typical user
access-control.hidden-menus.hint3=Look for something a super-user or administator might have available to them
access-control.hash.success=Congrats! You really succeeded when you added the user.
access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
access-control.hash.hint1=There is an easier way and a 'harder' way to achieve this, the easier way involves one simple change in a GET request.
access-control.hash.hint2= If you haven't found the hidden menus from the earlier exercise, go do that first.
access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role.
access-control.hash.hint4=For the easy way, have you tried tampering the GET request? Different content-types?
access-control.hash.hint5=For the 'easy' way, modify the GET request to /users to include 'Content-Type: application/json'
access-control.hash.hint6=Now for the harder way ... it builds on the easier way
access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
access-control.hash.hint10=You will want to add WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting.
access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"}
access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.
Reference in New Issue View Git Blame Copy Permalink