
MissingFunctionAC Lesson 4 - Misleading hints #1424

@alexcolb


Description of the problem

The hints for Lesson 4 of Missing Function Level Access Control are misleading and contradictory. Updating the hints would make the lesson more solvable, as described below.

access-control.hash.hint1 - access-control.hash.hint8

These hints are misleading, since they pertain to Lesson 3. Let's consider removing them from this lesson. Instead, the first hint could e.g. be:

Assume the admins' fixed user management is a RESTful endpoint. What other avenues, besides the type of request from the previous lesson, could you pursue?

This instructs the user to use a POST request instead.

access-control.hash.hint9

You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.

The problem here is that using the registration endpoint payload (username=newUser2&password=newUser12&matchingPassword=newUser12&agree=agree) to deduce the attack payload ({"username":"newUser2","password":"newUser12","admin": "true"}) is nontrivial. Suggested alternative:

You need to figure out a proper payload for the request. What kind of information does the response reveal when you provide it with an empty payload in the content type you identified earlier?

This will instruct the user to send their POST request with the body {}, which in turn will respond with the following information and help the user to further develop their attack:

{
  "username" : null,
  "password" : null,
  "admin" : false
}

access-control.hash.hint11

OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","admin": "true"}

This instructs the user to create a new user, contradicting a previous hint to use their current user. Suggested alternative:

Change the method to POST and the content-type to "application/json". Include something like this as the payload: {"username":"my-webgoat-user","password":"","admin": "true"}

access-control.hash.hint12

Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.

Not sure what this is asking the user to do, as creating a new user via the endpoint doesn't allow us to log in with it. Suggested alternative:

Once you've escalated yourself to an admin, retry the GET request.
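The escalation the hints describe, shown as an added example that is not WebGoat's own code: a constructed Python stand-in for the user-management endpoint (function names, the `User` dataclass and the `caller_is_admin` flag are assumptions). The vulnerable handler binds every JSON field onto the entity, so an empty `{}` echoes the nulls and `admin: false` quoted above and a client-supplied `admin` flag is honoured; the hardened handler beside it whitelists the bound fields and enforces the caller's role server-side.

```python
import json
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class User:
    # Mirrors the three fields the lesson's endpoint echoes back (constructed stand-in).
    username: Optional[str] = None
    password: Optional[str] = None
    admin: bool = False


def vulnerable_create_user(body: str) -> dict:
    """Mass-assignment style binding: every JSON key that matches an entity
    attribute is copied straight in, including 'admin'. An empty '{}' therefore
    returns {"username": null, "password": null, "admin": false}."""
    data = json.loads(body)
    user = User()
    for key, value in data.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return asdict(user)


def hardened_create_user(body: str, caller_is_admin: bool) -> dict:
    """Hardened form: the endpoint itself is an admin-only function (the missing
    function-level check), and only an explicit whitelist of fields is bound.
    The 'admin' flag is never taken from the request body."""
    if not caller_is_admin:
        raise PermissionError("user management requires the admin role")
    data = json.loads(body)
    allowed = {"username", "password"}
    unexpected = set(data) - allowed
    if unexpected:
        # Reject rather than silently drop, so probing is visible in logs.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    user = User(username=data.get("username"), password=data.get("password"), admin=False)
    return asdict(user)


if __name__ == "__main__":
    # Constructed payloads matching the ones quoted in the issue.
    print(vulnerable_create_user("{}"))
    print(vulnerable_create_user('{"username":"newUser2","password":"newUser12","admin": "true"}'))
```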
