I've recently installed WebGoat 8.00M12 on my computer and I tried to solve the "Access Control" section for a demonstration in my class.
Everything was simple and smooth until I got stuck at the last point in the "Missing function level access control" lesson subsection, and I have been stuck there for 2 full days now. Can anyone help me, please?
The question is this:
Note: the previous page contained 2 CSS-hidden hyperlinks (/users and /config) that don't work when I click on them or try them (these are supposedly only available for the admin).
What I have done:
- Using Burp Suite to spider the web application, the intended directories were not found.
- Tried many combinations like (show-users, users, list-users, display-users) on many directories but just couldn't find the "users page" they talked about in the hints, but I did find some useless page at /WebGoat/users which contained only "su 1", just FYI.
Helpful notes:
- The WebApplication runs a RESTful structure.
- It runs on Java (I tried reading the source code on GitHub but didn't understand anything).
- Download WebGoat v8.0 (if you care) Here