Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MissingFunctionAC Lesson 4 - Misleading hints #1424

Closed
alexcolb opened this issue Feb 21, 2023 · 5 comments · Fixed by #1579
Closed

MissingFunctionAC Lesson 4 - Misleading hints #1424

alexcolb opened this issue Feb 21, 2023 · 5 comments · Fixed by #1579
Assignees
@aolle
Labels
4 - Done bug convenience non essential improvement which makes things more convenient enhancement waiting for release Issue is fix, waiting on new release
Milestone
2023.5

Comments

@alexcolb
Copy link

Description of the problem

The hints for Lesson 4 of Missing Function Level Access Control are misleading and contradictory. Updating the hints would make the lesson more solvable, as described below.

access-control.hash.hint1 - access-control.hash.hint8

These hints are misleading, since they pertain to Lesson 3. Let's consider removing them from this lesson. Instead, the first hint could e.g. be:

Assume the admins' fixed user management is a RESTful endpoint. What other avenues, besides the type of request from the previous lesson, could you pursue?

This instructs the user to use a POST request instead.

access-control.hash.hint9

You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.

The problem here is that using the registration endpoint payload (username=newUser2&password=newUser12&matchingPassword=newUser12&agree=agree) to deduce the attack payload ({"username":"newUser2","password":"newUser12","admin": "true"}) is nontrivial. Suggested alternative:

You need to figure out a proper payload for the request. What kind of information does the response reveal, when you provide it with an empty payload in the content type you identified earlier?

This will instruct the user to send their POST request with the body {}, which in turn will respond with the following information and help the user to further develop their attack:

{
  "username" : null,
  "password" : null,
  "admin" : false
}

access-control.hash.hint11

OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","admin": "true"}

This instructs the user to create a new user, contradicting a previous hint to use their current user. Suggested alternative:

Change the method to POST and the content-type to "application/json". Include something like this as the payload: {"username":"my-webgoat-user","password":"","admin": "true"}

access-control.hash.hint12

Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.

Not sure what this is asking the user to do, as creating a new user via the endpoint doesn't allow us to log in with it. Suggested alternative:

Once you've escalated yourself to an admin, retry the GET request.
@github-actions
Copy link

Thanks for submitting your first issue, we will have a look as quickly as possible.

@aolle aolle self-assigned this Feb 21, 2023
@aolle
Copy link
Collaborator

aolle commented Feb 21, 2023

Hello Alex,

Thank you for opening an issue with so much detail. I will take a look at it and see what can be done. We will keep you informed here of any progress.

Regards

@Hosigamix
Copy link

How to log in as that the user,plisss help me
Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.

@poxenham-myp
Copy link

I agree with @Hosigamix, I have no idea how to "log in" as the new user

@aolle aolle added bug convenience non essential improvement which makes things more convenient labels Aug 26, 2023
@aolle aolle mentioned this issue Aug 26, 2023
Merged
aolle added a commit that referenced this issue Aug 26, 2023
@aolle
feat: improve MFAC lesson hint texts for a better user experience (#1424
05d2081 
)
aolle added a commit that referenced this issue Aug 26, 2023
@aolle
bug: fix hint that was breaking the template, causing hints from diff…
d84e13e 
…erent assignments to mix (#1424)
@aolle aolle added this to the 2023.5 milestone Aug 27, 2023
aolle added a commit that referenced this issue Aug 27, 2023
@aolle
feat: improve MFAC lesson hint texts for a better user experience (#1424
0555788 
)
aolle added a commit that referenced this issue Aug 27, 2023
@aolle
bug: fix hint that was breaking the template, causing hints from diff…
d8341c8 
…erent assignments to mix (#1424)
@aolle aolle reopened this Aug 27, 2023
@aolle aolle added the waiting for release Issue is fix, waiting on new release label Aug 27, 2023
@cetfor
Copy link

cetfor commented Nov 11, 2023
edited
Loading

This problem really threw me for a loop.

I essentially screwed myself by adding a whole bunch of "Jerry" users with various passwords, and just didn't select the correct hash. Thinking back, I have zero idea why I did this.

Step/Challenge 4 has two parts:
Part 1. Create a user with the same name as the user you log into WebGoat with (I use "webgoat").
Part 2. Request a list of users. Jerry will now have a different hash from step/challenge 3.

If you start by attempting to list the users, you'll get a Forbidden error. This is because your WebGoat username isn't in the user list as an "admin" (or at all actually). So you need to create a new user which matches your WebGoat account username and has "admin" set true. Now you should be able to list the users via the users-admin-fix endpoint and grab Jerry's hash to submit and complete the challenge.

I wonder if throwing an error if a user tries to create a username that already exists would help confusion with this problem. I'm curious what would have happened if my WebGoat username was "Jerry" - would I just need to view the user list without actually creating a new user since "Jerry" is already an admin? Shower thoughts...

Either way, this was really rewarding to figure out, thanks for maintaining WebGoat!

@nbaars nbaars closed this as completed Nov 24, 2023
nbaars pushed a commit that referenced this issue Mar 19, 2024
@aolle @nbaars
feat: improve MFAC lesson hint texts for a better user experience (#1424
edf9e6c 
)
nbaars pushed a commit that referenced this issue Mar 19, 2024
@aolle @nbaars
bug: fix hint that was breaking the template, causing hints from diff…
7a96575 
…erent assignments to mix (#1424)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aolle aolle

Labels
4 - Done bug convenience non essential improvement which makes things more convenient enhancement waiting for release Issue is fix, waiting on new release
Projects
None yet
Milestone
2023.5
Development

Successfully merging a pull request may close this issue.

Bug fix and improve MFAC hints WebGoat/WebGoat
6 participants
@nbaars @aolle @alexcolb @cetfor @poxenham-myp @Hosigamix