A1:2021 | Missing Function Level Access Control (3) | Cycubix Docs

Just Try It

As the previous page noted, sometimes apps rely on client controls. to control access (obscurity). If you can find items that don’t have visible links, just try them, see what happens. Yes, it can be that simple!

Gathering User Info

Often times, data dumps from vulnerabilities such as sql injection, but they can also come from poor or lacking access control.

It will likely take multiple steps and multiple attempts to get this one. Pay attention to the comments, leaked info. and you’ll need to guess some. You may need to use another browser/account along the way. Start with the info. you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'Hash' for your own user account.

Solution with ZAP and BurpSuite

  • From previous lessons we know that there are 2 endpoints that are supposed to be hidden from a non-admin user: /users and /config.

  • Turn on the interceptor on Burp/ Unset the Break on Zap.

  • Go Back to WebGoat and hit the Submit button under hash.

  • On Burp and ZAP find the request with the endpoint we are looking for:

  • Turn Off the Interceptor (Burp) or Break (ZAP).

  • Send the request to the Repeater (Burp) or Manual Request Editor (ZAP). Change the endpoint from user-hash to users.

  • Click send. You will receive and error message, saying the media type is unsupported.

  • Change content type:

    Content-Type: application/json; charset=UTF-8
  • After hitting send, you will receive a message of error saying that it was expected a JSON object in accordance with the POST request.

  • Change the Method from POST to GET. And add a value into userHash.

  • After hitting send, you will get the following values:

  • Submit the UserHash in the WebGoat lesson. Don't forget to previously turn on the Interceptor or Breaker.


💡 Now for the harder way ... it builds on the easier way' 💡 If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it? 💡 If you're still looking for hints ... try changing the Content-type header as in the GET request. 💡 You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined. 💡 You will want to add WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting. 💡 OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"} 💡 Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.

  • Open the Development Tools in the browser, and go to the Network tab.

  • Locate the query to users in the Network tab and click on Edit and Resend.

  • Add the header Content-Type: application/json.

  • Check the hash in the response.

Last updated