Missing Function Level Access Control (3)

Just Try It

As the previous page noted, sometimes apps rely on client controls. to control access (obscurity). If you can find items that don’t have visible links, just try them, see what happens. Yes, it can be that simple!

Gathering User Info

Often times, data dumps from vulnerabilities such as sql injection, but they can also come from poor or lacking access control.

It will likely take multiple steps and multiple attempts to get this one. Pay attention to the comments, leaked info. and you’ll need to guess some. You may need to use another browser/account along the way. Start with the info. you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'Hash' for your own user account.


💡 There is an easier way and a 'harder' way to achieve this, the easier way involves one simple change in a GET request. 💡 If you haven't found the hidden menus from the earlier exercise, go do that first. 💡 When you look at the users page, there is a hint that more info is viewable by a given role. 💡 For the easy way, have you tried tampering the GET request? Different content-types? 💡 For the 'easy' way, modify the GET request to /users to include 'Content-Type: application/json' 💡 Now for the harder way ... it builds on the easier way' 💡 If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it? 💡 If you're still looking for hints ... try changing the Content-type header as in the GET request. 💡 You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined. 💡 You will want to add WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting. 💡 OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"} 💡 Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.

  • Open the Development Tools in the browser, and go to the Network tab.

  • Locate the query to users in the Network tab and click on Edit and Resend.

  • Add the header Content-Type: application/json.

  • Check the hash in the response.

Last updated