Webgoat - Missing Function Level Access Control

Webgoat – Missing Function Level Access Control

In this walk through, we will be going through the Missing Function Level Access Control vulnerability section from Webgoat Labs. We will be exploring and exploiting Missing Function Level Access Control and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

Missing Function Level Access Control

Missing Function Level Access Control

Missing Function Level Access Control

1. Relying on obscurity

  • In this task we have to find to invisible menu items in the menu which will be useful for further tasks in this challenge.

1. Relying on obscurity

  • I used dev tools inspector and found the hidden menu items.

Page inspect

Challenge completed

2. Gathering User Info

  • In this one we have to find a hash of user Jerry’s account. We have to take hints and input from the previously found information. As per our previous task we found a directory called users.

2. Gathering User Info

  • I intercepted the request via Burpsuite and changed the method to GET. The target url to users and the Content-Type to application/json which gives me the results consisting the user’s hash.

Burpsuite intercept

Changing paramters

Burspuite Response

Challenge completed

3. The company fixed the problem, right?

  • In this one, the company has found the vulnerable endpoint and made an emergency fix for it. I tried the previous technique on this and it do display the response however the solution was not correct.

3. The company fixed the problem, right?

Burpsuite intercept

Burpsuite Response

Challenge completed

  • I peeked into the application source code and found out the user’s password which is in plain text. Further, the application is now using a different salt for the admin accounts which is “DeliberatelyInsecure1235”. Next, the application takes the username, salt and password and encrypt it with SHA256 algorithm and then at last encode it with base64.

Source code

Password salt

Password salt

  • Now that we know that, let’s use the below program to generate our desired hash.

import java.nio.charset.StandardCharsets;

import java.security.MessageDigest;

import java.util.Base64;



public class App {

    public static void main(String[] args) throws Exception {

        System.out.println("Hello, World!");

        String password = "doesnotreallymatter";

        String username = "Jerry";

        String passwordSaltStrong = "DeliberatelyInsecure1235";



        try {

            MessageDigest md = MessageDigest.getInstance("SHA-256");

            String salted = password + passwordSaltStrong + username;

            byte[] hash = md.digest(salted.getBytes(StandardCharsets.UTF_8));

            System.out.println(Base64.getEncoder().encodeToString(hash));

        } catch (Error e) {



        }



    }

}

d4T2ahJN4fWP83s9JdLISio7Auh4mWhFT1Q38S6OewM=

Running the java code

  • Submit it to complete the challenge.

Challenge completed

Also Read: Webgoat – JWT tokens

Conclusion:

Conclusion

So, we finally completed the Webgoat Missing Function Level Access Control Vulnerability section. Next, we can mitigate these types of attacks by completely denying access to everything and then every specific role can be explicitly granted access for each function. Along with that, the application must not reveal sensitive information on the front end or responses which might then be misused to attack it later and Security through Obscurity must not be used in any circumstance. On that note, i will take your leave and will meet you in next one with another Webgoat vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top