Merge pull request WebGoat#479 from misfir3/develop

Recent updates, including Missing Function AC content & patch for Vuln Components Lesson

platformQuickStarts/GCP/GKE-Docker/deploy.cfg

@@ -0,0 +1,4 @@
+CURTAG=webgoat/webgoat-8.0
+DEST_TAG=gcr.io/astech-training/raging-wire-webgoat
+CLUSTER_NAME=raging-wire-webgoat
+PORT_NUM=8080

platformQuickStarts/GCP/GKE-Docker/gke-deploy-config.sh

@@ -0,0 +1,4 @@
+CURTAG=webgoat/webgoat-8.0
+DEST_TAG=gcr.io/your-gke-project/your-webgoat-tag
+CLUSTER_NAME=your-cluster-name
+PORT_NUM=8080

webgoat-container/src/main/resources/templates/list_users.html

@@ -123,8 +123,9 @@
     <section class="main-content-wrapper">
         <section id="main-content"> <!--ng-controller="goatLesson"-->
             <div id="lesson-page" class="pages">
-                <span th:text="${numUsers}"> Users in WebGoat</span>
-                <!-- iterate over users below -->su
+                <span th:text="${numUsers}"></span>
+                <span> Users in WebGoat</span>
+
                 <div sec:authorize="hasAuthority('WEBGOAT_ADMIN')">
                     <h3>WebGoat Users</h3>
                     <div th:each="user : ${allUsers}">

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java

@@ -13,7 +13,7 @@
 @AssignmentPath("/access-control/user-hash")
 @AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3",
         "access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7",
-        "access-control.hash.hint8","access-control.hash.hint9"})
+        "access-control.hash.hint8","access-control.hash.hint9","access-control.hash.hint10","access-control.hash.hint11","access-control.hash.hint12"})
 public class MissingFunctionACYourHash extends AssignmentEndpoint {
 
     @Autowired

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java

@@ -51,7 +51,7 @@ protected HashMap<Integer, HashMap> getUsers  (HttpServletRequest req) {
                         userMap.put("cc", results.getString(3));
                         userMap.put("ccType", results.getString(4));
                         userMap.put("cookie", results.getString(5));
-                        userMap.put("loginCOunt",Integer.toString(results.getInt(6)));
+                        userMap.put("loginCount",Integer.toString(results.getInt(6)));
                         allUsersMap.put(id,userMap);
                     }
                     userSessionData.setValue("allUsers",allUsersMap);

webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties

@@ -11,12 +11,15 @@ access-control.hidden-menus.hint3=Look for something a super-user or administato
 access-control.hash.success=Congrats! You really succeeded when you added the user.
 access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
 
-access-control.hash.hint1=If you haven't found the hidden menus from the earlier exercise, go do that now.
-access-control.hash.hint2=When you look at the users page, there is a hint that more info is viewable by a given role of user. 
-access-control.hash.hint3=Have you tried tampering the GET request? Can you find supported or unsupported methods? Can you trigger 500 errors?
-access-control.hash.hint4=There are actually two ways to solve this one. The first involves just changing a request header.
-access-control.hash.hint5=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
-access-control.hash.hint6=If you're still looking for hints ... try changing the Content-type header in the GET request.
-access-control.hash.hint7=The harder way involves changing the Content-type AND the method ... As well as a proper payload for the request.  Look at how registration works first and extrapolate out from there.
-access-control.hash.hint8=See if you can add a user with a webgoat admin role, and if more is visible once you log in as that user.
-access-control.hash.hint9=If you create a new user with the admin role ... The role should include 'WEBGOAT' and 'ADMIN' in the role name. You'll have to do some guessing beyond that.
+access-control.hash.hint1=There is an easier way and a 'harder' way to achieve this, the easier way involves one simple change in a GET request.
+access-control.hash.hint2= If you haven't found the hidden menus from the earlier exercise, go do that first.
+access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role. 
+access-control.hash.hint4=For the easy way, have you tried tampering the GET request? Different content-types?
+access-control.hash.hint5=For the 'easy' way, modify the GET request to /users to include 'Content-Type: application/json'
+access-control.hash.hint6=Now for the harder way ... it builds on the easier way
+access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
+access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
+access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
+access-control.hash.hint10=You will want to add  WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting. 
+access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"}
+access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.