Access Control: Bypass a Path Based Access Control Scheme

Goal: 

Gain access to the unauthorized file resource "WEB-INF/spring-security.xml", whose location is unknown. Note that the hacker has access to files on the site.

Method: 

Use Burp Suite to modify the file request and gain access.

Step-by-step guide

1. Set up the Burp Suite proxy on both the client and Burp.

2. First we need to gather as much information as we can about the folder structure. Let's use a file that we already have access to in order to find out its directory.

We can see that the file BlindStringSqlInjection.html is located at 

/root/.extract/webapps/WebGoat/plugin_extracted/plugin/BlindStringSqlInjection/lessonPlans/en/BlindStringSqlInjection.html

3. Let's start Burp and locate the previous request in Burp. There are two ways to inject into or modify the initial request: by intercepting it, or by using the Repeater function.

4. We will use trial and error, as we don't know where the file is located.

/root/.extract/webapps/WebGoat/plugin_extracted/plugin/BlindStringSqlInjection/lessonPlans/en/BlindStringSqlInjection.html

Let's try injecting the path below and see what happens: /../../../../../../../../WEB-INF/spring-security.xml

This attempt failed. Let's remove one directory level at a time and test again. After the 4th try, we successfully gain access to the file.
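
The traversal in step 4 works because the requested name is joined to the lesson directory and the result is never checked against that directory. The Python sketch below is an added example, not WebGoat's code: `naive_resolve`, `safe_resolve` and `audit` are hypothetical names, and the sample requests are constructed from the paths shown on this page.

```python
import posixpath

# Directory the lesson is allowed to serve from (path taken from the page).
BASE = ("/root/.extract/webapps/WebGoat/plugin_extracted/plugin/"
        "BlindStringSqlInjection/lessonPlans/en")


def naive_resolve(base, requested):
    """Flawed scheme: join and normalise, never compare the result to base."""
    return posixpath.normpath(posixpath.join(base, requested))


def safe_resolve(base, requested):
    """Return the normalised path only if it stays inside base, else raise."""
    base = posixpath.normpath(base)
    # join() silently discards base when the request is absolute.
    if posixpath.isabs(requested):
        raise PermissionError("absolute path rejected: %r" % requested)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # commonpath compares whole components, so "/srv/en-old" is not inside "/srv/en".
    if posixpath.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes base: %r" % requested)
    return candidate


def audit(base, requests):
    """Map each requested name to (naive result, allowed by safe_resolve)."""
    report = {}
    for name in requests:
        try:
            safe_resolve(base, name)
            allowed = True
        except PermissionError:
            allowed = False
        report[name] = (naive_resolve(base, name), allowed)
    return report


# Constructed sample requests: the lesson's own file, then a traversal string
# shortened one level at a time (8 levels down to 5), as in step 4.
SAMPLES = ["BlindStringSqlInjection.html"] + [
    "../" * depth + "WEB-INF/spring-security.xml" for depth in range(8, 4, -1)
]

if __name__ == "__main__":
    for name, (resolved, allowed) in audit(BASE, SAMPLES).items():
        print("ALLOW" if allowed else "DENY ", name, "->", resolved)
```

On a real file system, canonicalise with `os.path.realpath` before the comparison so that symlinks inside the base directory cannot point outside it.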
 
