diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
index f145ca1f9..f91099742 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
similarity index 90%
rename from src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
index 404d0aeb4..1e5bbd8bb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java
@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -45,7 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
       "idor.hints.otherProfile8",
       "idor.hints.otherProfile9"
     })
-public class IDOREditOtherProfiile extends AssignmentEndpoint {
+public class IDOREditOtherProfile extends AssignmentEndpoint {
 
   @Autowired private UserSessionData userSessionData;
 
@@ -69,7 +70,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
       // we will persist in the session object for now in case we want to refer back or use it later
       userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
       if (currentUserProfile.getRole() <= 1
-          && currentUserProfile.getColor().toLowerCase().equals("red")) {
+          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
         return success(this)
             .feedback("idor.edit.profile.success1")
             .output(currentUserProfile.profileToMap().toString())
@@ -77,16 +78,16 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
       }
 
       if (currentUserProfile.getRole() > 1
-          && currentUserProfile.getColor().toLowerCase().equals("red")) {
-        return success(this)
+          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
+        return failed(this)
             .feedback("idor.edit.profile.failure1")
             .output(currentUserProfile.profileToMap().toString())
             .build();
       }
 
       if (currentUserProfile.getRole() <= 1
-          && !currentUserProfile.getColor().toLowerCase().equals("red")) {
-        return success(this)
+          && !currentUserProfile.getColor().equalsIgnoreCase("red")) {
+        return failed(this)
             .feedback("idor.edit.profile.failure2")
             .output(currentUserProfile.profileToMap().toString())
             .build();
@@ -97,7 +98,8 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
             .feedback("idor.edit.profile.failure3")
             .output(currentUserProfile.profileToMap().toString())
             .build();
-      } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
+      } else if (userSubmittedProfile.getUserId() != null
+          && userSubmittedProfile.getUserId().equals(authUserId)) {
         return failed(this).feedback("idor.edit.profile.failure4").build();
       }
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
index 1b656c0cf..36a161c88 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
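Review bot: The new `equalsIgnoreCase("red")` on the fourth line of this hunk still dereferences `currentUserProfile.getColor()` before comparing, so if a profile can be submitted without a color this branch and both conditions in the @@ -77 hunk throw a NullPointerException, while the same commit adds a `!= null` guard for `getUserId()` in the @@ -97 hunk. Flipping the receiver, `&& "red".equalsIgnoreCase(currentUserProfile.getColor())) {`, is null-safe without an extra clause and keeps the three conditions consistent with that new guard. Whether `getColor()` can return null is not visible here, since `UserProfile` is outside these hunks. The enclosing method starts and ends outside the hunk.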
@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
index b4e8a3cbd..61d7cce19 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -23,8 +24,6 @@
 package org.owasp.webgoat.lessons.idor;
 
 import jakarta.servlet.http.HttpServletResponse;
-import java.util.HashMap;
-import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -56,7 +55,6 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
       produces = {"application/json"})
   @ResponseBody
   public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
-    Map details = new HashMap<>();
     if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
       // going to use session auth to view this one
 
@@ -66,7 +64,8 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
       UserProfile requestedProfile = new UserProfile(userId);
       // secure code would ensure there was a horizontal access control check prior to dishing up
       // the requested profile
-      if (requestedProfile.getUserId().equals("2342388")) {
+      if (requestedProfile.getUserId() != null
+          && requestedProfile.getUserId().equals("2342388")) {
         return success(this)
             .feedback("idor.view.profile.success")
             .output(requestedProfile.profileToMap().toString())
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
index ec78df0bd..b58fe69ca 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
index a2fe4cb9c..c4f99a6b3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
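Review bot: The two-line guard added here can be a single null-safe comparison, `if ("2342388".equals(requestedProfile.getUserId())) {`, which drops the second getter call and reads as one condition. The lookup that gates this whole branch, visible as context in the @@ -56 hunk of the same method, still calls `.equals("tom")` on `userSessionData.getValue("idor-authenticated-as")` and throws a NullPointerException when that session value was never set; `"tom".equals(userSessionData.getValue("idor-authenticated-as"))` would extend the null-safety this commit introduces to that line as well. The enclosing method `completed` starts and ends outside this hunk.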
@@ -68,7 +69,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
         return failed(this).feedback("idor.view.own.profile.failure2").build();
       }
     } catch (Exception ex) {
-      return failed(this).feedback("an error occurred with your request").build();
+      return failed(this).output("an error occurred with your request").build();
     }
   }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
index f1490b2a5..08f9ca63a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
diff --git a/src/main/resources/lessons/idor/i18n/WebGoatLabels.properties b/src/main/resources/lessons/idor/i18n/WebGoatLabels.properties
index 7f2c10b81..74e180eba 100644
--- a/src/main/resources/lessons/idor/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/idor/i18n/WebGoatLabels.properties
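Review bot: `catch (Exception ex)` still drops `ex` without recording it, so after this change a server-side fault in the endpoint produces the same generic text as bad input and leaves nothing for the operator to diagnose. If the class has a logger, `log.warn("IDORViewOwnProfileAltUrl request failed", ex);` before the return keeps the cause server-side without exposing it to the client; otherwise a comment such as `// intentionally swallowed: never surface stack traces to the client` should state that the drop is deliberate. The message is also a hard-coded English string while the neighbouring result uses the bundle key `idor.view.own.profile.failure2`; a new key in WebGoatLabels.properties (name to be chosen, e.g. `idor.view.own.profile.error`) passed to `.feedback(...)` would keep it translatable. The enclosing method starts outside this hunk.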
@@ -27,7 +27,7 @@ idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare
 idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
 idor.edit.profile.success2=Good work! View the updated profile below
 idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
-idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.)
+idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.
 idor.edit.profile.failure3=Try again. Use the hints if you need to.
 idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.