bug: Fix IDOR lesson

src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -45,7 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
   "idor.hints.otherProfile8",
   "idor.hints.otherProfile9"
 })
-public class IDOREditOtherProfiile extends AssignmentEndpoint {
+public class IDOREditOtherProfile extends AssignmentEndpoint {
 
   @Autowired private UserSessionData userSessionData;
 
@@ -69,7 +70,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
       // we will persist in the session object for now in case we want to refer back or use it later
       userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
       if (currentUserProfile.getRole() <= 1
-          && currentUserProfile.getColor().toLowerCase().equals("red")) {
+          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
         return success(this)
             .feedback("idor.edit.profile.success1")
             .output(currentUserProfile.profileToMap().toString())
@@ -77,16 +78,16 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
       }
 
       if (currentUserProfile.getRole() > 1
-          && currentUserProfile.getColor().toLowerCase().equals("red")) {
+          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
-        return success(this)
+        return failed(this)
             .feedback("idor.edit.profile.failure1")
             .output(currentUserProfile.profileToMap().toString())
             .build();
       }
 
       if (currentUserProfile.getRole() <= 1
-          && !currentUserProfile.getColor().toLowerCase().equals("red")) {
+          && !currentUserProfile.getColor().equalsIgnoreCase("red")) {
-        return success(this)
+        return failed(this)
             .feedback("idor.edit.profile.failure2")
             .output(currentUserProfile.profileToMap().toString())
             .build();
@@ -97,7 +98,8 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
           .feedback("idor.edit.profile.failure3")
           .output(currentUserProfile.profileToMap().toString())
           .build();
-    } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
+    } else if (userSubmittedProfile.getUserId() != null
+        && userSubmittedProfile.getUserId().equals(authUserId)) {
       return failed(this).feedback("idor.edit.profile.failure4").build();
     }
 

src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -23,8 +24,6 @@
 package org.owasp.webgoat.lessons.idor;
 
 import jakarta.servlet.http.HttpServletResponse;
-import java.util.HashMap;
-import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -56,7 +55,6 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
       produces = {"application/json"})
   @ResponseBody
   public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
-    Map<String, Object> details = new HashMap<>();
 
     if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
       // going to use session auth to view this one
@@ -66,7 +64,8 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
         UserProfile requestedProfile = new UserProfile(userId);
         // secure code would ensure there was a horizontal access control check prior to dishing up
         // the requested profile
-        if (requestedProfile.getUserId().equals("2342388")) {
+        if (requestedProfile.getUserId() != null
+            && requestedProfile.getUserId().equals("2342388")) {
           return success(this)
               .feedback("idor.view.profile.success")
               .output(requestedProfile.profileToMap().toString())

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -68,7 +69,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
         return failed(this).feedback("idor.view.own.profile.failure2").build();
       }
     } catch (Exception ex) {
-      return failed(this).feedback("an error occurred with your request").build();
+      return failed(this).output("an error occurred with your request").build();
     }
   }
 }

src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/resources/lessons/idor/i18n/WebGoatLabels.properties

@@ -27,7 +27,7 @@ idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare
 idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
 idor.edit.profile.success2=Good work! View the updated profile below
 idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
-idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.)
+idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.
 idor.edit.profile.failure3=Try again. Use the hints if you need to.
 idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.