IDOR hints updated

2017-06-27 10:26:22 -04:00
parent 89e2fc109c
commit 296723508b
7 changed files with 94 additions and 67 deletions
--- a/webgoat-lessons/idor/src/main/resources/html/IDOR.html
+++ b/webgoat-lessons/idor/src/main/resources/html/IDOR.html
@ -138,7 +138,7 @@
        <!-- modify the action to point to the intended endpoint -->
        <form class="attack-form" accept-charset="UNKNOWN" id="view-other"
              method="GET" name="view-other-profile"
-              action="/WebGoat/IDOR/profile"
+              action="/WebGoat/IDOR/profile/{userId}"
              enctype="application/json;charset=UTF-8">
            <script th:src="@{/lesson_js/idor.js}" />

@ -163,7 +163,7 @@
        <!-- modify the action to point to the intended endpoint -->
        <form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
              method="GET" name="edit-other-profile"
-              action="/WebGoat/IDOR/profile"
+              action="/WebGoat/IDOR/profile/{userId}"
              enctype="application/json;charset=UTF-8">
            <script th:src="@{/lesson_js/idor.js}" />

--- a/webgoat-lessons/idor/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/idor/src/main/resources/i18n/WebGoatLabels.properties
@ -1,7 +1,24 @@
 idor.title=Insecure Direct Object References

-idor.hints.idor_login=Log in first
+idor.hints.idor_login=Log in first. User Name is tom, password is cat.

+idor.hints.idorDiffAttributes1=Make sure you have logged in on the previous step/page
+idor.hints.idorDiffAttributes2=View the response using developer tools or a proxy.
+idor.hints.idorDiffAttributes3=The attributes are not visible and have nothing to do with size, color or name
+
+idor.hints.ownProfileAltUrl1=Look at the previous request for profile, this is similar
+idor.hints.ownProfileAltUrl2=You will need data from the previous request for your own profile
+idor.hints.ownProfileAltUrl3=Append your id to the previous request (i.e. .../profile/{yourId})
+
+idor.hints.otherProfile1=The default request here won't work at all, so you will need to manually craft the request or tamper it with a proxy
+idor.hints.otherProfile2=You will likely need to 'fuzz' to try different values for the userId at the end of the Url
+idor.hints.otherProfile3=Try incrementing the id value. It's not a simple +1, but it's also not too far off
+idor.hints.otherProfile4=For editing the other user's profile, you will need to use the proxy or manually craft the request again
+idor.hints.otherProfile5=To edit the other user's profile, you will use the same Url you did to view the other user's profile
+idor.hints.otherProfile6=To edit, You will need to change the method, what is the RESTful method  used for 'update' or 'edit'?
+idor.hints.otherProfile7=You will also need the body of the request (will look something like the profile)
+idor.hints.otherProfile8=The request should go to ... /WebGoat/IDOR/profile/{Buffalo Bills Id}
+idor.hints.otherProfile9={\"role\" : 1,\"color\" : \"red\",\"size\" : \"small\",\"name\" : \"Tom Cat\",\"userId\" : \"2342388\"}

 idor.diff.attributes.missing=You did not list two attributes, comma delimited
 idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind