IDOR hints updated

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java

@@ -1,6 +1,7 @@
 package org.owasp.webgoat.plugin;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -42,6 +43,7 @@ import java.io.IOException;
  */
 
 @AssignmentPath("IDOR/diff-attributes")
+@AssignmentHints({"idor.hints.idorDiffAttributes1","idor.hints.idorDiffAttributes2","idor.hints.idorDiffAttributes3"})
 public class IDORDiffAttributes extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java

@@ -1,6 +1,7 @@
 package org.owasp.webgoat.plugin;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
@@ -38,6 +39,7 @@ import org.springframework.web.bind.annotation.*;
  */
 
 @AssignmentPath("IDOR/profile/{userId}")
+@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
 public class IDOREditOtherProfiile extends AssignmentEndpoint {
 
     @Autowired

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java

@@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
 
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
@@ -46,6 +47,7 @@ import java.util.Map;
  */
 
 @AssignmentPath("IDOR/profile/{userId}")
+@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
 public class IDORViewOtherProfile extends AssignmentEndpoint{
 
     @Autowired

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java

@@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
 
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
@@ -46,6 +47,7 @@ import java.util.Map;
  */
 
 @AssignmentPath("IDOR/profile/alt-path")
+@AssignmentHints({"idor.hints.ownProfileAltUrl1","idor.hints.ownProfileAltUrl2","idor.hints.ownProfileAltUrl3"})
 public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
 
     @Autowired

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java

@@ -1,64 +1,66 @@
-package org.owasp.webgoat.plugin;
+//package org.owasp.webgoat.plugin;
-
+//
-import com.google.common.collect.Lists;
+//import com.google.common.collect.Lists;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
+//import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
+//import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+//import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.session.UserSessionData;
+//import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.beans.factory.annotation.Autowired;
+//import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.web.bind.annotation.PathVariable;
+//import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.RequestMapping;
+//import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.ResponseBody;
+//import org.springframework.web.bind.annotation.RequestMapping;
-
+//import org.springframework.web.bind.annotation.ResponseBody;
-import javax.servlet.ServletException;
+//
-import javax.servlet.http.HttpServletRequest;
+//import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletResponse;
+//import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
+//import javax.servlet.http.HttpServletResponse;
-import java.util.HashMap;
+//import java.io.IOException;
-import java.util.List;
+//import java.util.HashMap;
-import java.util.Map;
+//import java.util.List;
-
+//import java.util.Map;
-/**
+//
- * Created by jason on 1/5/17.
+///**
- */
+// * Created by jason on 1/5/17.
-
+// */
-@AssignmentPath("/IDOR/viewprofile/{id}")
+//
-public class ViewOtherUserProfile extends AssignmentEndpoint {
+//@AssignmentPath("/IDOR/viewprofile/{id}")
-
+//@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3"})
-    private String color;
+//public class ViewOtherUserProfile extends AssignmentEndpoint {
-    private String size;
+//
-    private boolean isAdmin;
+//    private String color;
-
+//    private String size;
-    @Autowired
+//    private boolean isAdmin;
-    UserSessionData userSessionData;
+//
-
+//    @Autowired
-    @RequestMapping(produces = {"application/json"})
+//    UserSessionData userSessionData;
-    public @ResponseBody
+//
-    AttackResult completed(@PathVariable String userId, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+//    @RequestMapping(produces = {"application/json"})
-        List json = Lists.newArrayList();
+//    public @ResponseBody
-        // can be re-used
+//    AttackResult completed(@PathVariable String userId, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        Map<String, Object> errorMap = new HashMap();
+//        List json = Lists.newArrayList();
-        errorMap.put("error","not logged in, go back and log in first");
+//        // can be re-used
-
+//        Map<String, Object> errorMap = new HashMap();
-        if (userSessionData.getValue("idor-authenticated-as") == null) {
+//        errorMap.put("error","not logged in, go back and log in first");
-            json.add(errorMap);
+//
-            return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
+//        if (userSessionData.getValue("idor-authenticated-as") == null) {
-        } else {
+//            json.add(errorMap);
-            if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
+//            return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
-                System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
+//        } else {
-                //logged in
+//            if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
-                String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
+//                System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
-                //secure code would check to make sure authUserId matches userId or some similar access control
+//                //logged in
-                // ... and in this endpoint, we won't bother with that
+//                String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
-                UserProfile userProfile = new UserProfile(userId);
+//                //secure code would check to make sure authUserId matches userId or some similar access control
-                return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
+//                // ... and in this endpoint, we won't bother with that
-            }
+//                UserProfile userProfile = new UserProfile(userId);
-        }
+//                return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
-        // else
+//            }
-        return trackProgress(failed().build());
+//        }
-    }
+//        // else
-
+//        return trackProgress(failed().build());
-
+//    }
-
+//
-
+//
-}
+//
+//
+//}

webgoat-lessons/idor/src/main/resources/html/IDOR.html

@@ -138,7 +138,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN" id="view-other"
               method="GET" name="view-other-profile"
-              action="/WebGoat/IDOR/profile"
+              action="/WebGoat/IDOR/profile/{userId}"
               enctype="application/json;charset=UTF-8">
             <script th:src="@{/lesson_js/idor.js}" />
 
@@ -163,7 +163,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
               method="GET" name="edit-other-profile"
-              action="/WebGoat/IDOR/profile"
+              action="/WebGoat/IDOR/profile/{userId}"
               enctype="application/json;charset=UTF-8">
             <script th:src="@{/lesson_js/idor.js}" />
 

webgoat-lessons/idor/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,7 +1,24 @@
 idor.title=Insecure Direct Object References
 
-idor.hints.idor_login=Log in first
+idor.hints.idor_login=Log in first. User Name is tom, password is cat.
 
+idor.hints.idorDiffAttributes1=Make sure you have logged in on the previous step/page
+idor.hints.idorDiffAttributes2=View the response using developer tools or a proxy.
+idor.hints.idorDiffAttributes3=The attributes are not visible and have nothing to do with size, color or name
+
+idor.hints.ownProfileAltUrl1=Look at the previous request for profile, this is similar
+idor.hints.ownProfileAltUrl2=You will need data from the previous request for your own profile
+idor.hints.ownProfileAltUrl3=Append your id to the previous request (i.e. .../profile/{yourId})
+
+idor.hints.otherProfile1=The default request here won't work at all, so you will need to manually craft the request or tamper it with a proxy
+idor.hints.otherProfile2=You will likely need to 'fuzz' to try different values for the userId at the end of the Url
+idor.hints.otherProfile3=Try incrementing the id value. It's not a simple +1, but it's also not too far off
+idor.hints.otherProfile4=For editing the other user's profile, you will need to use the proxy or manually craft the request again
+idor.hints.otherProfile5=To edit the other user's profile, you will use the same Url you did to view the other user's profile
+idor.hints.otherProfile6=To edit, You will need to change the method, what is the RESTful method  used for 'update' or 'edit'?
+idor.hints.otherProfile7=You will also need the body of the request (will look something like the profile)
+idor.hints.otherProfile8=The request should go to ... /WebGoat/IDOR/profile/{Buffalo Bills Id}
+idor.hints.otherProfile9={\"role\" : 1,\"color\" : \"red\",\"size\" : \"small\",\"name\" : \"Tom Cat\",\"userId\" : \"2342388\"}
 
 idor.diff.attributes.missing=You did not list two attributes, comma delimited
 idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind