IDOR hints updated
This commit is contained in:
parent
89e2fc109c
commit
296723508b
@ -1,6 +1,7 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
@ -42,6 +43,7 @@ import java.io.IOException;
|
||||
*/
|
||||
|
||||
@AssignmentPath("IDOR/diff-attributes")
|
||||
@AssignmentHints({"idor.hints.idorDiffAttributes1","idor.hints.idorDiffAttributes2","idor.hints.idorDiffAttributes3"})
|
||||
public class IDORDiffAttributes extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
|
@ -1,6 +1,7 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
@ -38,6 +39,7 @@ import org.springframework.web.bind.annotation.*;
|
||||
*/
|
||||
|
||||
@AssignmentPath("IDOR/profile/{userId}")
|
||||
@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
|
||||
public class IDOREditOtherProfiile extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
|
@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
|
||||
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
@ -46,6 +47,7 @@ import java.util.Map;
|
||||
*/
|
||||
|
||||
@AssignmentPath("IDOR/profile/{userId}")
|
||||
@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
|
||||
public class IDORViewOtherProfile extends AssignmentEndpoint{
|
||||
|
||||
@Autowired
|
||||
|
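Review bot: The `@AssignmentHints` line added to IDORViewOtherProfile lists all nine otherProfile hints, but otherProfile4 through otherProfile9, as added in this commit's properties file, describe editing the other user's profile, which is the task of IDOREditOtherProfiile rather than of this view endpoint. Showing them here reveals the next assignment's steps before the learner reaches it. For the view endpoint the list should probably stop at the viewing hints: `@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3"})`. The class body and its request mapping continue outside the hunk.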
@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
|
||||
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
@ -46,6 +47,7 @@ import java.util.Map;
|
||||
*/
|
||||
|
||||
@AssignmentPath("IDOR/profile/alt-path")
|
||||
@AssignmentHints({"idor.hints.ownProfileAltUrl1","idor.hints.ownProfileAltUrl2","idor.hints.ownProfileAltUrl3"})
|
||||
public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
|
||||
|
||||
@Autowired
|
||||
|
@ -1,64 +1,66 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* Created by jason on 1/5/17.
|
||||
*/
|
||||
|
||||
@AssignmentPath("/IDOR/viewprofile/{id}")
|
||||
public class ViewOtherUserProfile extends AssignmentEndpoint {
|
||||
|
||||
private String color;
|
||||
private String size;
|
||||
private boolean isAdmin;
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(produces = {"application/json"})
|
||||
public @ResponseBody
|
||||
AttackResult completed(@PathVariable String userId, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||||
List json = Lists.newArrayList();
|
||||
// can be re-used
|
||||
Map<String, Object> errorMap = new HashMap();
|
||||
errorMap.put("error","not logged in, go back and log in first");
|
||||
|
||||
if (userSessionData.getValue("idor-authenticated-as") == null) {
|
||||
json.add(errorMap);
|
||||
return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
|
||||
} else {
|
||||
if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
|
||||
System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
|
||||
//logged in
|
||||
String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
|
||||
//secure code would check to make sure authUserId matches userId or some similar access control
|
||||
// ... and in this endpoint, we won't bother with that
|
||||
UserProfile userProfile = new UserProfile(userId);
|
||||
return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
|
||||
}
|
||||
}
|
||||
// else
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
//package org.owasp.webgoat.plugin;
|
||||
//
|
||||
//import com.google.common.collect.Lists;
|
||||
//import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
//import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
//import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
//import org.owasp.webgoat.assignments.AttackResult;
|
||||
//import org.owasp.webgoat.session.UserSessionData;
|
||||
//import org.springframework.beans.factory.annotation.Autowired;
|
||||
//import org.springframework.web.bind.annotation.PathVariable;
|
||||
//import org.springframework.web.bind.annotation.RequestMapping;
|
||||
//import org.springframework.web.bind.annotation.ResponseBody;
|
||||
//
|
||||
//import javax.servlet.ServletException;
|
||||
//import javax.servlet.http.HttpServletRequest;
|
||||
//import javax.servlet.http.HttpServletResponse;
|
||||
//import java.io.IOException;
|
||||
//import java.util.HashMap;
|
||||
//import java.util.List;
|
||||
//import java.util.Map;
|
||||
//
|
||||
///**
|
||||
// * Created by jason on 1/5/17.
|
||||
// */
|
||||
//
|
||||
//@AssignmentPath("/IDOR/viewprofile/{id}")
|
||||
//@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3"})
|
||||
//public class ViewOtherUserProfile extends AssignmentEndpoint {
|
||||
//
|
||||
// private String color;
|
||||
// private String size;
|
||||
// private boolean isAdmin;
|
||||
//
|
||||
// @Autowired
|
||||
// UserSessionData userSessionData;
|
||||
//
|
||||
// @RequestMapping(produces = {"application/json"})
|
||||
// public @ResponseBody
|
||||
// AttackResult completed(@PathVariable String userId, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||||
// List json = Lists.newArrayList();
|
||||
// // can be re-used
|
||||
// Map<String, Object> errorMap = new HashMap();
|
||||
// errorMap.put("error","not logged in, go back and log in first");
|
||||
//
|
||||
// if (userSessionData.getValue("idor-authenticated-as") == null) {
|
||||
// json.add(errorMap);
|
||||
// return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
|
||||
// } else {
|
||||
// if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
|
||||
// System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
|
||||
// //logged in
|
||||
// String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
|
||||
// //secure code would check to make sure authUserId matches userId or some similar access control
|
||||
// // ... and in this endpoint, we won't bother with that
|
||||
// UserProfile userProfile = new UserProfile(userId);
|
||||
// return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
|
||||
// }
|
||||
// }
|
||||
// // else
|
||||
// return trackProgress(failed().build());
|
||||
// }
|
||||
//
|
||||
//
|
||||
//
|
||||
//
|
||||
//}
|
||||
|
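Review bot: The new side keeps the whole ViewOtherUserProfile class as commented-out code, from the package line to the closing brace, instead of removing the file, so the tree carries 66 lines of dead code including the `System.out.println("**** authenticated as " + ...)` debug output. The lesson appears to have moved this endpoint to IDORViewOtherProfile, and version control already preserves the old version, so deleting the file is the cleaner change. If it has to stay for now, a one-line header stating why, e.g. `// Superseded by IDORViewOtherProfile; kept for reference only, TODO remove`, would stop it from being uncommented by accident later.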
@ -138,7 +138,7 @@
|
||||
<!-- modify the action to point to the intended endpoint -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="view-other"
|
||||
method="GET" name="view-other-profile"
|
||||
action="/WebGoat/IDOR/profile"
|
||||
action="/WebGoat/IDOR/profile/{userId}"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<script th:src="@{/lesson_js/idor.js}" />
|
||||
|
||||
@ -163,7 +163,7 @@
|
||||
<!-- modify the action to point to the intended endpoint -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
|
||||
method="GET" name="edit-other-profile"
|
||||
action="/WebGoat/IDOR/profile"
|
||||
action="/WebGoat/IDOR/profile/{userId}"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<script th:src="@{/lesson_js/idor.js}" />
|
||||
|
||||
|
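Review bot: The new `action="/WebGoat/IDOR/profile/{userId}"` on the view-other form sends the literal text `{userId}` to the server, because nothing visible on the page substitutes a value for it; the edit-other form in the second hunk has the same issue. If this is deliberate, and hint otherProfile1 in this commit suggests the default request is expected not to work, a comment next to the action would keep a later maintainer from "fixing" it, e.g. `<!-- {userId} is intentionally left unresolved; the learner must supply the id themselves -->`. If it is not deliberate, the id would need to be filled in by idor.js (not visible here) before submit.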
@ -1,7 +1,24 @@
|
||||
idor.title=Insecure Direct Object References
|
||||
|
||||
idor.hints.idor_login=Log in first
|
||||
idor.hints.idor_login=Log in first. User Name is tom, password is cat.
|
||||
|
||||
idor.hints.idorDiffAttributes1=Make sure you have logged in on the previous step/page
|
||||
idor.hints.idorDiffAttributes2=View the response using developer tools or a proxy.
|
||||
idor.hints.idorDiffAttributes3=The attributes are not visible and have nothing to do with size, color or name
|
||||
|
||||
idor.hints.ownProfileAltUrl1=Look at the previous request for profile, this is similar
|
||||
idor.hints.ownProfileAltUrl2=You will need data from the previous request for your own profile
|
||||
idor.hints.ownProfileAltUrl3=Append your id to the previous request (i.e. .../profile/{yourId})
|
||||
|
||||
idor.hints.otherProfile1=The default request here won't work at all, so you will need to manually craft the request or tamper it with a proxy
|
||||
idor.hints.otherProfile2=You will likely need to 'fuzz' to try different values for the userId at the end of the Url
|
||||
idor.hints.otherProfile3=Try incrementing the id value. It's not a simple +1, but it's also not too far off
|
||||
idor.hints.otherProfile4=For editing the other user's profile, you will need to use the proxy or manually craft the request again
|
||||
idor.hints.otherProfile5=To edit the other user's profile, you will use the same Url you did to view the other user's profile
|
||||
idor.hints.otherProfile6=To edit, You will need to change the method, what is the RESTful method used for 'update' or 'edit'?
|
||||
idor.hints.otherProfile7=You will also need the body of the request (will look something like the profile)
|
||||
idor.hints.otherProfile8=The request should go to ... /WebGoat/IDOR/profile/{Buffalo Bills Id}
|
||||
idor.hints.otherProfile9={\"role\" : 1,\"color\" : \"red\",\"size\" : \"small\",\"name\" : \"Tom Cat\",\"userId\" : \"2342388\"}
|
||||
|
||||
idor.diff.attributes.missing=You did not list two attributes, comma delimited
|
||||
idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind
|
||||
|