From 3bc2e57c9c197047c17bf2c4b52b5c6f3c91cb53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?=
Date: Sat, 26 Aug 2023 02:12:41 +0200
Subject: [PATCH] Fix NPE in IDOR lesson
---
 .../org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
index 61d7cce19..aa84614c2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
@@ -56,7 +56,8 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
 @ResponseBody
 public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
- if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
+ Object obj = userSessionData.getValue("idor-authenticated-as");
+ if (obj != null && obj.equals("tom")) {
 // going to use session auth to view this one
 String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
 if (userId != null && !userId.equals(authUserId)) {