diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java
index 51af860c8..0dbefd5c0 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java
@@ -12,8 +12,35 @@ import javax.ws.rs.Path;
 import java.io.IOException;
 /**
- * Created by jason on 1/5/17.
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author misfir3
+ * @version $Id: $Id
+ * @since January 3, 2017
 */
+
 @Path("IDOR/diff-attributes")
 public class IDORDiffAttributes extends AssignmentEndpoint {
@@ -23,7 +50,7 @@ public class IDORDiffAttributes extends AssignmentEndpoint {
 attributes = attributes.trim();
 String[] diffAttribs = attributes.split(",");
 if (diffAttribs.length < 2) {
- return AttackResult.failed("You did not list two attributes string delimited");
+ return AttackResult.failed("You did not list two attributes, comma delimited");
 }
 if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOwnProfiile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
similarity index 58%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOwnProfiile.java
rename to webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
index 64ee2b4aa..e63ef9de1 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOwnProfiile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
@@ -43,26 +43,42 @@ import java.util.Map;
 */
 @Path("IDOR/profile/{userId}")
-public class IDOREditOwnProfiile extends AssignmentEndpoint {
+public class IDOREditOtherProfiile extends AssignmentEndpoint {
 @Autowired
 UserSessionData userSessionData;
 @RequestMapping(method = RequestMethod.PUT, consumes = "application/json")
 public @ResponseBody
- AttackResult completed(@PathVariable("userId") String userId, @RequestParam UserProfile userSubmittedProfile, HttpServletRequest request) {
+ AttackResult completed(@PathVariable("userId") String userId, @RequestParam UserProfile userSubmittedProfile) {
 String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
- UserProfile currentUserProfile = new UserProfile(authUserId);
+ // this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization
+ // Certain roles can sometimes edit others' profiles, but we shouldn't just assume that and let everyone, right?
+ // Except that this is a vulnerable app ... so we will
+ UserProfile currentUserProfile = new UserProfile(userId);
 if (userSubmittedProfile.getUserId() != null && !userSubmittedProfile.getUserId().equals(authUserId)) {
- return AttackResult.failed("Don't worry, we'll get to modifying someone else's profile, just modify your own for now.");
- } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
- // this is commonly how vulnerable code will act ... updating w/out an authorization check
+ // let's get this started ...
 currentUserProfile.setColor(userSubmittedProfile.getColor());
 currentUserProfile.setRole(userSubmittedProfile.getRole());
- // we will persist in the session object for now
- userSessionData.setValue("idor-updated-own-profile",currentUserProfile);
+ // we will persist in the session object for now in case we want to refer back or use it later
+ userSessionData.setValue("idor-updated-other-profile",currentUserProfile);
+ if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
+ return trackProgress(AttackResult.success("Well done, you have modified someone else's profile (as displayed below)",currentUserProfile.profileToMap().toString()));
+ }
+ if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
+ return trackProgress(AttackResult.success("Close ... you've got the technique. Now try for a lower role number)",currentUserProfile.profileToMap().toString()));
+ }
+ if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
+ return trackProgress(AttackResult.success("Close ... you've got the technique. Now change the color in their profile to red.)",currentUserProfile.profileToMap().toString()));
+ }
+
+ // else
+ return trackProgress(AttackResult.success("Try again. Use the hints if you need to.",currentUserProfile.profileToMap().toString()));
+
+ } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
+ return AttackResult.failed("Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.");
 }
 if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1 ) {
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java
new file mode 100644
index 000000000..8e0f469e0
--- /dev/null
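Review bot: The new `} else if (userSubmittedProfile.getUserId().equals(authUserId))` branch near the end of the hunk dereferences the submitted userId without the null guard the first branch has, so a PUT body without a userId ends in a NullPointerException (an HTTP 500) instead of a lesson response; `} else if (authUserId != null && authUserId.equals(userSubmittedProfile.getUserId())) {` keeps the same outcome for every non-null case, and `"red".equalsIgnoreCase(currentUserProfile.getColor())` in the three new result checks likewise tolerates a missing color. Those three checks test role and color twice each; the fall-through "Try again" return is only reached when role > 1 and the color is not red, which is worth stating in place of the bare `// else`. The added success strings `"... lower role number)"` and `"... profile to red.)"` carry a stray closing parenthesis. completed() continues past the end of the hunk.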
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java
@@ -0,0 +1,82 @@
+package org.owasp.webgoat.plugin;
+
+
+import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.endpoints.Endpoint;
+import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.Path;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author misfir3
+ * @version $Id: $Id
+ * @since January 3, 2017
+ */
+
+@Path("IDOR/profile/{userId}")
+public class IDORViewOtherProfile extends AssignmentEndpoint{
+
+ @Autowired
+ UserSessionData userSessionData;
+
+ @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
+ @ResponseBody
+ public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
+ Map
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author misfir3
+ * @version $Id: $Id
+ * @since January 3, 2017
*/
+
public class IDORViewOwnProfile extends Endpoint{
@Autowired
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
index 72106141d..6edeca7c4 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
@@ -17,8 +17,35 @@ import java.util.HashMap;
import java.util.Map;
/**
- * Created by jason on 1/5/17.
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author misfir3
+ * @version $Id: $Id
+ * @since January 3, 2017
*/
+
@Path("IDOR/profile/alt-path")
public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
@@ -37,12 +64,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
String[] urlParts = url.split("/");
if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {
UserProfile userProfile = new UserProfile(authUserId);
- details.put("userId", userProfile.getUserId());
- details.put("name", userProfile.getName());
- details.put("color", userProfile.getColor());
- details.put("size", userProfile.getSize());
- details.put("role", userProfile.getRole());
- return trackProgress(AttackResult.success("congratultions, you have used the alternate Url/route to view your own profile.",details.toString()));
+ return trackProgress(AttackResult.success("congratultions, you have used the alternate Url/route to view your own profile.",userProfile.profileToMap().toString()));
} else {
return trackProgress(AttackResult.failed("please try again. The alternoute route is very similar to the previous way you viewed your profile. Only one difference really"));
}
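Review bot: The added return line keeps the misspelling `congratultions` in a user-facing message; since the line is being rewritten anyway, `"congratulations, you have used the alternate Url/route to view your own profile."` costs nothing. With the five `details.put` calls removed, the `details` map that this method presumably still declares above the hunk now looks unused and can go as well, unless code outside the hunk reads it. The enclosing method starts before the hunk.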
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/UserProfile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/UserProfile.java
index 1475a9b03..c145a9633 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/UserProfile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/UserProfile.java
@@ -1,5 +1,8 @@
package org.owasp.webgoat.plugin;
+import java.util.HashMap;
+import java.util.Map;
+
/**
* Created by jason on 1/5/17.
*/
@@ -10,12 +13,10 @@ public class UserProfile {
private String size;
private boolean isAdmin;
private int role;
- // anyting else?
public UserProfile() {}
public UserProfile(String id) {
- this.userId = id;
setProfileFromId(id);
}
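Review bot: Dropping `this.userId = id;` from the constructor means an id that matches neither hard-coded record leaves userId null: the next hunk in this file assigns userId only inside the two matched branches and its new `else { //not found }` branch does nothing, so `new UserProfile(unknownId)` yields a profile with every field null and role 0 that callers such as the edit endpoint go on to read and serialize. Either keep the assignment in the constructor so the object at least records the id it was asked for, or make the not-found case explicit in that else branch, e.g. `// not found: every field stays null/0; callers must check getUserId() != null before use`, rather than an empty body.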
@@ -23,21 +24,35 @@ public class UserProfile {
private void setProfileFromId(String id) {
// emulate look up from database
if (id.equals("2342384")) {
+ this.userId = id;
this.color = "yellow";
this.name = "Tom Cat";
this.size = "small";
this.isAdmin = false;
this.role = 3;
} else if (id.equals("2342388")) {
+ this.userId = id;
this.color = "brown";
this.name = "Buffalo Bill";
this.size = "large";
this.isAdmin = false;
this.role = 3;
+ } else {
+ //not found
}
}
+ public Map
";
return "userId" + this.userId + htmlBreak +
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfileEndpoint.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java
similarity index 92%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfileEndpoint.java
rename to webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java
index eb289b505..447e885eb 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfileEndpoint.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java
@@ -2,7 +2,6 @@ package org.owasp.webgoat.plugin;
import com.google.common.collect.Lists;
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.Endpoint;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.beans.factory.annotation.Autowired;
@@ -24,7 +23,7 @@ import java.util.Map;
*/
@Path("/IDOR/viewprofile/{id}")
-public class ViewOtherUserProfileEndpoint extends AssignmentEndpoint {
+public class ViewOtherUserProfile extends AssignmentEndpoint {
private String color;
private String size;
@@ -49,7 +48,8 @@ public class ViewOtherUserProfileEndpoint extends AssignmentEndpoint {
System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
//logged in
String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
- //secure code would check to make sure authUserId matches userId ... and in this endpoint, we won't bother with that
+ //secure code would check to make sure authUserId matches userId or some similar access control
+ // ... and in this endpoint, we won't bother with that
UserProfile userProfile = new UserProfile(userId);
return trackProgress(AttackResult.failed("still working"));
}
diff --git a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html b/webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html
index 86fc57c0b..0796396bc 100644
--- a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html
+++ b/webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html
@@ -131,7 +131,7 @@
-
+