#304 incremental addition for IDOR, still experiencing 400 with PUT method

2017-01-09 14:02:00 -05:00
parent fe4f568fc0
commit 4e9b30d7f6
11 changed files with 259 additions and 28 deletions
--- a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html
+++ b/webgoat-lessons/idor/src/main/resources/plugin/IDOR/html/IDOR.html
@ -131,7 +131,7 @@
    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:IDOR_eidtOwn.adoc"></div>
+    <div class="adoc-content" th:replace="doc:IDOR_viewOtherProfile.adoc"></div>
    <div class="attack-container">
        <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
        <div>
@ -140,13 +140,13 @@
            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->

            <!-- modify the action to point to the intended endpoint -->
-            <form class="attack-form" accept-charset="UNKNOWN"
-                  method="GET" name="form"
+            <form class="attack-form" accept-charset="UNKNOWN" id="view-other"
+                  method="GET" name="view-other-profile"
                  action="/WebGoat/IDOR/profile"
                  enctype="application/json;charset=UTF-8">
                <script th:src="@{/plugin_lessons/plugin/IDOR/js/idor.js}" />

-                <input name="View Profile" value="View Profile" type="button" onclick="onViewProfile();" />
+                <input name="View Profile" value="View Profile" type="submit" />

            </form>
        </div>
@ -155,6 +155,32 @@
        <div class="attack-output"></div>
        <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
    </div>
+
+    <div class="adoc-content" th:replace="doc:IDOR_editOtherProfile.adoc"></div>
+    <div class="attack-container">
+        <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+        <div>
+            <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+
+            <!-- modify the action to point to the intended endpoint -->
+            <form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
+                  method="GET" name="edit-other-profile"
+                  action="/WebGoat/IDOR/profile"
+                  enctype="application/json;charset=UTF-8">
+                <script th:src="@{/plugin_lessons/plugin/IDOR/js/idor.js}" />
+
+                <input name="View Profile" value="View Profile" type="submit" />
+
+            </form>
+        </div>
+        <!-- do not remove the two following div's, this is where your feedback/output will land -->
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+        <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+    </div>
+
 </div>

 <div class="lesson-page-wrapper">
--- a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_editOtherProfile.adoc
+++ b/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_editOtherProfile.adoc
@ -0,0 +1,8 @@
+==== Edit Another Profile
+
+Older apps may follow different patterns, but RESTful apps (which is what's going on here) often just change methods (and include a body or not)
+to perform different functions.
+
+Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile.
+Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change modify the
+user's color to 'red'.
--- a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_intro.adoc
+++ b/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_intro.adoc
@ -19,7 +19,8 @@ POST, PUT, DELETE or other methods are also potentially succeptible and mainly o

 == *Insecure* Direct Object References

-These are considered insecure when the reference is not properly handled and allows for authorization bypasses.
+These are considered insecure when the reference is not properly handled and allows for authorization bypasses or disclose private data that could be used to
+perform opreations or access data that the user should not be able to perform or access.
 Let's say that as a user, you go to view your profile and the URL looks something like:

 `https://some.company.tld/app/user/23398`
--- a/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_viewOtherProfile.adoc
+++ b/webgoat-lessons/idor/src/main/resources/plugin/IDOR/lessonPlans/en/IDOR_viewOtherProfile.adoc
@ -0,0 +1,7 @@
+=== Playing with the Patterns
+
+==== View Another Profile
+
+View someone else's profile by using the alternate path you already used to view your own profile. Use the 'View Profile' button
+and intercept/modify the request to view another profile. Alternatively, you may also just be able to use a manual GET request with
+your browser.