Create IDOR lesson #304

- Fix put mapping
2017-01-18 20:50:37 +01:00
parent 498c89c6c0
commit 6d727b98e3
2 changed files with 7 additions and 11 deletions
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
@ -45,11 +45,12 @@ import java.util.Map;
@Path("IDOR/profile/{userId}")
 public class IDOREditOtherProfiile extends AssignmentEndpoint {

-    @Autowired UserSessionData userSessionData;
+    @Autowired
+    private UserSessionData userSessionData;

-    @RequestMapping(method = RequestMethod.PUT, consumes = "application/json")
+    @PutMapping(consumes = "application/json")
    public @ResponseBody
-    AttackResult completed(@PathVariable("userId") String userId, @RequestParam UserProfile userSubmittedProfile) {
+    AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {

        String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
        // this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java
@ -4,10 +4,7 @@ import org.owasp.webgoat.endpoints.AssignmentEndpoint;
 import org.owasp.webgoat.lessons.AttackResult;

 import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;

 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Path;
@ -66,10 +63,8 @@ public class IDORLogin extends AssignmentEndpoint {

    }

-    @RequestMapping(method = RequestMethod.POST)
-    public @ResponseBody
-    AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
-
+    @PostMapping
+    public @ResponseBody AttackResult completed(@RequestParam String username, @RequestParam String password) {
        initIDORInfo();
        UserSessionData userSessionData = getUserSessionData();