Create IDOR lesson #304

- Fix put mapping
This commit is contained in:
Nanne Baars
2017-01-18 20:50:37 +01:00
parent 498c89c6c0
commit 6d727b98e3
2 changed files with 7 additions and 11 deletions


@ -45,11 +45,12 @@ import java.util.Map;
@Path("IDOR/profile/{userId}")
public class IDOREditOtherProfiile extends AssignmentEndpoint {
@Autowired UserSessionData userSessionData;
@Autowired
private UserSessionData userSessionData;
@RequestMapping(method = RequestMethod.PUT, consumes = "application/json")
@PutMapping(consumes = "application/json")
public @ResponseBody
AttackResult completed(@PathVariable("userId") String userId, @RequestParam UserProfile userSubmittedProfile) {
AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
// this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization
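Review bot: The cast in `String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");` yields null when the session does not yet hold that key (a client sending this PUT before the lesson's login step has run), so whatever comparison against `userId` follows in the rest of `completed` — the method body continues outside this hunk — should be null-safe, e.g. `Objects.equals(authUserId, userId)`, or the method should return a failure result early when `authUserId` is null. The switch to `@RequestBody` is consistent with `consumes = "application/json"` and is the binding a JSON body actually needs; the previous `@RequestParam UserProfile` would not have populated it. Since the trailing comment marks this as the deliberately vulnerable IDOR step, a short Javadoc on `completed` saying that the endpoint intentionally trusts the path `userId` for the lesson would keep a later maintainer from "fixing" it without also updating the assignment's expected outcome.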


@ -4,10 +4,7 @@ import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
@ -66,10 +63,8 @@ public class IDORLogin extends AssignmentEndpoint {
}
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody
AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
@PostMapping
public @ResponseBody AttackResult completed(@RequestParam String username, @RequestParam String password) {
initIDORInfo();
UserSessionData userSessionData = getUserSessionData();