| @ -45,11 +45,12 @@ import java.util.Map; | ||||
| @Path("IDOR/profile/{userId}") | ||||
| public class IDOREditOtherProfiile extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired UserSessionData userSessionData; | ||||
|     @Autowired | ||||
|     private UserSessionData userSessionData; | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.PUT, consumes = "application/json") | ||||
|     @PutMapping(consumes = "application/json") | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(@PathVariable("userId") String userId, @RequestParam UserProfile userSubmittedProfile) { | ||||
|     AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) { | ||||
|  | ||||
|         String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id"); | ||||
|         // this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization | ||||
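Review bot: The cast `(String) userSessionData.getValue("idor-authenticated-user-id")` yields null when the session has not been through the lesson's login step, and nothing in the hunk guards it before the comparison the trailing comment describes; `completed` continues past the hunk, so whether a later check exists cannot be seen here. Since the trailing comment says the missing ownership check is the lesson's deliberate IDOR, I would leave the authorization logic as is but guard the null and state the contract in a Javadoc, e.g. `/** Updates the profile named by the path userId; the lesson intentionally omits the check that authUserId matches userId. */`. As a point of style, `@Autowired` on a private field hides the dependency from callers and tests; constructor injection would make it explicit.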
|  | ||||
| @ -4,10 +4,7 @@ import org.owasp.webgoat.endpoints.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.lessons.AttackResult; | ||||
|  | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import javax.ws.rs.Path; | ||||
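Review bot: Replacing four explicit `org.springframework.web.bind.annotation` imports with the wildcard `import org.springframework.web.bind.annotation.*;` makes it harder to see which annotations this class relies on; explicit imports for the ones actually used (`PostMapping`, `RequestParam`, `ResponseBody`, and `RequestMapping` if it is still used elsewhere in the file) are preferable. The surviving `import javax.servlet.http.HttpServletRequest;` on the line above also looks unused now, because the rewritten `completed` later in this commit drops its `HttpServletRequest request` parameter; if nothing else in the file references it, remove the import, and likewise `java.io.IOException` if that import exists, since the `throws IOException` was removed as well. I cannot see the rest of the import block, so both removals need confirming against the full file.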
| @ -66,10 +63,8 @@ public class IDORLogin extends AssignmentEndpoint { | ||||
|  | ||||
|     } | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException { | ||||
|  | ||||
|     @PostMapping | ||||
|     public @ResponseBody AttackResult completed(@RequestParam String username, @RequestParam String password) { | ||||
|         initIDORInfo(); | ||||
|         UserSessionData userSessionData = getUserSessionData(); | ||||
|  | ||||
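Review bot: `public @ResponseBody AttackResult completed(...)` places the annotation between the access modifier and the return type, which is legal but reads awkwardly beside the `@PostMapping` on its own line directly above; the conventional layout is `@PostMapping`, `@ResponseBody`, then `public AttackResult completed(@RequestParam String username, @RequestParam String password)`, or `@RestController` on the class so the per-method `@ResponseBody` is unnecessary. The method also carries no Javadoc; a one-sentence summary naming what it reads from `getUserSessionData()` and what the returned `AttackResult` signals would help, since the body continues beyond this hunk and the session contract is not visible here. Dropping the unused `HttpServletRequest` parameter and the `throws IOException` clause is a welcome tightening of the signature.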
|  | ||||