Create IDOR lesson #304

- Fix put mapping
This commit is contained in:
Nanne Baars
2017-01-18 20:50:37 +01:00
parent 498c89c6c0
commit 6d727b98e3
2 changed files with 7 additions and 11 deletions


@ -45,11 +45,12 @@ import java.util.Map;
@Path("IDOR/profile/{userId}") @Path("IDOR/profile/{userId}")
public class IDOREditOtherProfiile extends AssignmentEndpoint { public class IDOREditOtherProfiile extends AssignmentEndpoint {
@Autowired UserSessionData userSessionData; @Autowired
private UserSessionData userSessionData;
@RequestMapping(method = RequestMethod.PUT, consumes = "application/json") @PutMapping(consumes = "application/json")
public @ResponseBody public @ResponseBody
AttackResult completed(@PathVariable("userId") String userId, @RequestParam UserProfile userSubmittedProfile) { AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id"); String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
// this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization // this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization
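Review bot: `authUserId` on the `getValue("idor-authenticated-user-id")` line is cast and (per the comment that follows) compared against the path `userId` without a null check, so a PUT from a session that has not gone through the lesson's login step would fail with an unchecked exception instead of returning an AttackResult; a guard such as `if (authUserId == null) { return /* the lesson's failed AttackResult builder */; }` before the comparison keeps the intentionally vulnerable authorization logic intact while avoiding a 500. The switch to `@RequestBody UserProfile userSubmittedProfile` with `consumes = "application/json"` is the right binding for a JSON PUT, but a one-line comment such as `// profile comes from the JSON body; the session-bound user id is what the check below should use` would make the lesson's teaching point explicit next to the parameter. The class-level `@Path` looks like the JAX-RS annotation (the sibling file in this commit imports `javax.ws.rs.Path`); if so, Spring's `@PutMapping` does not inherit it, so it is worth confirming the custom handler mapping still registers this endpoint. The body of `completed` continues outside the hunk.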


@ -4,10 +4,7 @@ import org.owasp.webgoat.endpoints.AssignmentEndpoint;
import org.owasp.webgoat.lessons.AttackResult; import org.owasp.webgoat.lessons.AttackResult;
import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.UserSessionData;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.*;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path; import javax.ws.rs.Path;
@ -66,10 +63,8 @@ public class IDORLogin extends AssignmentEndpoint {
} }
@RequestMapping(method = RequestMethod.POST) @PostMapping
public @ResponseBody public @ResponseBody AttackResult completed(@RequestParam String username, @RequestParam String password) {
AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
initIDORInfo(); initIDORInfo();
UserSessionData userSessionData = getUserSessionData(); UserSessionData userSessionData = getUserSessionData();