XSS Lesson Modifications (#367)

* initial cut on XSS, need to add some tests still

* initial unit tests for assignment endpoints

* updating header comment license thingy

* comment, clean up

* Stubs for security unit test

* Additional Unit Testing

* isEncoded and isNotEncoded Unit Tests added

* http-proxies updates

* update for XXE solutions

* Work-around to handle special chars in action ... currently to be able to match {userId} in hint creation/assignment for IDOR

* IDOR hints updated

* mitigation content update

* mitigation content update ... 2

* Lesson Overview updates

* including restart lesson fix for lesson overview

webgoat-lessons/idor/src/main/resources/html/IDOR.html

@@ -138,7 +138,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN" id="view-other"
               method="GET" name="view-other-profile"
-              action="/WebGoat/IDOR/profile"
+              action="/WebGoat/IDOR/profile/{userId}"
               enctype="application/json;charset=UTF-8">
             <script th:src="@{/lesson_js/idor.js}" />
 
@@ -163,7 +163,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
               method="GET" name="edit-other-profile"
-              action="/WebGoat/IDOR/profile"
+              action="/WebGoat/IDOR/profile/{userId}"
               enctype="application/json;charset=UTF-8">
             <script th:src="@{/lesson_js/idor.js}" />
 

webgoat-lessons/idor/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,7 +1,24 @@
 idor.title=Insecure Direct Object References
 
-idor.hints.idor_login=Log in first
+idor.hints.idor_login=Log in first. User Name is tom, password is cat.
 
+idor.hints.idorDiffAttributes1=Make sure you have logged in on the previous step/page
+idor.hints.idorDiffAttributes2=View the response using developer tools or a proxy.
+idor.hints.idorDiffAttributes3=The attributes are not visible and have nothing to do with size, color or name
+
+idor.hints.ownProfileAltUrl1=Look at the previous request for profile, this is similar
+idor.hints.ownProfileAltUrl2=You will need data from the previous request for your own profile
+idor.hints.ownProfileAltUrl3=Append your id to the previous request (i.e. .../profile/{yourId})
+
+idor.hints.otherProfile1=The default request here won't work at all, so you will need to manually craft the request or tamper it with a proxy
+idor.hints.otherProfile2=You will likely need to 'fuzz' to try different values for the userId at the end of the Url
+idor.hints.otherProfile3=Try incrementing the id value. It's not a simple +1, but it's also not too far off
+idor.hints.otherProfile4=For editing the other user's profile, you will need to use the proxy or manually craft the request again
+idor.hints.otherProfile5=To edit the other user's profile, you will use the same Url you did to view the other user's profile
+idor.hints.otherProfile6=To edit, You will need to change the method, what is the RESTful method  used for 'update' or 'edit'?
+idor.hints.otherProfile7=You will also need the body of the request (will look something like the profile)
+idor.hints.otherProfile8=The request should go to ... /WebGoat/IDOR/profile/{Buffalo Bills Id}
+idor.hints.otherProfile9={\"role\" : 1,\"color\" : \"red\",\"size\" : \"small\",\"name\" : \"Tom Cat\",\"userId\" : \"2342388\"}
 
 idor.diff.attributes.missing=You did not list two attributes, comma delimited
 idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind

webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc

@@ -1,10 +1,58 @@
 == Secure Object References
 
+=== Start with the end in mind
+Do you have your access control documented? If you don't, how can you enforce it?  Access control is defined
+by the business logic that guides the application and/or privacy and other laws.
+
+==== Horizontal and Vertical Access Control
+Often times we think of access control in terms of 'roles' (user, power-user, admin, etc.).
+However, as noted in the previous exercises, users with the same 'role' can access each other's data. This is
+horizontal access control.  Both should be enforced.
+
+.Access Control Matrix Example
+|===
+|Endpoint | Method | Description | Roles, Access Rules | Notes, Caveats
+
+| /profile
+| GET
+| view user profile
+| Logged in User, can only view their own role
+| Admin roles must use diff Url to view others' profiles (see below)
+
+| /profile/{id}
+| GET
+| view user profile of a given user
+| Logged in User can view their own profile by {id}, admins can also view
+| n/a
+
+| /profile/{id}
+| PUT
+| edit user profile. profile object submitted from client with request
+| Logged in User can edit their own profile by {id}, admins can also edit.
+| Admin edit must be logged
+|===
+
+==== Audit Access
+As displayed in the above example, your access control rules should include provisions of what access is logged.
+For example, if a super-user or admin can edit other's profiles ... That is something that should be logged. Other
+examples would include detected violations or attempts to violate access control mechanisms.
+
 === Using Indrect References
-In some cases, using an indirect reference may help. This of course may make the application harder to trouble shoot and may also affect performance.
+Not many applications employ it, but you can use *indirect* refrences. In this case you can run your references across a hahsing,
+encoding or other function on the server so that the id that the client sees is not the actual reference
+which the server handles.  This will reduce efficiency some (a common trade-off for security) and is still subject to being
+guessed, brute-forced or reverse engineered.
 
-=== Access Controls
-Since the root of 'Insecure' of IDOR's s really in controlling access to the objects referenced, the key to making them secure is implementing vertical and horizontal access control.
+This approach should not be the only protection used. It can be used as an additional layer. Your server must
+implement the logic of mapping client (indirect) to server (direct) references.
 
-==== Knowing How Things Should be Secured
+=== Access Control & APIs
+Many time, APIs or RESTFul endpoints rely on obscurity , a static 'key', or lack of imagination on the user's part to control access.
+Good options such as digitally signed JSON Web Tokens (https://jwt.io) are a good option for API authentication & access control using a
+combination of the claims and a digital/cryptographic signature to validate the consumer.  Other emerging standards such as
+Secure Token Binding promise a 'cryptographic state' for web services in the request headers ...
+https://tools.ietf.org/html/draft-ietf-tokbind-protocol-10
 
+https://tools.ietf.org/html/draft-ietf-tokbind-negotiation-05
+
+https://tools.ietf.org/html/draft-ietf-tokbind-https-06