In CSRF-3 use POST instead of GET to prevent solving the assignment just by opening the URL in a new tab

This commit is contained in:
Matthias Grundmann 2019-07-12 17:25:05 +02:00
parent 27125acd22
commit 97f66545e0
No known key found for this signature in database
GPG Key ID: CF3BB4CEC9904593
2 changed files with 2 additions and 2 deletions


@ -27,7 +27,7 @@ public class CSRFGetFlag extends Endpoint {
@Autowired @Autowired
private PluginMessages pluginMessages; private PluginMessages pluginMessages;
@RequestMapping(produces = {"application/json"}, method = RequestMethod.GET) @RequestMapping(produces = {"application/json"}, method = RequestMethod.POST)
@ResponseBody @ResponseBody
public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
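Review bot: Switching the @RequestMapping to RequestMethod.POST only removes the open-in-a-new-tab shortcut; it is not a CSRF control, since a cross-site form can still submit a POST to this endpoint, which appears to be the lesson's purpose. Nothing in the hunk says so, and a later maintainer may read the verb change as a mitigation, so I would annotate the mapping: `// POST rather than GET so the flag cannot be obtained by simply navigating to the URL; this lesson endpoint deliberately performs no CSRF token or Origin check, so cross-site POSTs are still accepted.` Whether invoke() performs any such check cannot be seen here — its body continues outside the hunk — so confirm that before wording the comment this way. The mapping also carries no consumes restriction, so the lesson page's default urlencoded form POST is still accepted.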


@ -14,7 +14,7 @@
<div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div> <div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div>
<form accept-charset="UNKNOWN" id="basic-csrf-get" <form accept-charset="UNKNOWN" id="basic-csrf-get"
method="GET" name="form1" method="POST" name="form1"
target="_blank" target="_blank"
successCallback="" successCallback=""
action="/WebGoat/csrf/basic-get-flag" action="/WebGoat/csrf/basic-get-flag"
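Review bot: After the switch to `method="POST"` the form's `id="basic-csrf-get"` and the `action="/WebGoat/csrf/basic-get-flag"` path still describe a GET, which now misleads a reader about how the flag is requested. The action path must match the server mapping, so it should stay unless the controller path changes with it, but the id could be renamed if no lesson script references it — that cannot be confirmed from this hunk. The `<form` element opens at the start of the hunk and its closing `>` lies outside it. With no `enctype` set, the browser submits application/x-www-form-urlencoded, which the POST mapping on the Java side does not restrict.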