added int test for IDOR and fixed green button issue (#801)

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java

@@ -31,7 +31,7 @@ import org.springframework.web.bind.annotation.*;
 @AssignmentHints({"idor.hints.idorDiffAttributes1", "idor.hints.idorDiffAttributes2", "idor.hints.idorDiffAttributes3"})
 public class IDORDiffAttributes extends AssignmentEndpoint {
 
-    @PostMapping("IDOR/diff-attributes")
+    @PostMapping("/IDOR/diff-attributes")
     @ResponseBody
     public AttackResult completed(@RequestParam String attributes) {
         attributes = attributes.trim();

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java

@@ -36,7 +36,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
     @Autowired
     private UserSessionData userSessionData;
 
-    @PutMapping(path = "IDOR/profile/{userId}", consumes = "application/json")
+    @PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json")
     @ResponseBody
     public AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
 

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java

@@ -43,7 +43,7 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
     @Autowired
     UserSessionData userSessionData;
 
-    @GetMapping(path = "IDOR/profile/{userId}", produces = {"application/json"})
+    @GetMapping(path = "/IDOR/profile/{userId}", produces = {"application/json"})
     @ResponseBody
     public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
         Map<String, Object> details = new HashMap<>();

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfile.java

@@ -39,7 +39,7 @@ public class IDORViewOwnProfile {
     @Autowired
     UserSessionData userSessionData;
 
-    @GetMapping(path = {"IDOR/own", "IDOR/profile"}, produces = {"application/json"})
+    @GetMapping(path = {"/IDOR/own", "/IDOR/profile"}, produces = {"application/json"})
     @ResponseBody
     public Map<String, Object> invoke() {
         Map<String,Object> details = new HashMap<>();

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfileAltUrl.java

@@ -37,7 +37,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
     @Autowired
     UserSessionData userSessionData;
 
-    @PostMapping("IDOR/profile/alt-path")
+    @PostMapping("/IDOR/profile/alt-path")
     @ResponseBody
     public AttackResult completed(@RequestParam String url) {
         try {

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/ViewOtherUserProfile.java

@@ -1,66 +0,0 @@
-//package org.owasp.webgoat.plugin;
-//
-//import com.google.common.collect.Lists;
-//import org.owasp.webgoat.assignments.AssignmentEndpoint;
-//import org.owasp.webgoat.assignments.AssignmentHints;
-//import org.owasp.webgoat.assignments.AssignmentPath;
-//import org.owasp.webgoat.assignments.AttackResult;
-//import org.owasp.webgoat.session.UserSessionData;
-//import org.springframework.beans.factory.annotation.Autowired;
-//import org.springframework.web.bind.annotation.PathVariable;
-//import org.springframework.web.bind.annotation.RequestMapping;
-//import org.springframework.web.bind.annotation.ResponseBody;
-//
-//import javax.servlet.ServletException;
-//import javax.servlet.http.HttpServletRequest;
-//import javax.servlet.http.HttpServletResponse;
-//import java.io.IOException;
-//import java.util.HashMap;
-//import java.util.List;
-//import java.util.Map;
-//
-///**
-// * Created by jason on 1/5/17.
-// */
-//
-//@AssignmentPath("/IDOR/viewprofile/{id}")
-//@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3"})
-//public class ViewOtherUserProfile extends AssignmentEndpoint {
-//
-//    private String color;
-//    private String size;
-//    private boolean isAdmin;
-//
-//    @Autowired
-//    UserSessionData userSessionData;
-//
-//    @RequestMapping(produces = {"application/json"})
-//    public @ResponseBody
-//    AttackResult completed(@PathVariable String userId, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-//        List json = Lists.newArrayList();
-//        // can be re-used
-//        Map<String, Object> errorMap = new HashMap();
-//        errorMap.put("error","not logged in, go back and log in first");
-//
-//        if (userSessionData.getValue("idor-authenticated-as") == null) {
-//            json.add(errorMap);
-//            return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
-//        } else {
-//            if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
-//                System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
-//                //logged in
-//                String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
-//                //secure code would check to make sure authUserId matches userId or some similar access control
-//                // ... and in this endpoint, we won't bother with that
-//                UserProfile userProfile = new UserProfile(userId);
-//                return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
-//            }
-//        }
-//        // else
-//        return trackProgress(failed().build());
-//    }
-//
-//
-//
-//
-//}

webgoat-lessons/idor/src/main/resources/html/IDOR.html

@@ -47,7 +47,7 @@
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
     <div class="adoc-content" th:replace="doc:IDOR_viewDiffs.adoc"></div>
-    <div class="attack-container">
+    <div class="nonattack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
         <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -124,7 +124,7 @@
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
     <div class="adoc-content" th:replace="doc:IDOR_viewOtherProfile.adoc"></div>
-    <div class="attack-container">
+    <div class="nonattack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
         <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -161,7 +161,7 @@
               action="/WebGoat/IDOR/profile/{userId}">
             <script th:src="@{/lesson_js/idor.js}" />
 
-            <input name="View Profile" value="View Profile" type="submit" />
+            <input name="Edit Profile" value="Edit Profile" type="submit" />
 
         </form>
         <!-- do not remove the two following div's, this is where your feedback/output will land -->