merging
@ -1,15 +1,14 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.ws.rs.Path;
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
@ -51,13 +50,13 @@ public class IDORDiffAttributes extends AssignmentEndpoint {
|
||||
attributes = attributes.trim();
|
||||
String[] diffAttribs = attributes.split(",");
|
||||
if (diffAttribs.length < 2) {
|
||||
return AttackResult.failed("You did not list two attributes, comma delimited");
|
||||
return trackProgress(failed().feedback("idor.diff.attributes.missing").build());
|
||||
}
|
||||
if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") ||
|
||||
diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
|
||||
return trackProgress(AttackResult.success("Correct, the two attributes not displayed are userId & role. Keep those in mind"));
|
||||
return trackProgress(success().feedback("idor.diff.success").build());
|
||||
} else {
|
||||
return trackProgress(AttackResult.failed("Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen."));
|
||||
return trackProgress(failed().feedback("idor.diff.failure").build());
|
||||
}
|
||||
}
|
||||
}
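Review bot: The answer check on the two `if` lines (`diffAttribs[0].toLowerCase().trim().equals("userid") ...`) lower-cases with the default locale, so under a Turkish-style locale the capital I in "userId" does not fold to "i" and a correct answer is rejected; use `toLowerCase(Locale.ROOT)`. Normalising each token once also removes the four repeated `.toLowerCase().trim()` chains and lets the `&&`/`||` grouping be parenthesised instead of relying on precedence: `String first = diffAttribs[0].trim().toLowerCase(Locale.ROOT);`, `String second = diffAttribs[1].trim().toLowerCase(Locale.ROOT);`, `if ((first.equals("userid") && second.equals("role")) || (first.equals("role") && second.equals("userid"))) {`. `java.util.Locale` is not among the imports shown in the first hunk and would need adding. The enclosing method starts outside the hunk.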
|
||||
|
@ -1,18 +1,12 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.ws.rs.Path;
|
||||
import java.io.IOException;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
@ -65,28 +59,42 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
|
||||
// we will persist in the session object for now in case we want to refer back or use it later
|
||||
userSessionData.setValue("idor-updated-other-profile",currentUserProfile);
|
||||
if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
|
||||
return trackProgress(AttackResult.success("Well done, you have modified someone else's profile (as displayed below)",currentUserProfile.profileToMap().toString()));
|
||||
return trackProgress(success()
|
||||
.feedback("idor.edit.profile.success1")
|
||||
.output(currentUserProfile.profileToMap().toString())
|
||||
.build());
|
||||
}
|
||||
|
||||
if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
|
||||
return trackProgress(AttackResult.success("Close ... you've got the technique. Now try for a lower role number)",currentUserProfile.profileToMap().toString()));
|
||||
return trackProgress(success()
|
||||
.feedback("idor.edit.profile.failure1")
|
||||
.output(currentUserProfile.profileToMap().toString())
|
||||
.build());
|
||||
}
|
||||
|
||||
if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
|
||||
return trackProgress(AttackResult.success("Close ... you've got the technique. Now change the color in their profile to red.)",currentUserProfile.profileToMap().toString()));
|
||||
return trackProgress(success()
|
||||
.feedback("idor.edit.profile.failure2")
|
||||
.output(currentUserProfile.profileToMap().toString())
|
||||
.build());
|
||||
}
|
||||
|
||||
// else
|
||||
return trackProgress(AttackResult.success("Try again. Use the hints if you need to.",currentUserProfile.profileToMap().toString()));
|
||||
|
||||
return trackProgress(failed().
|
||||
feedback("idor.edit.profile.failure3")
|
||||
.output(currentUserProfile.profileToMap().toString())
|
||||
.build());
|
||||
} else if (userSubmittedProfile.getUserId().equals(authUserId)) {
|
||||
return AttackResult.failed("Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.");
|
||||
return failed().feedback("idor.edit.profile.failure4").build();
|
||||
}
|
||||
|
||||
if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1 ) {
|
||||
return trackProgress(AttackResult.success("Good work! View the updated profile below",userSessionData.getValue("idor-updated-own-profile").toString()));
|
||||
return trackProgress(success()
|
||||
.feedback("idor.edit.profile.success2")
|
||||
.output(userSessionData.getValue("idor-updated-own-profile").toString())
|
||||
.build());
|
||||
} else {
|
||||
return trackProgress(AttackResult.failed("Please try again. Use the hints if need be."));
|
||||
return trackProgress(failed().feedback("idor.edit.profile.failure3").build());
|
||||
}
|
||||
|
||||
}
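Review bot: The partial-progress branches that start with `return trackProgress(success()` and continue with `.feedback("idor.edit.profile.failure1")` and `.feedback("idor.edit.profile.failure2")` build a success result for what their keys and texts ("Close ...") describe as a miss, so the assignment is presumably recorded as solved before both the role and colour conditions hold; if that is not intended they should use `failed()`, and if it is, the keys should not be named failure. The `else if` branch `return failed().feedback("idor.edit.profile.failure4").build();` is the only return in this hunk not wrapped in `trackProgress(...)`, which looks like an oversight next to every sibling branch. `return trackProgress(failed().` leaves the dot at the end of the line, unlike the other builder chains here; moving it to the start of the `.feedback(...)` line matches them. The enclosing method starts outside the hunk.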
|
||||
|
@ -1,16 +1,13 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentHints;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.ws.rs.Path;
|
||||
import java.io.IOException;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
@ -67,9 +64,8 @@ public class IDORLogin extends AssignmentEndpoint {
|
||||
}
|
||||
|
||||
@PostMapping
|
||||
public
|
||||
@ResponseBody
|
||||
AttackResult completed(@RequestParam String username, @RequestParam String password) {
|
||||
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
|
||||
initIDORInfo();
|
||||
UserSessionData userSessionData = getUserSessionData();
|
||||
|
||||
@ -77,12 +73,12 @@ public class IDORLogin extends AssignmentEndpoint {
|
||||
if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) {
|
||||
userSessionData.setValue("idor-authenticated-as", username);
|
||||
userSessionData.setValue("idor-authenticated-user-id", idorUserInfo.get(username).get("id"));
|
||||
return trackProgress(AttackResult.success("You are now logged in as " + username + ". Please proceed."));
|
||||
return trackProgress(success().feedback("idor.login.success").feedbackArgs(username).build());
|
||||
} else {
|
||||
return trackProgress(AttackResult.failed("credentials provided are not correct"));
|
||||
return trackProgress(failed().feedback("idor.login.failure").build());
|
||||
}
|
||||
} else {
|
||||
return trackProgress(AttackResult.failed("credentials provided are not correct"));
|
||||
return trackProgress(failed().feedback("idor.login.failure").build());
|
||||
}
|
||||
}
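Review bot: The two `else` branches that end in `return trackProgress(failed().feedback("idor.login.failure").build());` are identical, so the inner `if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password))` could be folded into its enclosing `if` (which starts outside the hunk) and a single failure return kept, instead of maintaining the same line twice. That condition looks up `idorUserInfo.get("tom")` while the next statements use `idorUserInfo.get(username)`; the two are equivalent only because of the `"tom".equals(username)` guard, so one spelling should be used throughout. `feedbackArgs(username)` echoes request input into the rendered feedback, which is safe here only because the branch has already pinned the value to the literal `"tom"`; a one-line comment stating that dependency would keep a later refactor from moving the call above the check.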
|
||||
|
||||
|
@ -1,10 +1,9 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.endpoints.Endpoint;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
@ -12,11 +11,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.ws.rs.Path;
|
||||
import java.io.IOException;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
@ -69,15 +64,15 @@ public class IDORViewOtherProfile extends AssignmentEndpoint{
|
||||
UserProfile requestedProfile = new UserProfile(userId);
|
||||
// secure code would ensure there was a horizontal access control check prior to dishing up the requested profile
|
||||
if (requestedProfile.getUserId().equals("2342388")){
|
||||
return trackProgress(AttackResult.success("Well done, you found someone else's profile",requestedProfile.profileToMap().toString()));
|
||||
return trackProgress(success().feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build());
|
||||
} else {
|
||||
return trackProgress((AttackResult.failed("You're on the right path, try a different id")));
|
||||
return trackProgress(failed().feedback("idor.view.profile.close1").build());
|
||||
}
|
||||
} else {
|
||||
return trackProgress((AttackResult.failed("Try again. You need to use the same method/URL you used to access your own profile via direct object reference.")));
|
||||
return trackProgress(failed().feedback("idor.view.profile.close2").build());
|
||||
}
|
||||
}
|
||||
return trackProgress((AttackResult.failed("Try again. ")));
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
|
||||
}
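Review bot: The fallthrough `return trackProgress(failed().build());` builds a failure with no `feedback(...)` key, so the learner now gets an empty message where the removed line returned "Try again. "; the same empty `failed().build()` appears at the end of ViewOtherUserProfile in this commit. Unless an empty failure is deliberate, give both a key, e.g. `return trackProgress(failed().feedback("idor.view.profile.failure").build());` with a matching entry in the lesson properties (the key name is a suggestion; the properties hunk defines none for this case). The enclosing method starts outside the hunk.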
|
||||
|
@ -1,7 +1,7 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
|
||||
import org.owasp.webgoat.endpoints.Endpoint;
|
||||
import org.owasp.webgoat.assignments.Endpoint;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
@ -12,12 +12,9 @@ import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
import com.google.common.collect.Lists;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Objects;
|
||||
|
||||
/**
|
||||
* ************************************************************************************************
|
||||
|
@ -1,10 +1,9 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.endpoints.Endpoint;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
@ -65,17 +64,17 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
|
||||
String[] urlParts = url.split("/");
|
||||
if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {
|
||||
UserProfile userProfile = new UserProfile(authUserId);
|
||||
return trackProgress(AttackResult.success("congratultions, you have used the alternate Url/route to view your own profile.",userProfile.profileToMap().toString()));
|
||||
return trackProgress(success().feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build());
|
||||
} else {
|
||||
return trackProgress(AttackResult.failed("please try again. The alternoute route is very similar to the previous way you viewed your profile. Only one difference really"));
|
||||
return trackProgress(failed().feedback("idor.view.own.profile.failure1").build());
|
||||
}
|
||||
|
||||
} else {
|
||||
return trackProgress(AttackResult.failed("You need to authenticate as tom first."));
|
||||
return trackProgress(failed().feedback("idor.view.own.profile.failure2").build());
|
||||
}
|
||||
} catch (Exception ex) {
|
||||
System.out.println(ex.getMessage());
|
||||
return AttackResult.failed("an error occurred with your request");
|
||||
return failed().feedback("an error occurred with your request").build();
|
||||
}
|
||||
}
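Review bot: `return failed().feedback("an error occurred with your request").build();` in the `catch` passes a literal sentence where every other call in this commit passes a properties key, and the properties hunk defines no such key, so the text is presumably resolved as a key and either fails lookup or is shown verbatim; add a key to the lesson properties and reference it here. The `catch (Exception ex)` it sits in also absorbs the `ArrayIndexOutOfBoundsException` that `urlParts[1]`..`urlParts[3]` raise for any URL with fewer than four segments, with `System.out.println(ex.getMessage())` as the only trace; a length guard `if (urlParts.length >= 4 && urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {` turns that into an ordinary failure, after which the catch can be narrowed and routed through a logger instead of stdout. The enclosing method and its `try` start outside the hunk.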
|
||||
|
||||
|
@ -1,9 +1,9 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.google.common.collect.Lists;
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
@ -13,7 +13,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.ws.rs.Path;
|
||||
import java.io.IOException;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
@ -43,7 +42,7 @@ public class ViewOtherUserProfile extends AssignmentEndpoint {
|
||||
|
||||
if (userSessionData.getValue("idor-authenticated-as") == null) {
|
||||
json.add(errorMap);
|
||||
return trackProgress(AttackResult.failed("You must authenticate first"));
|
||||
return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
|
||||
} else {
|
||||
if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
|
||||
System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
|
||||
@ -52,11 +51,11 @@ public class ViewOtherUserProfile extends AssignmentEndpoint {
|
||||
//secure code would check to make sure authUserId matches userId or some similar access control
|
||||
// ... and in this endpoint, we won't bother with that
|
||||
UserProfile userProfile = new UserProfile(userId);
|
||||
return trackProgress(AttackResult.failed("still working"));
|
||||
return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
|
||||
}
|
||||
}
|
||||
// else
|
||||
return trackProgress(AttackResult.failed("fall back"));
|
||||
return trackProgress(failed().build());
|
||||
}
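Review bot: `return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());` references a key whose value in this commit's properties hunk is `<<still working>>`, so that placeholder is what a learner sees; if the branch is unfinished, mark it with `// TODO: idor.view.other.profile.failure2 is placeholder text; replace before release` and give the key real text. On the line before it, `UserProfile userProfile = new UserProfile(userId);` is assigned and never read before the return, so unless the constructor has a side effect the local is dead and can be dropped. The enclosing method starts outside the hunk.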
|
||||
|
||||
|
||||
|
@ -1,3 +1,29 @@
|
||||
idor.title=Insecure Direct Object References
|
||||
|
||||
idor.hints.idor_login=Log in first
|
||||
|
||||
|
||||
idor.diff.attributes.missing=You did not list two attributes, comma delimited
|
||||
idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind
|
||||
idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen.
|
||||
|
||||
idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
|
||||
idor.edit.profile.success2=Good work! View the updated profile below
|
||||
idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
|
||||
idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.)
|
||||
idor.edit.profile.failure3=Try again. Use the hints if you need to.
|
||||
idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.
|
||||
|
||||
idor.login.success=You are now logged in as {0}. Please proceed.
|
||||
idor.login.failure=Credentials provided are not correct
|
||||
|
||||
idor.view.profile.success=Well done, you found someone else's profile
|
||||
idor.view.profile.close1=You're on the right path, try a different id
|
||||
idor.view.profile.close2=Try again. You need to use the same method/URL you used to access your own profile via direct object reference.
|
||||
|
||||
idor.view.own.profile.success=Congratulations, you have used the alternate Url/route to view your own profile.
|
||||
idor.view.own.profile.failure1=Please try again. The alternate route is very similar to the previous way you viewed your profile. Only one difference really
|
||||
idor.view.own.profile.failure2=You need to authenticate as tom first.
|
||||
|
||||
idor.view.other.profile.failure1=You must authenticate first
|
||||
idor.view.other.profile.failure2=<<still working>>
|