add int test for acl

2020-05-01 08:55:11 +02:00 · 2020-05-01 08:55:11 +02:00 · f4838e1233
commit f4838e1233
parent 70771ee854
2 changed files with 55 additions and 1 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
@ -0,0 +1,54 @@
 package org.owasp.webgoat;
 import java.util.HashMap;
 import java.util.Map;
 import org.junit.jupiter.api.Test;
 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
 import lombok.Data;
 public class AccessControlTest extends IntegrationTest {
 	@Test
    public void testLesson() {
    	startLesson("MissingFunctionAC");      
    	Map<String, Object> params = new HashMap<>();
        params.clear();
        params.put("hiddenMenu1", "Users");
        params.put("hiddenMenu2", "Config");
        checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
        String userHash = 
                RestAssured.given()
                        .when()
                        .relaxedHTTPSValidation()
                        .cookie("JSESSIONID", getWebGoatCookie())
                        .contentType(ContentType.JSON) 
                        .get(url("/WebGoat/users"))
                        .then()
                        .statusCode(200)
                        .extract()
                        .jsonPath()
                        .get("find { it.username == \"" + getWebgoatUser() + "\" }.userHash");
    	params.clear();
       	params.put("userHash", userHash);
        checkAssignment(url("/WebGoat/access-control/user-hash"), params, true);
        checkResults("/access-control");        
    }
 	@Data
    public class Item {
        private String username;
        private boolean admin;
        private String userHash;
    }
 }
--- a/webgoat-lessons/idor/src/main/resources/html/IDOR.html
+++ b/webgoat-lessons/idor/src/main/resources/html/IDOR.html
@ -161,7 +161,7 @@
              action="/WebGoat/IDOR/profile/{userId}">
            <script th:src="@{/lesson_js/idor.js}" />
-            <input name="Edit Profile" value="Edit Profile" type="submit" />
+            <input name="View Profile" value="View Profile" type="submit" />
        </form>
        <!-- do not remove the two following div's, this is where your feedback/output will land -->