add int test for acl
This commit is contained in:
René Zubcevic
Nanne Baars
parent
70771ee854
commit
f4838e1233
@ -0,0 +1,54 @@
|
||||
package org.owasp.webgoat;
|
||||
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import io.restassured.RestAssured;
|
||||
import io.restassured.http.ContentType;
|
||||
import lombok.Data;
|
||||
|
||||
public class AccessControlTest extends IntegrationTest {
|
||||
|
||||
@Test
|
||||
public void testLesson() {
|
||||
startLesson("MissingFunctionAC");
|
||||
|
||||
Map<String, Object> params = new HashMap<>();
|
||||
params.clear();
|
||||
params.put("hiddenMenu1", "Users");
|
||||
params.put("hiddenMenu2", "Config");
|
||||
|
||||
|
||||
checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
|
||||
String userHash =
|
||||
RestAssured.given()
|
||||
.when()
|
||||
.relaxedHTTPSValidation()
|
||||
.cookie("JSESSIONID", getWebGoatCookie())
|
||||
.contentType(ContentType.JSON)
|
||||
.get(url("/WebGoat/users"))
|
||||
.then()
|
||||
.statusCode(200)
|
||||
.extract()
|
||||
.jsonPath()
|
||||
.get("find { it.username == \"" + getWebgoatUser() + "\" }.userHash");
|
||||
|
||||
params.clear();
|
||||
params.put("userHash", userHash);
|
||||
checkAssignment(url("/WebGoat/access-control/user-hash"), params, true);
|
||||
|
||||
|
||||
checkResults("/access-control");
|
||||
}
|
||||
|
||||
@Data
|
||||
public class Item {
|
||||
private String username;
|
||||
private boolean admin;
|
||||
private String userHash;
|
||||
}
|
||||
|
||||
}
|
||||
@ -161,7 +161,7 @@
|
||||
action="/WebGoat/IDOR/profile/{userId}">
|
||||
<script th:src="@{/lesson_js/idor.js}" />
|
||||
|
||||
<input name="Edit Profile" value="Edit Profile" type="submit" />
|
||||
<input name="View Profile" value="View Profile" type="submit" />
|
||||
|
||||
</form>
|
||||
<!-- do not remove the two following div's, this is where your feedback/output will land -->
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user