idor.title=Insecure Direct Object References
idor.hints.idor_login=Log in first. User Name is tom, password is cat.
idor.hints.idorDiffAttributes1=Make sure you have logged in on the previous step/page
idor.hints.idorDiffAttributes2=View the response using developer tools or a proxy.
idor.hints.idorDiffAttributes3=The attributes are not visible and have nothing to do with size, color or name
idor.hints.ownProfileAltUrl1=Look at the previous request for profile, this is similar
idor.hints.ownProfileAltUrl2=You will need data from the previous request for your own profile
idor.hints.ownProfileAltUrl3=Append your id to the previous request (i.e. .../profile/{yourId})
idor.hints.otherProfile1=The default request here won't work at all, so you will need to manually craft the request or tamper it with a proxy
idor.hints.otherProfile2=You will likely need to 'fuzz' to try different values for the userId at the end of the Url
idor.hints.otherProfile3=Try incrementing the id value. It's not a simple +1, but it's also not too far off
idor.hints.otherProfile4=For editing the other user's profile, you will need to use the proxy or manually craft the request again
idor.hints.otherProfile5=To edit the other user's profile, you will use the same Url you did to view the other user's profile
idor.hints.otherProfile6=To edit, you will need to change the method. What is the RESTful method used for 'update' or 'edit'?
idor.hints.otherProfile7=You will also need the body of the request (will look something like the profile)
idor.hints.otherProfile8=The request should go to ... /WebGoat/IDOR/profile/{Buffalo Bills Id}
idor.hints.otherProfile9=Your payload should look something like ... {\"role\" : 1,\"color\" : \"red\",\"size\" : \"small\",\"name\" : \"Tom Cat\",\"userId\" : \"2342388\"}
idor.diff.attributes.missing=You did not list two attributes, comma delimited
idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind
idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen.
idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
idor.edit.profile.success2=Good work! View the updated profile below
idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.
idor.edit.profile.failure3=Try again. Use the hints if you need to.
idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.
idor.login.success=You are now logged in as {0}. Please proceed.
idor.login.failure=Credentials provided are not correct
idor.view.profile.success=Well done, you found someone else's profile
idor.view.profile.close1=You're on the right path, try a different id
idor.view.profile.close2=Try again. You need to use the same method/URL you used to access your own profile via direct object reference.
idor.view.own.profile.success=Congratulations, you have used the alternate Url/route to view your own profile.
idor.view.own.profile.failure1=Please try again. The alternate route is very similar to the previous way you viewed your profile. Only one difference really
idor.view.own.profile.failure2=You need to authenticate as tom first.
idor.view.other.profile.failure1=You must authenticate first
idor.view.other.profile.failure2=<>