46 lines
3.4 KiB
INI
46 lines
3.4 KiB
INI
idor.title=Insecure Direct Object References
|
|
|
|
idor.hints.idor_login=Log in first. User Name is tom, password is cat.
|
|
|
|
idor.hints.idorDiffAttributes1=Make sure you have logged in on the previous step/page
|
|
idor.hints.idorDiffAttributes2=View the response using developer tools or a proxy.
|
|
idor.hints.idorDiffAttributes3=The attributes are not visible and have nothing to do with size, color or name
|
|
|
|
idor.hints.ownProfileAltUrl1=Look at the previous request for profile, this is similar
|
|
idor.hints.ownProfileAltUrl2=You will need data from the previous request for your own profile
|
|
idor.hints.ownProfileAltUrl3=Append your id to the previous request (i.e. .../profile/{yourId})
|
|
|
|
idor.hints.otherProfile1=The default request here won't work at all, so you will need to manually craft the request or tamper it with a proxy
|
|
idor.hints.otherProfile2=You will likely need to 'fuzz' to try different values for the userId at the end of the Url
|
|
idor.hints.otherProfile3=Try incrementing the id value. It's not a simple +1, but it's also not too far off
|
|
idor.hints.otherProfile4=For editing the other user's profile, you will need to use the proxy or manually craft the request again
|
|
idor.hints.otherProfile5=To edit the other user's profile, you will use the same Url you did to view the other user's profile
|
|
idor.hints.otherProfile6=To edit, You will need to change the method, what is the RESTful method used for 'update' or 'edit'?
|
|
idor.hints.otherProfile7=You will also need the body of the request (will look something like the profile)
|
|
idor.hints.otherProfile8=The request should go to ... /WebGoat/IDOR/profile/{Buffalo Bills Id}
|
|
idor.hints.otherProfile9=Your payload should look something like ... {\"role\" : 1,\"color\" : \"red\",\"size\" : \"small\",\"name\" : \"Tom Cat\",\"userId\" : \"2342388\"}
|
|
|
|
idor.diff.attributes.missing=You did not list two attributes, comma delimited
|
|
idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind
|
|
idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen.
|
|
|
|
idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
|
|
idor.edit.profile.success2=Good work! View the updated profile below
|
|
idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
|
|
idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.
|
|
idor.edit.profile.failure3=Try again. Use the hints if you need to.
|
|
idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.
|
|
|
|
idor.login.success=You are now logged in as {0}. Please proceed.
|
|
idor.login.failure=Credentials provided are not correct
|
|
|
|
idor.view.profile.success=Well done, you found someone else's profile
|
|
idor.view.profile.close1=You're on the right path, try a different id
|
|
idor.view.profile.close2=Try again. You need to use the same method/URL you used to access your own profile via direct object reference.
|
|
|
|
idor.view.own.profile.success=Congratulations, you have used the alternate Url/route to view your own profile.
|
|
idor.view.own.profile.failure1=Please try again. The alternate route is very similar to the previous way you viewed your profile. Only one difference really
|
|
idor.view.own.profile.failure2=You need to authenticate as tom first.
|
|
|
|
idor.view.other.profile.failure1=You must authenticate first
|
|
idor.view.other.profile.failure2=<<still working>> |