Have attacker rerun all requests, update xfail test

fuzz_lightyear/plugins/idor.py

@@ -34,13 +34,13 @@ def is_vulnerable(
         request_sequence: List[FuzzingRequest],
         response_sequence: List[Any],
     ) -> bool:
-        last_request = request_sequence[-1]
-        try:
-            last_request.send(
-                auth=get_abstraction().get_attacker_session(),  # type: ignore
-                should_log=False,
-            )
-
-            return True
-        except (HTTPError, SwaggerMappingError, ValidationError):
-            return False
+        for request in request_sequence:
+            try:
+                request.send(
+                    auth=get_abstraction().get_attacker_session(),  # type: ignore
+                    should_log=False,
+                )
+
+            except (HTTPError, SwaggerMappingError, ValidationError):
+                return False
+        return True

testing/vulnerable_app/views/sequence.py

@@ -61,25 +61,30 @@ def get(self):
         return number_query_parser.parse_args()['id']
 
 
-@ns.route('/side-effect/create')
+@ns.route('/side-effect/create/<int:id>')
 class CreateWithSideEffect(Resource):
     @api.doc(security='apikey')
     @api.response(200, 'Success', model=widget_model)
     @requires_user
-    def post(self, user):
-        user.has_created_resource = True
-        user.save()
+    def post(self, id, user):
 
         with database.connection() as session:
+            entry = session.query(Widget).filter(
+                Widget.id == id,
+            ).first()
+            if entry:
+                abort(500)
             entry = Widget()
+            entry.id = id
 
             session.add(entry)
             session.commit()
 
-            widget_id = entry.id
+        user.has_created_resource = True
+        user.save()
 
         return {
-            'id': widget_id,
+            'id': id,
         }