From bd56ff684761ae64ef658abbad77bbf53b4eed9a Mon Sep 17 00:00:00 2001
From: mcsaez2 <93601854+mcsaez2@users.noreply.github.com>
Date: Tue, 2 Nov 2021 16:44:38 -0400
Subject: [PATCH] Create 3031Test
---
 3031Test | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 3031Test
diff --git a/3031Test b/3031Test
new file mode 100644
index 0000000000..da39a8c5ff
--- /dev/null
+++ b/3031Test
@@ -0,0 +1,54 @@
+package org.owasp.webgoat;
+
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import lombok.Data;
+
+public class AccessControlTest extends IntegrationTest {
+
+ @Test
+ public void testLesson() {
+ startLesson("MissingFunctionAC");
+
+ Map params = new HashMap<>();
+ params.clear();
+ params.put("hiddenMenu1", "Users");
+ params.put("hiddenMenu2", "Config");
+
+
+ checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
+ String userHash =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .contentType(ContentType.JSON)
+ .get(url("/WebGoat/users"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .jsonPath()
+ .get("find { it.username == \"" + getWebgoatUser() + "\" }.userHash");
+
+ params.clear();
+ params.put("userHash", userHash);
+ checkAssignment(url("/WebGoat/access-control/user-hash"), params, true);
+
+
+ checkResults("/access-control");
+ }
+
+ @Data
+ public class Item {
+ private String username;
+ private boolean admin;
+ private String userHash;
+ }
+
+}
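Review bot: The new file is created at the repository root as `3031Test`, with no `.java` extension and no package directory, so a `public class AccessControlTest` in package `org.owasp.webgoat` cannot be compiled from it and the test will never run; it belongs at `src/test/java/org/owasp/webgoat/AccessControlTest.java` (path inferred from the package line — confirm against the project layout). `Map params = new HashMap<>();` is a raw type and the `params.clear()` that follows it on a freshly constructed map is a no-op; `Map<String, String> params = new HashMap<>();` fixes both. `Item` is declared but never referenced, and as a non-static inner class annotated `@Data` it carries a hidden reference to the enclosing test instance; either delete it together with the `lombok.Data` import or declare it `public static class Item`. `relaxedHTTPSValidation()` disables certificate verification for the request to `/WebGoat/users`, which is acceptable against a local WebGoat serving a self-signed certificate but deserves a comment such as `// self-signed cert on the local WebGoat instance — do not copy into production clients`.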