lnln1111 / webgoat

Automatically exported from code.google.com/p/webgoat

Can't see other users message in CSRF lesson #30

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Download WebGoat-OWASP_Standard-5.2.zip from
http://sourceforge.net/projects/owasp/files/WebGoat/
2. unzip to /opt/
3. I add two new users in /opt/WebGoat-5.2/tomcat/conf/tomcat-users.xml
<user username="group-01" password="passwd1" roles="webgoat_user"/>
<user username="group-02" password="passwd2" roles="webgoat_user"/>
4. I do the webgoat.sh modification (Java version fix)
5. I start WebGoat (./webgoat.sh start80) without any errors or warnings
6. I log in to http://localhost/WebGoat/attack with group-01/passwd1 and press the Start button
7. I use another browser, log in with group-02/passwd2 and press the Start button
8. I go to "How to Perform Cross Site Request Forgery (CSRF)" and post a message
9. I switch to the first browser and go to the same lesson

But then I can't see the messages from group-01.

What is the expected output? What do you see instead?
It should show all other messages from users with names "group-" and
anything after it. When I click on show Java (CSRF.java) there is a comment
on lines 174-177:

```java
174              // edit by Chuck Willis - Added logic to associate similar usernames
175              // The idea is that users chuck-1, chuck-2, etc will see each other's messages
176              // but not anyone elses. This allows users to try out XSS to grab another user's
177              // cookies, but not get confused by other users scripts
```

What version of the product are you using? On what operating system?

WebGoat-OWASP_Standard-5.2.zip
Ubuntu 9.04

Please provide any additional information below.

This bug was posted on the mailing list.

It worked in older releases (5.0-rc1). 

The tomcat output looks normal except some errors dropping databases/tables after login:

```
Successful connection to database
Error dropping user database
Error dropping user_login table
Error dropping user admin database
Error dropping product database
Error dropping message database
Error: unable to drop employee table
Error: unable to drop roles
Error: unable to drop auth
Error: unable to drop ownership
Error dropping weather database
Error dropping user database
Error dropping tan database
Success: creating tables.
```

But I don't think that's the issue.

Original issue reported on code.google.com by Ozwo...@gmail.com on 14 Oct 2009 at 5:45

GoogleCodeExporter commented 9 years ago

Original comment by mayhe...@gmail.com on 24 Mar 2010 at 8:35

GoogleCodeExporter commented 9 years ago
The getConnection() function was set to be specific by username and was 
preventing messages being passed between users. The database now connects using 
just the nameroot for this lesson. This will be working as soon as the release 
goes online.

Original comment by X71...@gmail.com on 10 Aug 2011 at 8:33
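An added illustration of the root cause described in the comment above (example code, not WebGoat's own): a message store whose connection is keyed by the full username keeps group-01 and group-02 in separate databases, so neither sees the other's posts, while keying the connection by the name root lets them share one store. The name-root derivation (strip a trailing "-<digits>") and the SQLite-backed store are assumptions made for this example.

```python
import re
import sqlite3
from typing import Callable, Dict, List

# Assumption for this example: the "nameroot" of a username is the part before
# a trailing "-<digits>", so chuck-1 and chuck-2 share the root "chuck".
_ROOT_RE = re.compile(r"^(.*?)-\d+$")


def name_root(username: str) -> str:
    """'group-01' -> 'group'; a name without a numeric suffix is its own root."""
    m = _ROOT_RE.match(username)
    return m.group(1) if m else username


class MessageStore:
    """One in-memory SQLite database per key, mimicking a connection cache
    that is keyed either by the full username (the 5.2 bug) or by the root."""

    def __init__(self, key_fn: Callable[[str], str]) -> None:
        self._key_fn = key_fn
        self._dbs: Dict[str, sqlite3.Connection] = {}

    def _conn(self, username: str) -> sqlite3.Connection:
        key = self._key_fn(username)
        conn = self._dbs.get(key)
        if conn is None:
            conn = sqlite3.connect(":memory:")
            conn.execute("CREATE TABLE messages (user TEXT, title TEXT)")
            self._dbs[key] = conn
        return conn

    def post(self, username: str, title: str) -> None:
        self._conn(username).execute(
            "INSERT INTO messages VALUES (?, ?)", (username, title))

    def visible_to(self, username: str) -> List[str]:
        # Lesson rule from the issue: show posts from users whose name starts
        # with the same root; with a per-username database nothing else is there.
        rows = self._conn(username).execute(
            "SELECT user || ': ' || title FROM messages WHERE user LIKE ? ORDER BY rowid",
            (name_root(username) + "%",))
        return [r[0] for r in rows]


def demo():
    """Constructed scenario: group-02 posts, then group-01 views the lesson."""
    buggy = MessageStore(key_fn=lambda u: u)  # keyed by full username
    fixed = MessageStore(key_fn=name_root)    # keyed by name root
    for store in (buggy, fixed):
        store.post("group-02", "hello from group-02")
        store.post("other-1", "unrelated post")
    return buggy.visible_to("group-01"), fixed.visible_to("group-01")
```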

GoogleCodeExporter commented 9 years ago

Original comment by mayhe...@gmail.com on 23 Apr 2012 at 8:01