Improve uniqueness of menu item Id's #45

misfir3 · 2015-08-23T04:45:39Z

Would be better to operate ID-less and that may happen in a refactor of the MenuView later, but for now, need to improve uniqueness of menu item id's (e.g. we have two 'Stage 1: Stored XSS' lessons and the ID is made deterministically from the name (only) currently.

mayhew64 · 2015-08-23T12:24:08Z

We need to consider the ID-Less state and how that may or may not affect scanning tools.

span · 2015-10-21T17:03:14Z

I had a look at this and thought it should be possible to concatenate the lessonId with the stageId when generating the menu items. This would result in the stageId's looking like this for the given example:

LABDBCrossSiteScriptingXSS-Stage1StoredXSS
LABCrossSiteScripting-Stage1StoredXSS

Would that be sufficient for now? I could provide a commit and pull request if so.

misfir3 · 2015-10-22T14:27:21Z

Not everything has a stage, so that may be limited. Maybe better to prepend the category and/or use the ids (numerical) generated from the lessonMenu service. That's the short term. Longer term, I think I'd rather remove IDs out of the DOM on those menu items. That's a separate issue/effort though.

span · 2015-10-22T19:11:34Z

I completely agree on the long term. On the short term, I am still new to the code base of the application so I might have missed something obvious but here is my analysis of the possibilities at the moment.

The stage id's generated in LessonMenuService seems to not be unique for stages. The other possibly unique property is the link for a lesson. The link is a string consisting of some special chars and integers, for example #attack/152/900. Parsing this into a unique integer where what we really would like seems to be 152 and the prepend it somewhere seems messy to me.

There is also the cid on the category that could be used. It could be prepended to the lessonId and then concatenate the lessonId with the stageId. We need the lessonId since a category can have multiple stages with same "base id". The result would be something like this.

c88-Cross-SiteScriptingXSS
c88-LABDBCrossSiteScripting
c88-LABDBCrossSiteScripting-XSSStage1StoredXSS

I fint that prepending the category name that is used as the catId would make the id's very long although they would have good semantics.

Cross-SiteScriptingXSS
Cross-SiteScriptingXSS-LABDBCrossSiteScriptingXSS
Cross-SiteScriptingXSS-LABDBCrossSiteScriptingXSS-Stage1StoredXSS

I think I might be most fond of the catId - lessonId - stageId since it consistently uses what could be considered a parent id on the child.

The following commit uses simple concatenation to build the id's. If we do not like string building in this way a utility function could be created in GoatUtils instead with the delimiter defined as a constant or parameter.

…ebGoat#45

misfir3 · 2016-02-20T18:40:33Z

stale, closing

misfir3 added enhancement help wanted labels Aug 23, 2015

mayhew64 added the WebGoat-UI label Aug 23, 2015

span pushed a commit to span/WebGoat that referenced this issue Oct 22, 2015

Base menu id's on the parent id to get unique lesson and stage id's, W…

d24e10e

…ebGoat#45

misfir3 closed this as completed Feb 20, 2016

TortugaAttack pushed a commit to TortugaAttack/WebGoat that referenced this issue Aug 21, 2019

Fixed WebGoat#45 - multiple tracker for one user fixed

f0d1555

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve uniqueness of menu item Id's #45

Improve uniqueness of menu item Id's #45

misfir3 commented Aug 23, 2015

mayhew64 commented Aug 23, 2015

span commented Oct 21, 2015

misfir3 commented Oct 22, 2015

span commented Oct 22, 2015

misfir3 commented Feb 20, 2016

Improve uniqueness of menu item Id's #45

Improve uniqueness of menu item Id's #45

Comments

misfir3 commented Aug 23, 2015

mayhew64 commented Aug 23, 2015

span commented Oct 21, 2015

misfir3 commented Oct 22, 2015

span commented Oct 22, 2015

misfir3 commented Feb 20, 2016