dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

insecure login lesson

Browse Source
This commit is contained in:
Michal Smolík 2017-06-02 16:30:19 +02:00 committed by Nanne Baars
parent 52a48df70c
commit 007cdaa0d8
10 changed files with 228 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
webgoat-lessons/insecure-login/pom.xml Executable file
View File

@ -0,0 +1,34 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>insecure-login</artifactId>
<packaging>jar</packaging>
<parent>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>webgoat-lessons-parent</artifactId>
<version>8.0-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>4.1.3.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
<type>jar</type>
<scope>test</scope>
</dependency>
</dependencies>
</project>

63
webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/plugin/InsecureLogin.java Executable file
View File

@ -0,0 +1,63 @@
package org.owasp.webgoat.plugin;
import com.beust.jcommander.internal.Lists;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.NewLesson;
import java.util.List;
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since October 12, 2016
*/
public class InsecureLogin extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.INSECURE_COMMUNICATION;
}
@Override
public List<String> getHints() {
return Lists.newArrayList();
}
@Override
public Integer getDefaultRanking() {
return 1;
}
@Override
public String getTitle() {
return "insecure-login.title";
}
@Override
public String getId() {
return "InsecureLogin";
}
}

59
webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/plugin/InsecureLoginTask.java Executable file
View File

@ -0,0 +1,59 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* *************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
* @created October 28, 2003
*/
@AssignmentPath("/InsecureLogin/task")
public class InsecureLoginTask extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public
@ResponseBody
AttackResult completed(@RequestParam String username, @RequestParam String password) throws IOException {
if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) {
return trackProgress(success().build());
}
return trackProgress(failed().build());
}
}

45
webgoat-lessons/insecure-login/src/main/resources/html/InsecureLogin.html Executable file
View File

@ -0,0 +1,45 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:InsecureLogin_Intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:InsecureLogin_Task.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<script th:src="@{/lesson_js/credentials.js}"
language="JavaScript"></script>
<form class="attack-form" accept-charset="UNKNOWN" name="task"
method="POST"
action="#attack/307/100"
enctype="application/json;charset=UTF-8">
<!---
<input type="hidden" value="" name="username" id="SecretUsername"/>
<input type="hidden" value="" name="password" id="SecretPassword"/>
<input type="button" value="Log in" onpress="submit_secret_credentials()"/>-->
<button onclick="submit_secret_credentials()">Log in</button>
</form>
<br></br>
<form class="attack-form" accept-charset="UNKNOWN" name="task"
method="POST"
action="/WebGoat/InsecureLogin/task"
enctype="application/json;charset=UTF-8">
<input type="text" value="" name="username" placeholder="username"/>
<input type="password" value="" name="password" placeholder="password" />
<input type="submit" value="Submit" />
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>

4
webgoat-lessons/insecure-login/src/main/resources/i18n/WebGoatLabels.properties Executable file
View File

@ -0,0 +1,4 @@
insecure-login.title=Insecure Login
insecure-login.intercept.success=Welcome, CaptainJack!
insecure-login.intercept.failure=Wrong username or password

6
webgoat-lessons/insecure-login/src/main/resources/js/credentials.js Executable file
View File

@ -0,0 +1,6 @@
function submit_secret_credentials() {
var xhttp = new XMLHttpRequest();
xhttp['open']('POST', '#attack/307/100', true);
//sending the request is obfuscated, to descourage js reading
var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
}

7
webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc Executable file
View File

@ -0,0 +1,7 @@
== Concept
Encryption is a very inportant tool for secure communication. In this lesson, we will find out, why it should always be employed when sending sensitive data.
== Goals
* The user should have a basic understanding of packet sniffer usage
* The user will be able to intercept and read an unencrypted requests

4
webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc Executable file
View File

@ -0,0 +1,4 @@
=== Let's try
Click the "log in" button to send a request containing login credentials of another user.
Then, write these credentials into the appropriate fields and submit to confirm.
Try using a packet sniffer to intercept the request.

1
webgoat-lessons/pom.xml
View File

@ -19,6 +19,7 @@
<module>cross-site-scripting</module> <module>cross-site-scripting</module>
<module>http-basics</module> <module>http-basics</module>
<module>http-proxies</module> <module>http-proxies</module>
<module>insecure-login</module>
<module>jwt</module> <module>jwt</module>
<module>sql-injection</module> <module>sql-injection</module>
<module>xxe</module> <module>xxe</module>

5
webgoat-server/pom.xml
View File

@ -116,6 +116,11 @@
<artifactId>idor</artifactId> <artifactId>idor</artifactId>
<version>${project.version}</version> <version>${project.version}</version>
</dependency> </dependency>
<dependency>
<groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>insecure-login</artifactId>
<version>${project.version}</version>
</dependency>
<dependency> <dependency>
<groupId>org.owasp.webgoat.lesson</groupId> <groupId>org.owasp.webgoat.lesson</groupId>
<artifactId>jwt</artifactId> <artifactId>jwt</artifactId>