diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java
deleted file mode 100644
index 9a467e2cc..000000000
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java
+++ /dev/null
@@ -1,52 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * Assignment for picking a good security question.
- * @author Tobias Melzer
- * @since 11.12.18
- */
-@AssignmentPath("/PasswordReset/SecurityQuestions")
-public class SecurityQuestionAssignemnt extends AssignmentEndpoint {
-
- private static Map<String, String> questions;
-
- static {
- questions = new HashMap<>();
- questions.put("What is your favorite animal?", "Bad: Can easily be guessed and can most likely be figured out through social media.");
- questions.put("In what year was your mother born?", "Bad: Can be easily guessed.");
- questions.put("What was the time you were born?", "Good: If you know the time you were born it is really good, because " +
- "it is hard to figure out through social media and the answer is not subject to change.");
- questions.put("What is the name of the person you first kissed?", "Fair: it is not a bad question, but friends and family may know and someone might figure it out through social media.");
- questions.put("What was the house number and street name you lived in as a child?", "Good: hard to guess and even close friends might not know the answer.");
- questions.put("In what town or city was your first full time job?", "Fair / Good: Might be easy to figure out if someone is on LinkedIn or posts a lot on social media");
- questions.put("In what city were you born?", "Fair: Might be hard to figure out for a person who does not know you, but not for a person that knows, did know you.");
- questions.put("What was the last name of your favorite teacher in grade three?", "Good/Fair: Most people would probably not know the answer to that, but if someone does its quite a good question.");
- questions.put("What is the name of a college/job you applied to but didn't attend?", "Good: Most people will probably no an answer to that and it is really hard to figure out, even for people close to you.");
- questions.put("What are the last 5 digits of your drivers license?", "Bad: Is subject to change, and the last digit of your driver license might follow a specific pattern. (For example your birthday.)");
- questions.put("What was your childhood nickname?", "Fair: if someone had a nickname they probably remember it, but not all people had one.");
- questions.put("Who was your childhood hero?", "Fair: If your childhood hero, was someone not obvious it can be quite good, but not everyone really had one and can remember it easily.");
- questions.put("On which wrist do you were your watch?", "Awful: Easy to guess.");
- questions.put("What is your favorite color?", "Bad: Can easily be guessed.");
- }
- @RequestMapping(method = RequestMethod.POST)
- public
- @ResponseBody
- AttackResult completed(@RequestParam String question) {
- String answer = questions.get(question);
- if(answer.startsWith("Good"))
- return success().output(answer).build();
- return failed().output(answer).build();
- }
-}
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java
new file mode 100644
index 000000000..cc823f45a
--- /dev/null
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java
@@ -0,0 +1,54 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Assignment for picking a good security question.
+ * @author Tobias Melzer
+ * @since 11.12.18
+ */
+@AssignmentPath("/PasswordReset/SecurityQuestions")
+public class SecurityQuestionAssignment extends AssignmentEndpoint {
+
+ private static int triedQuestions = 0;
+
+ private static Map<String, String> questions;
+
+ static {
+ questions = new HashMap<>();
+ questions.put("What is your favorite animal?", "The answer can easily be guessed and figured out through social media.");
+ questions.put("In what year was your mother born?", "Can be easily guessed.");
+ questions.put("What was the time you were born?", "This may first seem like a good question, but you most likely dont know the exact time, so it might be hard to remember.");
+ questions.put("What is the name of the person you first kissed?", "Can be figured out through social media, or even guessed by trying the most common names.");
+ questions.put("What was the house number and street name you lived in as a child?", "Answer can be figured out through social media, or worse it might be your current address.");
+ questions.put("In what town or city was your first full time job?", "In times of LinkedIn and Facebook, the answer can be figured out quite easily.");
+ questions.put("In what city were you born?", "Easy to figure out through social media.");
+ questions.put("What was the last name of your favorite teacher in grade three?", "Most people would probably not know the answer to that.");
+ questions.put("What is the name of a college/job you applied to but didn't attend?", "It might not be easy to remember and an hacker could just try some company's/colleges in your area.");
+ questions.put("What are the last 5 digits of your drivers license?", "Is subject to change, and the last digit of your driver license might follow a specific pattern. (For example your birthday).");
+ questions.put("What was your childhood nickname?", "Not all people had a nickname.");
+ questions.put("Who was your childhood hero?", "Most Heroes we had as a child where quite obvious ones, like Superman for example.");
+ questions.put("On which wrist do you were your watch?", "There are only to possible real answers, so really easy to guess.");
+ questions.put("What is your favorite color?", "Can easily be guessed.");
+ }
+ @RequestMapping(method = RequestMethod.POST)
+ public
+ @ResponseBody
+ AttackResult completed(@RequestParam String question) {
+ triedQuestions+=1;
+ String answer = questions.get(question);
+ answer = "<b>" + answer + "</b>";
+ if(triedQuestions > 1)
+ return trackProgress(success().output(answer).build());
+ return failed().output(answer).build();
+ }
+}
diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
index 2d1e4be15..a0b34229e 100644
--- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
+++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
@@ -139,6 +139,37 @@
</div>
</div>
+<div class="lesson-page-wrapper">
+ <div class="adoc-content" th:replace="doc:PasswordReset_SecurityQuestions.adoc"></div>
+ <div class="attack-container">
+ <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+ <form class="attack-form" accept-charset="UNKNOWN"
+ method="POST" name="form"
+ action="/WebGoat/PasswordReset/SecurityQuestions"
+ enctype="application/json;charset=UTF-8">
+ <select name="question">
+ <option>What is your favorite animal?</option>
+ <option>In what year was your mother born?</option>
+ <option>What was the time you were born?</option>
+ <option>What is the name of the person you first kissed?</option>
+ <option>What was the house number and street name you lived in as a child?</option>
+ <option>In what town or city was your first full time job?</option>
+ <option>In what city were you born?</option>
+ <option>On which wrist do you were your watch?</option>
+ <option>What was the last name of your favorite teacher in grade three?</option>
+ <option>What is the name of a college/job you applied to but didn't attend?</option>
+ <option>What are the last 5 digits of your drivers license?</option>
+ <option>What was your childhood nickname?</option>
+ <option>Who was your childhood hero?</option>
+ <option>What is your favorite color?</option>
+ </select>
+ <input name="Check Question" value="check" type="SUBMIT"/>
+ </form>
+ <br/>
+ <div class="attack-output"></div>
+ </div>
+</div>
+
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:PasswordReset_host_header.adoc"></div>
<div class="attack-container">
@@ -235,36 +266,4 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:PasswordReset_mitigation.adoc"></div>
</div>
-
-<div class="lesson-page-wrapper">
- <div class="adoc-content" th:replace="doc:PasswordReset_SecurityQuestions.adoc"></div>
- <div class="attack-container">
- <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
- <form class="attack-form" accept-charset="UNKNOWN"
- method="POST" name="form"
- action="/WebGoat/PasswordReset/SecurityQuestions"
- enctype="application/json;charset=UTF-8">
- <select name="question">
- <option>What is your favorite animal?</option>
- <option>In what year was your mother born?</option>
- <option>What was the time you were born?</option>
- <option>What is the name of the person you first kissed?</option>
- <option>What was the house number and street name you lived in as a child?</option>
- <option>In what town or city was your first full time job?</option>
- <option>In what city were you born?</option>
- <option>On which wrist do you were your watch?</option>
- <option>What was the last name of your favorite teacher in grade three?</option>
- <option>What is the name of a college/job you applied to but didn't attend?</option>
- <option>What are the last 5 digits of your drivers license?</option>
- <option>What was your childhood nickname?</option>
- <option>Who was your childhood hero?</option>
- <option>What is your favorite color?</option>
- </select>
- <input name="Check Question" value="check" type="SUBMIT"/>
- </form>
- <br/>
- <div class="attack-feedback"></div>
- <div class="attack-output"></div>
- </div>
-</div>
</html>
\ No newline at end of file
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
index 2c6d4ef7c..29f4483dd 100644
--- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
+++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
@@ -1,17 +1,16 @@
-== Choosing a Security Question
+== The Problem with Security Questions
-We have already talked about Security questions a bit. A good security question should meet the following criteria:
+While Security Questions my at first seem like a good way for authentication of a user, they
+have some big problems.
-- Safe: The answer should not be easy to research or guess.
-- Stable: The answer should be stable, meaning that it is not subject to change.
-- Memorable: The answer should be easy to remember.
-- Simple: The question should be: precise, easy and consistent.
-- Many: The question should have many possible answers.
+The "perfect" Security Question should be hard to crack, but easy to remember. Also the answer needs to fixed,
+so the answer must not be subject to change.
-== Try It! Choosing a good security question.
+There are only a handful of questions which satisfy these criteria and practically none which apply to anybody.
-In this assignment your goal is to good security question from the dropdown list below.
-The Assignment is complete when you picked a security question which is considered good.
+If you have to pick a security question, we recommend not answering them truthfully.
-Note: Some may say that one question is better than another, so this list is a bit subjective.
- But you should not be having any problem differencing between the good and bad.
\ No newline at end of file
+To further elaborate on the matter, there is a small assignment for you: There is a list of some common security questions.
+if you choose one, it will show to you why the question you picked is not really as good as one may think.
+
+When you have looked at two questions the assignment will be marked as complete.
\ No newline at end of file