From 0588daff9dbe00be59a0821b22ac1d8a7cf0fd26 Mon Sep 17 00:00:00 2001
From: Tobias-Melzer
Date: Mon, 17 Dec 2018 00:14:34 +0100
Subject: [PATCH] Added Assignment for Security Questions.
---
 .../plugin/SecurityQuestionAssignemnt.java | 52 ---------------
 .../plugin/SecurityQuestionAssignment.java | 54 ++++++++++++++++
 .../main/resources/html/PasswordReset.html | 63 +++++++++----------
 .../en/PasswordReset_SecurityQuestions.adoc | 23 ++++---
 4 files changed, 96 insertions(+), 96 deletions(-)
 delete mode 100644 webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java
 create mode 100644 webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java
deleted file mode 100644
index 9a467e2cc..000000000
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java
+++ /dev/null
@@ -1,52 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * Assignment for picking a good security question.
- * @author Tobias Melzer
- * @since 11.12.18
- */
-@AssignmentPath("/PasswordReset/SecurityQuestions")
-public class SecurityQuestionAssignemnt extends AssignmentEndpoint {
-
- private static Map questions;
-
- static {
- questions = new HashMap<>();
- questions.put("What is your favorite animal?", "Bad: Can easily be guessed and can most likely be figured out through social media.");
- questions.put("In what year was your mother born?", "Bad: Can be easily guessed.");
- questions.put("What was the time you were born?", "Good: If you know the time you were born it is really good, because " +
- "it is hard to figure out through social media and the answer is not subject to change.");
- questions.put("What is the name of the person you first kissed?", "Fair: it is not a bad question, but friends and family may know and someone might figure it out through social media.");
- questions.put("What was the house number and street name you lived in as a child?", "Good: hard to guess and even close friends might not know the answer.");
- questions.put("In what town or city was your first full time job?", "Fair / Good: Might be easy to figure out if someone is on LinkedIn or posts a lot on social media");
- questions.put("In what city were you born?", "Fair: Might be hard to figure out for a person who does not know you, but not for a person that 
knows, did know you.");
- questions.put("What was the last name of your favorite teacher in grade three?", "Good/Fair: Most people would probably not know the answer to that, but if someone does its quite a good question.");
- questions.put("What is the name of a college/job you applied to but didn't attend?", "Good: Most people will probably no an answer to that and it is really hard to figure out, even for people close to you.");
- questions.put("What are the last 5 digits of your drivers license?", "Bad: Is subject to change, and the last digit of your driver license might follow a specific pattern. (For example your birthday.)");
- questions.put("What was your childhood nickname?", "Fair: if someone had a nickname they probably remember it, but not all people had one.");
- questions.put("Who was your childhood hero?", "Fair: If your childhood hero, was someone not obvious it can be quite good, but not everyone really had one and can remember it easily.");
- questions.put("On which wrist do you were your watch?", "Awful: Easy to guess.");
- questions.put("What is your favorite color?", "Bad: Can easily be guessed.");
- }
- @RequestMapping(method = RequestMethod.POST)
- public
- @ResponseBody
- AttackResult completed(@RequestParam String question) {
- String answer = questions.get(question);
- if(answer.startsWith("Good"))
- return success().output(answer).build();
- return failed().output(answer).build();
- }
-}
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java
new file mode 100644
index 000000000..cc823f45a
--- /dev/null
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java
@@ -0,0 +1,54 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Assignment for picking a good security question.
+ * @author Tobias Melzer
+ * @since 11.12.18
+ */
+@AssignmentPath("/PasswordReset/SecurityQuestions")
+public class SecurityQuestionAssignment extends AssignmentEndpoint {
+
+ private static int triedQuestions = 0;
+
+ private static Map questions;
+
+ static {
+ questions = new HashMap<>();
+ questions.put("What is your favorite animal?", "The answer can easily be guessed and figured out through social media.");
+ questions.put("In what year was your mother born?", "Can be easily guessed.");
+ questions.put("What was the time you were born?", "This may first seem like a good question, but you most likely dont know the exact time, so it might be hard to remember.");
+ questions.put("What is the name of the person you first kissed?", "Can be figured out through social media, or even guessed by trying the most common names.");
+ questions.put("What was the house number and street name you lived in as a child?", "Answer can be figured out through social media, or worse it might be your current address.");
+ questions.put("In what town or city was your first full time job?", "In times of LinkedIn and Facebook, the answer can be figured out quite easily.");
+ questions.put("In what city were you born?", "Easy to figure out through social media.");
+ questions.put("What was the last name of your favorite teacher in grade three?", "Most people would probably not know the answer to that.");
+ 
questions.put("What is the name of a college/job you applied to but didn't attend?", "It might not be easy to remember and an hacker could just try some company's/colleges in your area.");
+ questions.put("What are the last 5 digits of your drivers license?", "Is subject to change, and the last digit of your driver license might follow a specific pattern. (For example your birthday).");
+ questions.put("What was your childhood nickname?", "Not all people had a nickname.");
+ questions.put("Who was your childhood hero?", "Most Heroes we had as a child where quite obvious ones, like Superman for example.");
+ questions.put("On which wrist do you were your watch?", "There are only to possible real answers, so really easy to guess.");
+ questions.put("What is your favorite color?", "Can easily be guessed.");
+ }
+ @RequestMapping(method = RequestMethod.POST)
+ public
+ @ResponseBody
+ AttackResult completed(@RequestParam String question) {
+ triedQuestions+=1;
+ String answer = questions.get(question);
+ answer = "" + answer + "";
+ if(triedQuestions > 1)
+ return trackProgress(success().output(answer).build());
+ return failed().output(answer).build();
+ }
+}
diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
index 2d1e4be15..a0b34229e 100644
--- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
+++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
@@ -139,6 +139,37 @@
+
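Review bot: `triedQuestions` in the new `SecurityQuestionAssignment` is a `static int` on a singleton endpoint, so it is one counter shared by every user and every request thread: once any two submissions have arrived from anyone, every later request by any user passes `if(triedQuestions > 1)` and is marked complete, and the unsynchronized `triedQuestions+=1` is additionally racy. Lesson progress belongs in per-user state (a session- or user-scoped store rather than a static field) so that `trackProgress(...)` reflects the calling user's own attempts. In `completed`, `questions.get(question)` returns `null` when the submitted `question` is not one of the map keys; the following `answer = "" + answer + ""` (a no-op as rendered here — markup may have been lost in this view) turns that into the string `"null"`, and the unknown key still counts toward completion, so it should be rejected before the counter is touched. The map is also declared as a raw `Map` even though both keys and values are `String`; `Map<String, String>` removes the unchecked lookup.
```java
private static int triedQuestions = 0; // NOTE(review): static = shared by all users and threads; move to per-user state
private static Map<String, String> questions;
// … unchanged: static initializer filling questions …
AttackResult completed(@RequestParam String question) {
    String answer = questions.get(question);
    if (answer == null) {
        // unknown key: do not count it toward completion or echo "null"
        return failed().output("Unknown question").build();
    }
    triedQuestions += 1;
    // … unchanged: success after the second tried question, failed otherwise …
```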
+
+
+
+
+ + +
+
+
+
+
+
@@ -235,36 +266,4 @@
- -
-
-
-
-
- - -
-
-
-
-
-
-
\ No newline at end of file
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
index 2c6d4ef7c..29f4483dd 100644
--- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
+++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
@@ -1,17 +1,16 @@ -== Choosing a Security Question +== The Problem with Security Questions -We have already talked about Security questions a bit. A good security question should meet the following criteria: +While Security Questions my at first seem like a good way for authentication of a user, they +have some big problems. -- Safe: The answer should not be easy to research or guess. -- Stable: The answer should be stable, meaning that it is not subject to change. -- Memorable: The answer should be easy to remember. -- Simple: The question should be: precise, easy and consistent. -- Many: The question should have many possible answers. +The "perfect" Security Question should be hard to crack, but easy to remember. Also the answer needs to fixed, +so the answer must not be subject to change. -== Try It! Choosing a good security question. +There are only a handful of questions which satisfy these criteria and practically none which apply to anybody. -In this assignment your goal is to good security question from the dropdown list below. -The Assignment is complete when you picked a security question which is considered good. +If you have to pick a security question, we recommend not answering them truthfully. -Note: Some may say that one question is better than another, so this list is a bit subjective. - But you should not be having any problem differencing between the good and bad. \ No newline at end of file +To further elaborate on the matter, there is a small assignment for you: There is a list of some common security questions. +if you choose one, it will show to you why the question you picked is not really as good as one may think. + +When you have looked at two questions the assignment will be marked as complete. \ No newline at end of file