Added Assignment for Security Questions.

2018-12-17 00:14:34 +01:00 · 2018-12-17 00:14:34 +01:00 · 0588daff9d
commit 0588daff9d
parent 37b5abea80
4 changed files with 96 additions and 96 deletions
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignemnt.java
@ -1,52 +0,0 @@
 package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import java.util.HashMap;
 import java.util.Map;
 /**
 * Assignment for picking a good security question.
 * @author Tobias Melzer
 * @since 11.12.18
 */
@AssignmentPath("/PasswordReset/SecurityQuestions")
 public class SecurityQuestionAssignemnt extends AssignmentEndpoint {
  private static Map<String, String> questions;
  static {
    questions = new HashMap<>();
    questions.put("What is your favorite animal?", "Bad: Can easily be guessed and can most likely be figured out through social media.");
    questions.put("In what year was your mother born?", "Bad: Can  be easily guessed.");
    questions.put("What was the time you were born?", "Good: If you know the time you were born it is really good, because " +
            "it is hard to figure out through social media and the answer is not subject to change.");
    questions.put("What is the name of the person you first kissed?", "Fair: it is not a bad question, but friends and family may know and someone might figure it out through social media.");
    questions.put("What was the house number and street name you lived in as a child?", "Good: hard to guess and even close friends might not know the answer.");
    questions.put("In what town or city was your first full time job?", "Fair / Good: Might be easy to figure out if someone is on LinkedIn or posts a lot on social media");
    questions.put("In what city were you born?", "Fair: Might be hard to figure out for a person who does not know you, but not for a person that knows, did know you.");
    questions.put("What was the last name of your favorite teacher in grade three?", "Good/Fair: Most people would probably not know the answer to that, but if someone does its quite a good question.");
    questions.put("What is the name of a college/job you applied to but didn't attend?", "Good: Most people will probably no an answer to that and it is really hard to figure out, even for people close to you.");
    questions.put("What are the last 5 digits of your drivers license?", "Bad: Is subject to change, and the last digit of your driver license might follow a specific pattern. (For example your birthday.)");
    questions.put("What was your childhood nickname?", "Fair: if someone had a nickname they probably remember it, but not all people had one.");
    questions.put("Who was your childhood hero?", "Fair: If your childhood hero, was someone not obvious it can be quite good, but not everyone really had one and can remember it easily.");
    questions.put("On which wrist do you were your watch?", "Awful: Easy to guess.");
    questions.put("What is your favorite color?", "Bad: Can easily be guessed.");
  }
  @RequestMapping(method = RequestMethod.POST)
  public
  @ResponseBody
  AttackResult completed(@RequestParam String question) {
    String answer = questions.get(question);
    if(answer.startsWith("Good"))
      return success().output(answer).build();
    return failed().output(answer).build();
  }
 }
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SecurityQuestionAssignment.java
@ -0,0 +1,54 @@
 package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import java.util.HashMap;
 import java.util.Map;
 /**
 * Assignment for picking a good security question.
 * @author Tobias Melzer
 * @since 11.12.18
 */
@AssignmentPath("/PasswordReset/SecurityQuestions")
 public class SecurityQuestionAssignment extends AssignmentEndpoint {
  private static int triedQuestions = 0;
  private static Map<String, String> questions;
  static {
    questions = new HashMap<>();
    questions.put("What is your favorite animal?", "The answer can easily be guessed and figured out through social media.");
    questions.put("In what year was your mother born?", "Can  be easily guessed.");
    questions.put("What was the time you were born?", "This may first seem like a good question, but you most likely dont know the exact time, so it might be hard to remember.");
    questions.put("What is the name of the person you first kissed?", "Can be figured out through social media, or even guessed by trying the most common names.");
    questions.put("What was the house number and street name you lived in as a child?", "Answer can be figured out through social media, or worse it might be your current address.");
    questions.put("In what town or city was your first full time job?", "In times of LinkedIn and Facebook, the answer can be figured out quite easily.");
    questions.put("In what city were you born?", "Easy to figure out through social media.");
    questions.put("What was the last name of your favorite teacher in grade three?", "Most people would probably not know the answer to that.");
    questions.put("What is the name of a college/job you applied to but didn't attend?", "It might not be easy to remember and an hacker could just try some company's/colleges in your area.");
    questions.put("What are the last 5 digits of your drivers license?", "Is subject to change, and the last digit of your driver license might follow a specific pattern. (For example your birthday).");
    questions.put("What was your childhood nickname?", "Not all people had a nickname.");
    questions.put("Who was your childhood hero?", "Most Heroes we had as a child where quite obvious ones, like Superman for example.");
    questions.put("On which wrist do you were your watch?", "There are only to possible real answers, so really easy to guess.");
    questions.put("What is your favorite color?", "Can easily be guessed.");
  }
  @RequestMapping(method = RequestMethod.POST)
  public
  @ResponseBody
  AttackResult completed(@RequestParam String question) {
    triedQuestions+=1;
    String answer = questions.get(question);
    answer = "<b>" + answer + "</b>";
    if(triedQuestions > 1)
      return trackProgress(success().output(answer).build());
    return failed().output(answer).build();
  }
 }
--- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
+++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
@ -139,6 +139,37 @@
    </div>
 </div>
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:PasswordReset_SecurityQuestions.adoc"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
              action="/WebGoat/PasswordReset/SecurityQuestions"
              enctype="application/json;charset=UTF-8">
            <select name="question">
                <option>What is your favorite animal?</option>
                <option>In what year was your mother born?</option>
                <option>What was the time you were born?</option>
                <option>What is the name of the person you first kissed?</option>
                <option>What was the house number and street name you lived in as a child?</option>
                <option>In what town or city was your first full time job?</option>
                <option>In what city were you born?</option>
                <option>On which wrist do you were your watch?</option>
                <option>What was the last name of your favorite teacher in grade three?</option>
                <option>What is the name of a college/job you applied to but didn't attend?</option>
                <option>What are the last 5 digits of your drivers license?</option>
                <option>What was your childhood nickname?</option>
                <option>Who was your childhood hero?</option>
                <option>What is your favorite color?</option>
            </select>
            <input name="Check Question" value="check" type="SUBMIT"/>
        </form>
        <br/>
        <div class="attack-output"></div>
    </div>
 </div>
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:PasswordReset_host_header.adoc"></div>
    <div class="attack-container">
@ -235,36 +266,4 @@
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:PasswordReset_mitigation.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:PasswordReset_SecurityQuestions.adoc"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
              action="/WebGoat/PasswordReset/SecurityQuestions"
              enctype="application/json;charset=UTF-8">
            <select name="question">
                <option>What is your favorite animal?</option>
                <option>In what year was your mother born?</option>
                <option>What was the time you were born?</option>
                <option>What is the name of the person you first kissed?</option>
                <option>What was the house number and street name you lived in as a child?</option>
                <option>In what town or city was your first full time job?</option>
                <option>In what city were you born?</option>
                <option>On which wrist do you were your watch?</option>
                <option>What was the last name of your favorite teacher in grade three?</option>
                <option>What is the name of a college/job you applied to but didn't attend?</option>
                <option>What are the last 5 digits of your drivers license?</option>
                <option>What was your childhood nickname?</option>
                <option>Who was your childhood hero?</option>
                <option>What is your favorite color?</option>
            </select>
            <input name="Check Question" value="check" type="SUBMIT"/>
        </form>
        <br/>
        <div class="attack-feedback"></div>
        <div class="attack-output"></div>
    </div>
 </div>
 </html>
--- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
+++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
@ -1,17 +1,16 @@
-== Choosing a Security Question
+== The Problem with Security Questions
-We have already talked about Security questions a bit. A good security question should meet the following criteria:
+While Security Questions my at first seem like a good way for authentication of a user, they
 have some big problems.
- Safe: The answer should not be easy to research or guess.
+The "perfect" Security Question should be hard to crack, but easy to remember. Also the answer needs to fixed,
- Stable: The answer should be stable, meaning that it is not subject to change.
+so the answer must not be subject to change.
 - Memorable: The answer should be easy to remember.
 - Simple: The question should be: precise, easy and consistent.
 - Many: The question should have many possible answers.
-== Try It! Choosing a  good security question.
+There are only a handful of questions which satisfy these criteria and practically none which apply to anybody.
-In this assignment your goal is to good security question from the dropdown list below.
+If you have to pick a security question, we recommend not answering them truthfully.
 The Assignment is complete when you picked a security question which is considered good.
-Note: Some may say that one question is better than another, so this list is a bit subjective.
+To further elaborate on the matter, there is a small assignment for you: There is a list of some common security questions.
-      But you should not be having any problem differencing between the good and bad.
+if you choose one, it will show to you why the question you picked is not really as good as one may think.
 When you have looked at two questions the assignment will be marked as complete.