Merge pull request #11 from WebGoat/WEB-139

Web 139
2014-09-16 18:20:10 -04:00 · 2014-09-16 18:20:10 -04:00 · 1a1a8bf6ee
commit 1a1a8bf6ee
parent 9708292ae5 8f2fc26aa1
8 changed files with 81 additions and 90 deletions
--- a/src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java
+++ b/src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java
@ -1,8 +1,14 @@
 package org.owasp.webgoat.lessons;
-import java.util.ArrayList;
+import java.util.ArrayList; 
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
 import java.util.Map.Entry;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@ -15,6 +21,7 @@ import org.apache.ecs.html.TD;
 import org.apache.ecs.html.TR;
 import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.WebSession;
@ -52,6 +59,38 @@ import org.owasp.webgoat.session.WebSession;
 public class PasswordStrength extends LessonAdapter
 {
    private Map<String, Password> passwords = new TreeMap<String, Password>() {{
        put("pass1", new Password("123456", "seconds", "0", "dictionary based, in top 10 most used passwords"));
        put("pass2", new Password("abzfezd", "seconds", "2", "26 chars on 7 positions, 8 billion possible combinations"));
        put("pass3", new Password("a9z1ezd", "seconds", "19", "26 + 10 chars on 7 positions = 78 billion possible combinations"));
        put("pass4", new Password("aB8fEzDq", "hours", "15", "26 + 26 + 10 chars on 8 positions = 218 trillion possible combinations"));
        put("pass5", new Password("z8!E?7D$", "days", "20", "96 chars on 8 positions = 66 quintillion possible combinations"));
        put("pass6", new Password("My1stPassword!:Redd", "quintillion years", "364", "96 chars on 19 positions = 46 undecillion possible combinations"));
    }};
    private class Password {
        String password;
        String timeUnit;
        String answer;
        private String explanation;
        public Password(String password, String timeUnit, String answer, String explanation) {
            this.password = password;
            this.timeUnit = timeUnit;
            this.answer = answer;
            this.explanation = explanation;
        }
    }
    private boolean checkSolution(WebSession s) throws ParameterNotFoundException {
        boolean allCorrect = true;
        for ( int i = 1; i <= passwords.size(); i++ ) {
            String key = "pass" + i;
            allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key).answer);
        }
        return allCorrect;
    }
    /**
     * Description of the Method
@ -66,87 +105,39 @@ public class PasswordStrength extends LessonAdapter
        try
        {
-            if (s.getParser().getStringParameter("pass1", "").equals("0")
+            if (checkSolution(s))
                    && s.getParser().getStringParameter("pass2", "").equals("1394")
                    && s.getParser().getStringParameter("pass3", "").equals("5")
                    && s.getParser().getStringParameter("pass4", "").equals("2")
                    && s.getParser().getStringParameter("pass5", "").equals("41"))
            {
                makeSuccess(s);
                ec.addElement(new BR());
                ec.addElement(new StringElement("As a guideline not bound to a single solution."));
                ec.addElement(new BR());
-                ec.addElement(new StringElement("Assuming the brute-force power of 1,000,000 hash/second: "));
+                ec.addElement(new StringElement("Assuming the calculations per second 4 billion: "));
                ec.addElement(new BR());
                OL ol = new OL();
-                ol.addElement(new LI("123456 - 0 seconds        (dictionary based, one of top 100)"));
+                for ( Password password : passwords.values()) {
-                ol.addElement(new LI("abzfez - up to 5 minutes  ( 26 chars on 6 positions = 26^6 seconds)"));
+                    ol.addElement(new LI(String.format("%s - %s %s (%s)", password.password, password.answer, password.timeUnit, password.explanation)));
-                ol.addElement(new LI("a9z1ez - up to 40 minutes ( 26+10 chars on 6 positions = 36^6 seconds)"));
+                }
                ol.addElement(new LI("aB8fEz - up to 16 hours   ( 26+26+10 chars on 6 positions = 62^6 seconds)"));
                ol.addElement(new LI("z8!E?7 - up to 50 days    ( 127 chars on 6 positions = 127^6 seconds)"));
                ec.addElement(ol);
            } else
            {
                ec.addElement(new StringElement("How much time you need for these passwords? "));
                ec.addElement(new BR());
                ec.addElement(new StringElement("How much time would a desktop PC take to crack these passwords?"));
                ec.addElement(new BR());
                ec.addElement(new BR());
                Table table = new Table();
-                table.addAttribute("align='center'", 0);
+                for ( Entry<String, Password> entry : passwords.entrySet()) {
-                TR tr1 = new TR();
+                    TR tr = new TR();
-                TD td1 = new TD();
+                    TD td1 = new TD();
-                TD td2 = new TD();
+                    TD td2 = new TD();
-                Input input1 = new Input(Input.TEXT, "pass1", "");
+                    Input input1 = new Input(Input.TEXT, entry.getKey(), "");
-                td1.addElement(new StringElement("Password = 123456"));
+                    td1.addElement(new StringElement("Password = " + entry.getValue().password));
-                td2.addElement(input1);
+                    td1.setWidth("50%");
-                td2.addElement(new StringElement("seconds"));
+                    td2.addElement(input1);
-                tr1.addElement(td1);
+                    td2.addElement(new StringElement("  " + entry.getValue().timeUnit));
-                tr1.addElement(td2);
+                    tr.addElement(td1);
-    
+                    tr.addElement(td2);
-                TR tr2 = new TR();
+                    table.addElement(tr);
-                TD td3 = new TD();
+                }
                TD td4 = new TD();
                Input input2 = new Input(Input.TEXT, "pass2", "");
                td3.addElement(new StringElement("Password = abzfez"));
                td4.addElement(input2);
                td4.addElement(new StringElement("seconds"));
                tr2.addElement(td3);
                tr2.addElement(td4);
                TR tr3 = new TR();
                TD td5 = new TD();
                TD td6 = new TD();
                Input input3 = new Input(Input.TEXT, "pass3", "");
                td5.addElement(new StringElement("Password = a9z1ez"));
                td6.addElement(input3);
                td6.addElement(new StringElement("hours"));
                tr3.addElement(td5);
                tr3.addElement(td6);
                TR tr4 = new TR();
                TD td7 = new TD();
                TD td8 = new TD();
                Input input4 = new Input(Input.TEXT, "pass4", "");
                td7.addElement(new StringElement("Password = aB8fEz"));
                td8.addElement(input4);
                td8.addElement(new StringElement("days"));
                tr4.addElement(td7);
                tr4.addElement(td8);
                TR tr5 = new TR();
                TD td9 = new TD();
                TD td10 = new TD();
                Input input5 = new Input(Input.TEXT, "pass5", "");
                td9.addElement(new StringElement("Password = z8!E?7"));
                td10.addElement(input5);
                td10.addElement(new StringElement("days"));
                tr5.addElement(td9);
                tr5.addElement(td10);
                table.addElement(tr1);
                table.addElement(tr2);
                table.addElement(tr3);
                table.addElement(tr4);
                table.addElement(tr5);
                ec.addElement(table);
                ec.addElement(new BR());
                ec.addElement(new BR());
@ -197,9 +188,9 @@ public class PasswordStrength extends LessonAdapter
    public String getInstructions(WebSession s)
    {
-        String instructions = "The Accounts of your Webapplication are only as save as the passwords. "
+        String instructions = "The accounts of your web application are only as save as the passwords. "
-                + "For this exercise, your job is to test several passwords on <a href=\"https://www.cnlab.ch/codecheck\" target=\"_blank\">https://www.cnlab.ch/codecheck</a>. "
+                + "For this exercise, your job is to test several passwords on <a href=\"https://howsecureismypassword.net\" target=\"_blank\">https://howsecureismypassword.net</a>. "
-                + " You must test all 5 passwords at the same time...<br>"
+                + " You must test all 6 passwords at the same time...<br>"
                + "<b> On your applications you should set good password requirements! </b>";
        return (instructions);
    }
--- a/src/main/webapp/lesson_plans/English/PasswordStrength.html
+++ b/src/main/webapp/lesson_plans/English/PasswordStrength.html
@ -3,8 +3,9 @@
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
-Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals, numbers and special characters. The longer the password, the better, consider using a passphrase instead. For 
 more information see: <a href="https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls" target="_blank">OWASP proper password strength</a>. 
 <!-- Stop Instructions -->
-<br>
+<br/><br/>
 <p><b>General Goal(s):</b> </p>
- For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>
--- a/src/main/webapp/lesson_plans/en/PasswordStrength.html
+++ b/src/main/webapp/lesson_plans/en/PasswordStrength.html
@ -3,8 +3,8 @@
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
-Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the sbetter.
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>
- For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>
--- a/src/main/webapp/lesson_plans/ru/PasswordStrength.html
+++ b/src/main/webapp/lesson_plans/ru/PasswordStrength.html
@ -10,4 +10,4 @@
 <!-- Stop Instructions -->
 <br>
 <p><b>Основные цели и задачи:</b> </p>
- Попробуйте проверить несколько используемых вами паролей на стойкость вот на этом сервисе - <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ Попробуйте проверить несколько используемых вами паролей на стойкость вот на этом сервисе - <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>
--- a/src/main/webapp/lesson_solutions/PasswordStrength_files/image001.jpg
+++ b/src/main/webapp/lesson_solutions/PasswordStrength_files/image001.jpg
--- a/src/main/webapp/lesson_solutions/PasswordStrength_files/image002.jpg
+++ b/src/main/webapp/lesson_solutions/PasswordStrength_files/image002.jpg
--- a/src/main/webapp/lesson_solutions/PasswordStrength_files/image003.jpg
+++ b/src/main/webapp/lesson_solutions/PasswordStrength_files/image003.jpg
--- a/src/main/webapp/lesson_solutions_1/PasswordStrength.html
+++ b/src/main/webapp/lesson_solutions_1/PasswordStrength.html
@ -14,25 +14,24 @@ Accounts are only as secure as there passwords. Most users have the same weak pa
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>
- For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>.
+ For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>.
 <br><br>
 <b>Solution:</b><br/>
-Open your browser on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>. Copy the first password in the field and click "Run the check".<br><br>
+Open your browser on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>. Copy the first password in the field and the page will automatically be updated.<br><br>
 <img src="lesson_solutions/PasswordStrength_files/image001.jpg"><br/>
-<font size="2"><b>Code checker</b></font><br/><br/><br/>
+<font size="2"><b>Password checker</b></font><br/><br/><br/>
 You will get a little pop-up. Choose "Yes, I want this word to be tested".<br><br>
 <img src="lesson_solutions/PasswordStrength_files/image002.jpg"><br/>
 <font size="2"><b>Pop-up</b></font><br/><br/><br/>
 You will get get the result of the check.<br><br>
-<img src="lesson_solutions/PasswordStrength_files/image003.jpg"><br/>
+<img src="lesson_solutions/PasswordStrength_files/image002.jpg"><br/>
 <font size="2"><b>The result</b></font><br/><br/><br/>
-Do this with all of the five given passwords.<br><br>
+Do this with all of the six given passwords.<br><br>
 Here are the results you get:<br><br>
 Password = 123456: <font color="#ff0000">0</font> seconds<br>
-Password = abzfez: <font color="#ff0000">1394</font> seconds<br>
+Password = abzfezd: <font color="#ff0000">2</font> seconds<br>
-Password = a9z1ez: <font color="#ff0000">5</font> hours<br>
+Password = a9z1ezd: <font color="#ff0000">19</font> seconds<br>
-Password = aB8fEz: <font color="#ff0000">2</font> days<br>
+Password = aB8fEzDq: <font color="#ff0000">15</font> hours<br>
-Password = z8!E?7: <font color="#ff0000">41</font> days<br>
+Password = z8!E?7: <font color="#ff0000">20</font> days<br>
 Password = My1stPassword!:Redd: <font color="#ff0000">364</font> quintillion years<br>
 <br><br><br>
 </body>
 </html>