polished feedback, implemented password warnings and suggestions

This commit is contained in:
PhilippeSteinbach
2018-12-06 21:30:44 +01:00
committed by Nanne Baars
parent 0bd14d9178
commit 2a26cc3cc7


@ -1,11 +1,11 @@
package org.owasp.webgoat.plugin; package org.owasp.webgoat.plugin;
import com.nulabinc.zxcvbn.Feedback;
import com.nulabinc.zxcvbn.Strength; import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn; import com.nulabinc.zxcvbn.Zxcvbn;
import org.jruby.RubyProcess; import org.jruby.RubyProcess;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
@ -22,12 +22,12 @@ import java.text.DecimalFormatSymbols;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import java.util.Locale; import java.util.Locale;
import java.util.ResourceBundle;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
@AssignmentPath("SecurePasswords/assignment") @AssignmentPath("SecurePasswords/assignment")
//@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
public class SecurePasswordsAssignment extends AssignmentEndpoint { public class SecurePasswordsAssignment extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST) @RequestMapping(method = RequestMethod.POST)
@ -42,15 +42,24 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
output.append("<b>Your Password: </b>" + password + "</br>"); output.append("<b>Your Password: </b>" + password + "</br>");
output.append("<b>Length: </b>" + password.length()+ "</br>"); output.append("<b>Length: </b>" + password.length()+ "</br>");
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses())+ "</br>"); output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses())+ "</br>");
output.append("<b>Score: </b>" + strength.getScore()+ "/5"); output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore()+ "/4 </div>");
if(strength.getScore()<=1){ if(strength.getScore()<=1){
output.append("<div style=\"background-color:red;width: 200px;\">&nbsp;</div></br>"); output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");
} else if(strength.getScore()<=3){ } else if(strength.getScore()<=3){
output.append("<div style=\"background-color:orange;width: 200px;\">&nbsp;</div></br>"); output.append("<div style=\"background-color:orange;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");
} else{ } else{
output.append("<div style=\"background-color:green;width: 200px;\">&nbsp;</div></br>"); output.append("<div style=\"background-color:green;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");
}
output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
if(strength.getFeedback().getWarning().length() != 0)
output.append("</br><b>Warning: </b>" + strength.getFeedback().getWarning());
// possible feedback: https://github.com/dropbox/zxcvbn/blob/master/src/feedback.coffee
// maybe ask user to try also weak passwords to see and understand feedback?
if(strength.getFeedback().getSuggestions().size() != 0){
output.append("</br><b>Suggestions:</b></br><ul>");
for(String sug: strength.getFeedback().getSuggestions()) output.append("<li>"+sug+"</li>");
output.append("</ul></br>");
} }
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
if(strength.getScore() >= 4) if(strength.getScore() >= 4)
return trackProgress(success().feedback("securepassword-success").output(output.toString()).build()); return trackProgress(success().feedback("securepassword-success").output(output.toString()).build());
@ -59,14 +68,18 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
} }
public static String calculateTime(long seconds) { public static String calculateTime(long seconds) {
int day = (int) TimeUnit.SECONDS.toDays(seconds); int s = 1;
int year = day/365; int min = (60*s);
day = day % 365; int hr = (60*min);
long hours = TimeUnit.SECONDS.toHours(seconds) - (day *24); int d = (24*hr);
long minute = TimeUnit.SECONDS.toMinutes(seconds) - (TimeUnit.SECONDS.toHours(seconds)* 60); int yr = (365*d);
long second = TimeUnit.SECONDS.toSeconds(seconds) - (TimeUnit.SECONDS.toMinutes(seconds) *60);
return (year + " years " + day + " days " + hours + " hours " + minute + " minutes " + second + " seconds"); long years = seconds/(d)/365;
long days = (seconds%yr)/(d);
long hours = (seconds%d)/(hr);
long minutes = (seconds%hr)/(min);
long sec = (seconds%min*s);
return (years + " years " + days + " days " + hours + " hours " + minutes + " minutes " + sec + " seconds");
} }
} }
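Review bot: The new `Warning:` line and the `<li>` loop in the third hunk append `strength.getFeedback().getWarning()` and each `sug` straight into the HTML response with no escaping, and the context line at the top of that hunk already reflects the raw `password` the same way. The feedback strings come from the zxcvbn library's message set, so they are presumably not attacker-controlled, but the response is assembled as one unescaped string and the submitted password is echoed verbatim, so escaping every interpolated value is the safer habit: `output.append("</br><b>Warning: </b>" + HtmlUtils.htmlEscape(strength.getFeedback().getWarning()));` and `output.append("<li>" + HtmlUtils.htmlEscape(sug) + "</li>");` (`org.springframework.web.util.HtmlUtils`, from the same spring-web artifact as `RequestMapping`). If `getWarning()` can return null in the no-warning case, the `.length() != 0` test would also throw, so a null-safe emptiness check is worth confirming against the library. The brace-less `if` and `for` bodies on those lines would be easier to review braced, and the enclosing request-handler method begins before this hunk.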