From 3d7974aa455faa35a78083c807114013eb76eabf Mon Sep 17 00:00:00 2001 From: Benedikt - Desktop Date: Sun, 9 Dec 2018 16:43:17 +0100 Subject: [PATCH] Added more hints to password reset 5 lesson. Recommended Burp as a proxy --- .../java/org/owasp/webgoat/plugin/ResetLinkAssignment.java | 2 +- .../src/main/resources/i18n/WebGoatLabels.properties | 5 +++-- .../resources/lessonPlans/en/PasswordReset_host_header.adoc | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java index 39254d783..bced6b204 100644 --- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java @@ -29,7 +29,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; * @since 8/20/17. */ @AssignmentPath("/PasswordReset/reset") -@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5"}) +@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5", "password-reset-hint6"}) public class ResetLinkAssignment extends AssignmentEndpoint { private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom"; diff --git a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties index 063e1d3b5..ee58663a6 100644 --- a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties 
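Review bot: The `@AssignmentHints` array now hand-enumerates six message keys that must match entries in `i18n/WebGoatLabels.properties`, and nothing checks that correspondence at compile time, so a misspelled or missing key only surfaces when a learner asks for that hint. A one-line comment above the annotation would tell the next editor where the other half lives: `// Hint keys are resolved at runtime against i18n/WebGoatLabels.properties; keep both lists in sync.`. Since hints are revealed in order, `password-reset-hint6` (you need a proxy) is the prerequisite for `password-reset-hint5` (intercept and change the header) and would read more naturally placed before it, i.e. `..., "password-reset-hint4", "password-reset-hint6", "password-reset-hint5"})` — a pedagogy choice rather than a defect. The class body continues outside the hunk.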
@@ -13,9 +13,10 @@ password-reset-solved=Congratulations you solved the assignment, please type in
 password-reset-not-solved=Sorry but you did not redirect the reset link to WebWolf
 password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf.
-password-reset-hint2=Look at the link, can you think how the server creates this link?
+password-reset-hint2=Look at the link, can you think of how the server creates this link?
 password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
 password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090?
-password-reset-hint5=Intercept the request and change the host header
+password-reset-hint5=Intercept the request and change the host header.
+password-reset-hint6=For intercepting the request you have to use a proxy. Check the HTTP-Proxies Lesson in the general category if you're unfamiliar with using proxies.
Important: There seem to be problems when modifying the request header with ZAP. We recommend to use Burp instead.
 login_failed=Login failed
 login_failed.tom=Sorry only Tom can login at the moment
\ No newline at end of file
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
index e3601c000..22ca278b5 100644
--- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
+++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
@@ -12,7 +12,7 @@ The time out is necessary to restrict the attack window, having a link opens up
 == Assignment
-Tom always resets his password immediately after receiving the email with the link. Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with that password. Note: it is not possible to use OWASP ZAP for this lesson.
+Tom always resets his password immediately after receiving the email with the link.
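Review bot: The new `password-reset-hint6` tells learners a proxy is required and that ZAP cannot modify the header, and neither holds in general: a Host header can be set from any HTTP client (`curl -H "Host: localhost:9090" ...`), and the ZAP statement is undated and gives no symptom, so it will mislead as soon as ZAP changes (I cannot verify the ZAP behaviour from here). Since the lesson is about a server trusting the Host header, it is worth saying that explicitly instead of tying the hint to one tool. A wording that stays correct over time: `password-reset-hint6=The server builds the reset link from the Host header of your request. Intercept the request with a proxy (see the HTTP-Proxies lesson in the General category) or resend it yourself, e.g. curl -H "Host: localhost:9090" ... If editing the header does not work in your proxy, try another one such as Burp.`. Note that the lesson-plan hunk below removes the old "not possible to use OWASP ZAP" sentence, so keeping the claim alive only in this label file would be inconsistent.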