Added more hints to password reset 5 lesson. Recommended Burp as a proxy
committed by Nanne Baars
parent 8c7eaf87d6
commit 3d7974aa45
			| @ -29,7 +29,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; | |||||||
|  * @since 8/20/17. |  * @since 8/20/17. | ||||||
|  */ |  */ | ||||||
| @AssignmentPath("/PasswordReset/reset") | @AssignmentPath("/PasswordReset/reset") | ||||||
| @AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5"}) | @AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5", "password-reset-hint6"}) | ||||||
| public class ResetLinkAssignment extends AssignmentEndpoint { | public class ResetLinkAssignment extends AssignmentEndpoint { | ||||||
|  |  | ||||||
|     private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom"; |     private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom"; | ||||||
|  | |||||||
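Review bot: the new key `password-reset-hint6` in @AssignmentHints is resolved from the message bundle, and this commit adds the key to only one properties file (the next hunk); check that every other language bundle WebGoat loads for this lesson either gets the same key or falls back to the default file, so the sixth hint does not come up missing for those locales. The key name in the annotation must also match the properties entry character for character (`password-reset-hint6`), which it does here.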
| @ -13,9 +13,10 @@ password-reset-solved=Congratulations you solved the assignment, please type in | |||||||
| password-reset-not-solved=Sorry but you did not redirect the reset link to WebWolf | password-reset-not-solved=Sorry but you did not redirect the reset link to WebWolf | ||||||
|  |  | ||||||
| password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf. | password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf. | ||||||
| password-reset-hint2=Look at the link, can you think how the server creates this link? | password-reset-hint2=Look at the link, can you think of how the server creates this link? | ||||||
| password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link... | password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link... | ||||||
| password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090? | password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090? | ||||||
| password-reset-hint5=Intercept the request and change the host header | password-reset-hint5=Intercept the request and change the host header. | ||||||
|  | password-reset-hint6=For intercepting the request you have to use a proxy. Check the <a href="./start.mvc#lesson/HttpProxies.lesson" target="_blank">HTTP-Proxies Lesson</a> in the general category if you're unfamiliar with using proxies.<br/><span style="color: red;"><strong>Important:</strong> There seem to be problems when modifying the request header with <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project" target="_blank">ZAP</a>. We recommend to use <a href="https://portswigger.net/" target="_blank">Burp</a> instead.</span> | ||||||
| login_failed=Login failed | login_failed=Login failed | ||||||
| login_failed.tom=Sorry only Tom can login at the moment | login_failed.tom=Sorry only Tom can login at the moment | ||||||
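Review bot: both `target="_blank"` anchors in `password-reset-hint6` lack `rel="noopener noreferrer"`, so the opened page keeps a `window.opener` reference back to the WebGoat tab; add `rel="noopener noreferrer"` to the ZAP and Burp links. Separately, the value embeds presentation markup (`<br/>`, `<span style="color: red;">`, `<strong>`) in an i18n bundle, which every translation will have to copy verbatim; a CSS class on the hint container, or plain text, would keep the bundle to message text. The ZAP remark ("There seem to be problems when modifying the request header") should also name which header edit fails, so a reader can tell whether their ZAP version is affected.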
| @ -12,7 +12,7 @@ The time out is necessary to restrict the attack window, having a link opens up | |||||||
|  |  | ||||||
| == Assignment | == Assignment | ||||||
|  |  | ||||||
| Tom always resets his password immediately after receiving the email with the link. |  | ||||||
| Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with | Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with | ||||||
| that password. Note: it is not possible to use OWASP ZAP for this lesson. | that password. Note: it is not possible to use OWASP ZAP for this lesson. | ||||||
|  |  | ||||||
|  | Tom always resets his password immediately after receiving the email with the link. | ||||||
|  | |||||||
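Review bot: moving "Tom always resets his password immediately after receiving the email with the link." below the task statement reads fine, but "Note: it is not possible to use OWASP ZAP for this lesson." is left as an absolute statement while the new hint6 in the properties file only says there "seem to be problems" with ZAP and recommends Burp; align the two, for example "Note: OWASP ZAP has known problems changing the host header in this lesson; use Burp or another proxy instead."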