Added more hints to password reset 5 lesson. Recommended Burp as a proxy

This commit is contained in:
Benedikt - Desktop 2018-12-09 16:43:17 +01:00 committed by Nanne Baars
parent 8c7eaf87d6
commit 3d7974aa45
3 changed files with 5 additions and 4 deletions

@ -29,7 +29,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @since 8/20/17.
*/
@AssignmentPath("/PasswordReset/reset")
@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5"})
@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5", "password-reset-hint6"})
public class ResetLinkAssignment extends AssignmentEndpoint {
private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
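Review bot: the new key "password-reset-hint6" added to @AssignmentHints must also be defined in every other locale bundle that carries the password-reset-hint* keys, not only in the message file edited in this commit; a key that is absent from a locale cannot be rendered as a hint for users of that locale. As a style point, the annotation line has grown long enough that listing one hint key per line would make future additions easier to review.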

@ -13,9 +13,10 @@ password-reset-solved=Congratulations you solved the assignment, please type in
password-reset-not-solved=Sorry but you did not redirect the reset link to WebWolf
password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf.
password-reset-hint2=Look at the link, can you think how the server creates this link?
password-reset-hint2=Look at the link, can you think of how the server creates this link?
password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090?
password-reset-hint5=Intercept the request and change the host header
password-reset-hint5=Intercept the request and change the host header.
password-reset-hint6=For intercepting the request you have to use a proxy. Check the <a href="./start.mvc#lesson/HttpProxies.lesson" target="_blank">HTTP-Proxies Lesson</a> in the general category if you're unfamiliar with using proxies.<br/><span style="color: red;"><strong>Important:</strong> There seem to be problems when modifying the request header with <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project" target="_blank">ZAP</a>. We recommend to use <a href="https://portswigger.net/" target="_blank">Burp</a> instead.</span>
login_failed=Login failed
login_failed.tom=Sorry only Tom can login at the moment
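Review bot: both external links in password-reset-hint6 use target="_blank" without rel="noopener noreferrer"; add it so the opened page has no access to window.opener. The hint also embeds raw HTML with inline styling in a message bundle, which couples the text to presentation and makes the string hard to translate; a plain-text hint with the emphasis handled by the template would be cleaner. The ZAP caveat states a symptom ("There seem to be problems") without a cause or a tracking reference, so it will be hard to know when it can be removed. Minor wording: "We recommend to use ... Burp" should read "We recommend using ... Burp".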

@ -12,7 +12,7 @@ The time out is necessary to restrict the attack window, having a link opens up
== Assignment
Tom always resets his password immediately after receiving the email with the link.
Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
that password. Note: it is not possible to use OWASP ZAP for this lesson.
Tom always resets his password immediately after receiving the email with the link.
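Review bot: the added note states that it is "not possible" to use OWASP ZAP for this lesson, while password-reset-hint6 in the message bundle only says there "seem to be problems" with it; the two should agree on whether ZAP is unsupported or merely unreliable here, and the lesson text could point to the HTTP proxies lesson the same way the hint does. The sentence about Tom resetting his password appears at both the start and the end of the hunk, which reads as a move rather than a change; that is fine, but worth confirming the paragraph order is what was intended.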