diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java index bcd821743..a2c551687 100644 --- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java @@ -4,7 +4,6 @@ import org.apache.commons.lang3.StringUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.plugin.PasswordResetEmail; import org.springframework.beans.factory.annotation.Value; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.PostMapping; @@ -14,8 +13,6 @@ import org.springframework.web.client.RestClientException; import org.springframework.web.client.RestTemplate; import java.time.LocalDateTime; -import java.util.Map; -import java.util.Optional; import static java.util.Optional.ofNullable; 
@@ -37,23 +34,10 @@ public class SimpleMailAssignment extends AssignmentEndpoint { @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) @ResponseBody - public AttackResult sendEmail(@RequestParam Map<String, Object> json) { - String email = (String) json.get("emailReset"); - if (StringUtils.isEmpty(email)) { - email = (String) json.getOrDefault("email", "unknown@webgoat.org"); - } - String password = (String) json.getOrDefault("password", ""); - int index = email.indexOf("@"); - String username = email.substring(0, index == -1 ? email.length() : index); + public AttackResult login(@RequestParam String email, @RequestParam String password) { + String emailAddress = ofNullable(email).orElse("unknown@webgoat.org"); + String username = extractUsername(emailAddress); - if (StringUtils.isEmpty(password)) { - return sendEmail(username, email); - } else { - return checkPassword(password, username); - } - } - - private AttackResult checkPassword(String password, String username) { if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) { return trackProgress(success().build()); } else { @@ -61,6 +45,18 @@ public class SimpleMailAssignment extends AssignmentEndpoint { } } + @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset") + @ResponseBody + public AttackResult resetPassword(@RequestParam String emailReset) { + String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); + return sendEmail(extractUsername(email), email); + } + + private String extractUsername(String email) { + int index = email.indexOf("@"); + return email.substring(0, index == -1 ? email.length() : index); + } + private AttackResult sendEmail(String username, String email) { if (username.equals(getWebSession().getUserName())) { PasswordResetEmail mailEvent = PasswordResetEmail.builder() 
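Review bot: In `login`, `ofNullable(email).orElse("unknown@webgoat.org")` can never take the fallback branch, because `@RequestParam String email` is required by default and Spring answers a request without it with a 400 before the method body runs; the same holds for `password`. If the fallback is meant to be reachable, declare it on the binding instead: `public AttackResult login(@RequestParam(defaultValue = "unknown@webgoat.org") String email, @RequestParam String password) {` and delete the `ofNullable` line; otherwise drop the dead fallback so the code stops suggesting a null path that does not exist. A one-line Javadoc would also help the next reader, e.g. `/** Lesson login: succeeds only when the local part of {@code email} equals the session user and {@code password} is that user name reversed. */`, since the reversed-username rule is the lesson's deliberately weak check rather than an accident. The method's else branch continues past the end of this hunk.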
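Review bot: `resetPassword` carries the same unreachable fallback — `@RequestParam String emailReset` is required, so `ofNullable(emailReset)` is always present; either bind the default with `@RequestParam(defaultValue = "unknown@webgoat.org") String emailReset` or remove the `orElse`. `extractUsername` deserves a Javadoc because both endpoints lean on its edge cases: `/** Returns the text before the first '@' of {@code email}, or the whole string when there is no '@'; an empty input yields an empty username. */`. Note that only that local part is compared with the session user inside `sendEmail`, so the domain of the supplied address passes through unchecked; that looks intentional for this lesson, but the remainder of `sendEmail`, which builds the mail event, runs past the end of this hunk, so I could not confirm where the address is used.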
diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html index 708c4c07f..e8e00e828 100644 --- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html +++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html @@ -14,16 +14,18 @@ <div class="attack-container"> <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> - <form class="attack-form" accept-charset="UNKNOWN" - method="POST" - action="/WebGoat/PasswordReset/simple-mail" - enctype="application/json;charset=UTF-8"> - <div class="container-fluid"> - <div class="row"> - <div class="col-md-4"> + <div class="container-fluid"> + + <div class="row"> + <div class="col-md-4"> + <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate" + method="POST" + action="/WebGoat/PasswordReset/simple-mail" + enctype="application/json;charset=UTF-8"> <div style="padding: 20px;" id="password-login-2"> - <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i> Account + <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i> + Account Access</h4> <fieldset> <div class="form-group input-group"> @@ -41,7 +43,8 @@ Access </button> <p class="help-block"> - <a class="pull-right text-muted" href="#" id="olvidado" onclick="showPasswordReset()"> + <a class="pull-right text-muted" href="#" id="olvidado" + onclick="showPasswordReset()"> <small>Forgot your password?</small> </a> </p> @@ -49,6 +52,12 @@ </fieldset> </div> + </form> + + <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate" + method="POST" + action="/WebGoat/PasswordReset/simple-mail/reset" + enctype="application/json;charset=UTF-8"> <div style="display: none;" id="password-reset-2"> <h4 class="">Forgot your password?</h4> 
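Review bot: The new `/reset` form declares `enctype="application/json;charset=UTF-8"` and `accept-charset="UNKNOWN"`, while the endpoint it posts to is mapped with `consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE` in SimpleMailAssignment.java. Browsers ignore an unrecognised enctype and fall back to `application/x-www-form-urlencoded`, so a plain submit works only by accident, and any client that honours the declared type would get a 415 from Spring; presumably the WebGoat page script serialises the form itself, but that script is not visible here. Setting both forms to `enctype="application/x-www-form-urlencoded"` and `accept-charset="UTF-8"` makes the markup agree with the server. The same attributes were already on the old single form, so this is carried over rather than newly introduced, but the split into two forms is the moment to correct it.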
@@ -69,10 +78,10 @@ </fieldset> </div> - </div> + </form> </div> </div> - </form> + </div> <br/> <br/>