From 580e50f5580c5062df4d75869301a9835d8e73f3 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 10 Aug 2018 13:15:40 +0200 Subject: [PATCH] Same form post is used and with autocomplete this does not work because all fields will be posted. The endpoint could no long distinguish between the different actions (sending e-mail and checking password) --- .../webgoat/plugin/SimpleMailAssignment.java | 34 ++++++++----------- .../main/resources/html/PasswordReset.html | 31 +++++++++++------ 2 files changed, 35 insertions(+), 30 deletions(-) diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java index bcd821743..a2c551687 100644 --- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java @@ -4,7 +4,6 @@ import org.apache.commons.lang3.StringUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.owasp.webgoat.plugin.PasswordResetEmail; import org.springframework.beans.factory.annotation.Value; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.PostMapping; @@ -14,8 +13,6 @@ import org.springframework.web.client.RestClientException; import org.springframework.web.client.RestTemplate; import java.time.LocalDateTime; -import java.util.Map; -import java.util.Optional; import static java.util.Optional.ofNullable; 
@@ -37,23 +34,10 @@ public class SimpleMailAssignment extends AssignmentEndpoint { @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) @ResponseBody - public AttackResult sendEmail(@RequestParam Map json) { - String email = (String) json.get("emailReset"); - if (StringUtils.isEmpty(email)) { - email = (String) json.getOrDefault("email", "unknown@webgoat.org"); - } - String password = (String) json.getOrDefault("password", ""); - int index = email.indexOf("@"); - String username = email.substring(0, index == -1 ? email.length() : index); + public AttackResult login(@RequestParam String email, @RequestParam String password) { + String emailAddress = ofNullable(email).orElse("unknown@webgoat.org"); + String username = extractUsername(emailAddress); - if (StringUtils.isEmpty(password)) { - return sendEmail(username, email); - } else { - return checkPassword(password, username); - } - } - - private AttackResult checkPassword(String password, String username) { if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) { return trackProgress(success().build()); } else { @@ -61,6 +45,18 @@ public class SimpleMailAssignment extends AssignmentEndpoint { } } + @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset") + @ResponseBody + public AttackResult resetPassword(@RequestParam String emailReset) { + String email = ofNullable(emailReset).orElse("unknown@webgoat.org"); + return sendEmail(extractUsername(email), email); + } + + private String extractUsername(String email) { + int index = email.indexOf("@"); + return email.substring(0, index == -1 ? email.length() : index); + } + private AttackResult sendEmail(String username, String email) { if (username.equals(getWebSession().getUserName())) { PasswordResetEmail mailEvent = PasswordResetEmail.builder() 
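Review bot: The `ofNullable(email).orElse("unknown@webgoat.org")` fallback in `login` is dead code — `@RequestParam String email` is required by default, so Spring rejects a request that lacks the parameter with a 400 before the method body runs, and `email` can never be null at that point. Either drop the fallback and call `extractUsername(email)` directly, or, if the lesson wants the unknown-user path to be reachable, declare `@RequestParam(required = false) String email` so the default actually does something. Worth stating in a short Javadoc on the method that an empty `password` now reaches the reversed-username comparison instead of triggering the reset mail, e.g. `/** Checks the submitted password for the current WebGoat user; the reset-mail flow lives in resetPassword. */`. The failure branch of `login` continues outside this hunk.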
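Review bot: `resetPassword` repeats the same unreachable null fallback — `@RequestParam String emailReset` is required, so `ofNullable(emailReset)` is never empty and `"unknown@webgoat.org"` is never used; `return sendEmail(extractUsername(emailReset), emailReset);` expresses the same behaviour without the misleading default. `extractUsername` should carry a one-line comment because callers depend on its edge case: `// Local part of the address (text before the first '@'); the whole string when there is no '@'.` The body of `sendEmail` runs past the end of this hunk.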
diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html index 708c4c07f..e8e00e828 100644 --- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html +++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html @@ -14,16 +14,18 @@
-
-
-
-
+
+ +
+
+
-

Account +

+ Account Access

@@ -41,7 +43,8 @@ Access

- + Forgot your password?

@@ -49,6 +52,12 @@
+ + +
-
+
- +