Same form post is used and with autocomplete this does not work because all fields will be posted. The endpoint could no long distinguish between the different actions (sending e-mail and checking password)

2018-08-10 13:15:40 +02:00
parent 3d58049af6
commit 580e50f558
2 changed files with 35 additions and 30 deletions
--- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
+++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
@ -14,16 +14,18 @@
    <div class="attack-container">
        <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST"
-              action="/WebGoat/PasswordReset/simple-mail"
-              enctype="application/json;charset=UTF-8">
-            <div class="container-fluid">

-                <div class="row">
-                    <div class="col-md-4">
+        <div class="container-fluid">
+
+            <div class="row">
+                <div class="col-md-4">
+                    <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
+                          method="POST"
+                          action="/WebGoat/PasswordReset/simple-mail"
+                          enctype="application/json;charset=UTF-8">
                        <div style="padding: 20px;" id="password-login-2">
-                            <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i> Account
+                            <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i>
+                                Account
                                Access</h4>
                            <fieldset>
                                <div class="form-group input-group">
@ -41,7 +43,8 @@
                                        Access
                                    </button>
                                    <p class="help-block">
-                                        <a class="pull-right text-muted" href="#" id="olvidado" onclick="showPasswordReset()">
+                                        <a class="pull-right text-muted" href="#" id="olvidado"
+                                           onclick="showPasswordReset()">
                                            <small>Forgot your password?</small>
                                        </a>
                                    </p>
@ -49,6 +52,12 @@
                            </fieldset>

                        </div>
+                    </form>
+
+                    <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
+                          method="POST"
+                          action="/WebGoat/PasswordReset/simple-mail/reset"
+                          enctype="application/json;charset=UTF-8">
                        <div style="display: none;" id="password-reset-2">
                            <h4 class="">Forgot your password?</h4>

@ -69,10 +78,10 @@
                            </fieldset>

                        </div>
-                    </div>
+                    </form>
                </div>
            </div>
-        </form>
+        </div>
        <br/>

        <br/>