The same form post was used for both actions, and with browser autocomplete this no longer works because all fields get posted: the endpoint could no longer distinguish between the different actions (sending the e-mail and checking the password).

Nanne Baars 2018-08-10 13:15:40 +02:00
parent 3d58049af6
commit 580e50f558
2 changed files with 35 additions and 30 deletions


@ -4,7 +4,6 @@ import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.PasswordResetEmail;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
@ -14,8 +13,6 @@ import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import java.time.LocalDateTime;
import java.util.Map;
import java.util.Optional;
import static java.util.Optional.ofNullable;
@ -37,23 +34,10 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
@ResponseBody
public AttackResult sendEmail(@RequestParam Map<String, Object> json) {
String email = (String) json.get("emailReset");
if (StringUtils.isEmpty(email)) {
email = (String) json.getOrDefault("email", "unknown@webgoat.org");
}
String password = (String) json.getOrDefault("password", "");
int index = email.indexOf("@");
String username = email.substring(0, index == -1 ? email.length() : index);
public AttackResult login(@RequestParam String email, @RequestParam String password) {
String emailAddress = ofNullable(email).orElse("unknown@webgoat.org");
String username = extractUsername(emailAddress);
if (StringUtils.isEmpty(password)) {
return sendEmail(username, email);
} else {
return checkPassword(password, username);
}
}
private AttackResult checkPassword(String password, String username) {
if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) {
return trackProgress(success().build());
} else {
@ -61,6 +45,18 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
}
}
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset")
@ResponseBody
public AttackResult resetPassword(@RequestParam String emailReset) {
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
return sendEmail(extractUsername(email), email);
}
private String extractUsername(String email) {
int index = email.indexOf("@");
return email.substring(0, index == -1 ? email.length() : index);
}
private AttackResult sendEmail(String username, String email) {
if (username.equals(getWebSession().getUserName())) {
PasswordResetEmail mailEvent = PasswordResetEmail.builder()
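Review bot: The `ofNullable(email).orElse("unknown@webgoat.org")` fallback in `login` (and the identical one in `resetPassword`) looks unreachable: a plain `@RequestParam String email` is required by default in Spring MVC, so a request missing the parameter is rejected with 400 before the handler runs, while an empty-string value is non-null and passes straight through to `extractUsername` as `""`. Either declare `@RequestParam(required = false) String email` so the default actually applies, or drop the fallback and let the required check stand. Separately, `login` still branches `if (StringUtils.isEmpty(password)) { return sendEmail(username, email); }`, so the login endpoint can still trigger a reset mail even though this commit moved that action to `/reset`; returning the same failure result `checkPassword` uses for a wrong password would complete the separation. The else branch of `checkPassword` and the body of `sendEmail` continue outside the hunk, so I cannot see the failure builder to quote it.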


@ -14,16 +14,18 @@
<div class="attack-container">
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST"
action="/WebGoat/PasswordReset/simple-mail"
enctype="application/json;charset=UTF-8">
<div class="container-fluid">
<div class="row">
<div class="col-md-4">
<div class="container-fluid">
<div class="row">
<div class="col-md-4">
<form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
method="POST"
action="/WebGoat/PasswordReset/simple-mail"
enctype="application/json;charset=UTF-8">
<div style="padding: 20px;" id="password-login-2">
<h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i> Account
<h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i>
Account
Access</h4>
<fieldset>
<div class="form-group input-group">
@ -41,7 +43,8 @@
Access
</button>
<p class="help-block">
<a class="pull-right text-muted" href="#" id="olvidado" onclick="showPasswordReset()">
<a class="pull-right text-muted" href="#" id="olvidado"
onclick="showPasswordReset()">
<small>Forgot your password?</small>
</a>
</p>
@ -49,6 +52,12 @@
</fieldset>
</div>
</form>
<form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
method="POST"
action="/WebGoat/PasswordReset/simple-mail/reset"
enctype="application/json;charset=UTF-8">
<div style="display: none;" id="password-reset-2">
<h4 class="">Forgot your password?</h4>
@ -69,10 +78,10 @@
</fieldset>
</div>
</div>
</form>
</div>
</div>
</form>
</div>
<br/>
<br/>
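Review bot: Both new `<form>` tags (the one posting to `/WebGoat/PasswordReset/simple-mail` and the new one posting to `/WebGoat/PasswordReset/simple-mail/reset`) declare `enctype="application/json;charset=UTF-8"`, while the Java side of this same commit maps both handlers with `consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE`. `application/json` is not a valid form enctype, so a native browser submit silently falls back to `application/x-www-form-urlencoded`, which happens to match the server; if WebGoat's attack-form JavaScript drives the submit and honours this attribute, the POST would presumably be refused with 415 instead. The attribute therefore documents the wrong contract even when it works by accident — prefer `enctype="application/x-www-form-urlencoded"` on both forms, or drop it so the browser default applies. The value appears to be inherited from the old single form, but the commit copies it into the new reset form rather than correcting it.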