WIP
@ -1,20 +1,13 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.plugin.PasswordResetEmail;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.client.RestClientException;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import java.time.LocalDateTime;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
@ -22,7 +15,7 @@ import java.util.Map;
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/questions")
|
||||
@RestController
|
||||
public class QuestionsAssignment extends AssignmentEndpoint {
|
||||
|
||||
private final static Map<String, String> COLORS = new HashMap<>();
|
||||
@ -35,7 +28,7 @@ public class QuestionsAssignment extends AssignmentEndpoint {
|
||||
COLORS.put("webgoat", "red");
|
||||
}
|
||||
|
||||
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
@PostMapping(path = "/PasswordReset/questions", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult passwordReset(@RequestParam Map<String, Object> json) {
|
||||
String securityQuestion = (String) json.getOrDefault("securityQuestion", "");
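Review bot: `passwordReset` declares its parameter as `Map<String, Object>` and then casts the looked-up value on L115, but a form-encoded `@RequestParam Map` is only ever populated with `String` values, so the declared type and the cast are misleading; `public AttackResult passwordReset(@RequestParam Map<String, String> json)` with `String securityQuestion = json.getOrDefault("securityQuestion", "");` expresses the same thing without the cast. The explicit `@ResponseBody` on L109 is redundant now that the class is `@RestController` (added in the hunk above), though harmless. The body of `passwordReset` continues past the end of this hunk.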
|
||||
|
@ -17,7 +17,7 @@ import java.util.Map;
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/reset")
|
||||
@RestController
|
||||
@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5", "password-reset-hint6"})
|
||||
public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
|
||||
@ -37,7 +37,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
"Kind regards, \nTeam WebGoat";
|
||||
|
||||
|
||||
@PostMapping("/login")
|
||||
@PostMapping("/PasswordReset/reset/login")
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String password, @RequestParam String email) {
|
||||
if (TOM_EMAIL.equals(email)) {
|
||||
@ -51,7 +51,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
return trackProgress(failed().feedback("login_failed.tom").build());
|
||||
}
|
||||
|
||||
@GetMapping("/reset-password/{link}")
|
||||
@GetMapping("/PasswordReset/reset/reset-password/{link}")
|
||||
public String resetPassword(@PathVariable(value = "link") String link, Model model) {
|
||||
if (this.resetLinks.contains(link)) {
|
||||
PasswordChangeForm form = new PasswordChangeForm();
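Review bot: With the class now annotated `@RestController` (L134), every handler is implicitly `@ResponseBody`, so `resetPassword` returning a `String` will have the view name written into the response body instead of resolved as a template; `changePassword` in the next hunk returns `String` as well. Either return a `ModelAndView` from both (`public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model)` and `return new ModelAndView("<template name currently returned>")`), or keep this class a plain `@Controller` and rely on the explicit `@ResponseBody` that `login` already carries on L161. Separately, `this.resetLinks.contains(link)` on L190 accepts any token ever issued, with no expiry or single-use consumption; if that is the lesson's intended weakness, a one-line comment saying so would stop the next reader from "fixing" it. The body of `resetPassword` continues outside this hunk.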
|
||||
@ -63,7 +63,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@PostMapping("/change-password")
|
||||
@PostMapping("/PasswordReset/reset/change-password")
|
||||
public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
|
||||
if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
|
||||
bindingResult.rejectValue("password", "not.empty");
|
||||
|
@ -7,9 +7,7 @@ import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.http.HttpEntity;
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
@ -25,7 +23,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/ForgotPassword")
|
||||
@RestController
|
||||
public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
|
||||
private final RestTemplate restTemplate;
|
||||
@ -37,7 +35,7 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
this.webWolfMailURL = webWolfMailURL;
|
||||
}
|
||||
|
||||
@RequestMapping(method = POST, value = "/create-password-reset-link")
|
||||
@PostMapping("/PasswordReset/ForgotPassword/create-password-reset-link")
|
||||
@ResponseBody
|
||||
public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) {
|
||||
String resetLink = UUID.randomUUID().toString();
|
||||
@ -58,7 +56,7 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
return success().feedback("email.send").feedbackArgs(email).build();
|
||||
}
|
||||
|
||||
private void sendMailToUser(@RequestParam String email, String host, String resetLink) {
|
||||
private void sendMailToUser(String email, String host, String resetLink) {
|
||||
int index = email.indexOf("@");
|
||||
String username = email.substring(0, index == -1 ? email.length() : index);
|
||||
PasswordResetEmail mail = PasswordResetEmail.builder()
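Review bot: `sendMailToUser` has no documentation and its `host` parameter goes into the reset link without any check; if, as the `HttpServletRequest` parameter of `sendPasswordResetLink` on L301 suggests, `host` is taken from the incoming request, the generated link points wherever the client says it should, which is presumably the lesson's deliberate flaw and deserves to be stated. A short Javadoc would do: `/** Builds and sends the reset mail for {@code email}; {@code host} is used verbatim in the link (intentionally client-controllable for this lesson) and the user name is whatever precedes the first '@'. */`. The `indexOf`/`substring` pair on L324–L327 is equivalent to `String username = email.split("@", 2)[0];`, which reads more directly. The builder call on L330 continues past the end of this hunk.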
|
||||
@ -78,5 +76,4 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
|
||||
//don't care
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
@ -20,7 +17,7 @@ import static java.util.Optional.of;
|
||||
* @author Tobias Melzer
|
||||
* @since 11.12.18
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/SecurityQuestions")
|
||||
@RestController
|
||||
public class SecurityQuestionAssignment extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
@ -46,7 +43,7 @@ public class SecurityQuestionAssignment extends AssignmentEndpoint {
|
||||
questions.put("What is your favorite color?", "Can easily be guessed.");
|
||||
}
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
@PostMapping("/PasswordReset/SecurityQuestions")
|
||||
@ResponseBody
|
||||
public AttackResult completed(@RequestParam String question) {
|
||||
var answer = of(questions.get(question));
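Review bot: `of(questions.get(question))` on L435 is `Optional.of` (the static import shown in the hunk header), which throws `NullPointerException` when the submitted `question` is not a key of `questions`, so any unknown value from the client becomes a 500 instead of a failed attempt. Use `var answer = ofNullable(questions.get(question));` together with `import static java.util.Optional.ofNullable;` so the absent case flows into whatever `orElse`/`isPresent` handling follows. The rest of `completed` lies outside this hunk, so I cannot see how `answer` is consumed; an unguarded `.get()` downstream would need the same attention.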
|
||||
|
@ -9,6 +9,7 @@ import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.client.RestClientException;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
@ -20,8 +21,7 @@ import static java.util.Optional.ofNullable;
|
||||
* @author nbaars
|
||||
* @since 8/20/17.
|
||||
*/
|
||||
@AssignmentPath("/PasswordReset/simple-mail")
|
||||
|
||||
@RestController
|
||||
public class SimpleMailAssignment extends AssignmentEndpoint {
|
||||
|
||||
private final String webWolfURL;
|
||||
@ -32,7 +32,7 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
|
||||
this.webWolfURL = webWolfURL;
|
||||
}
|
||||
|
||||
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
@PostMapping(path = "/PasswordReset/simple-mail", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult login(@RequestParam String email, @RequestParam String password) {
|
||||
String emailAddress = ofNullable(email).orElse("unknown@webgoat.org");
|
||||
@ -45,7 +45,7 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
|
||||
}
|
||||
}
|
||||
|
||||
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset")
|
||||
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/PasswordReset/simple-mail/reset")
|
||||
@ResponseBody
|
||||
public AttackResult resetPassword(@RequestParam String emailReset) {
|
||||
String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
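Review bot: `@RequestParam String emailReset` is required by default, so Spring rejects a missing parameter with a 400 before `resetPassword` runs and the `ofNullable(emailReset).orElse("unknown@webgoat.org")` fallback on L539 is unreachable; `login` has the same pattern on L513. If the default address is intended, declare `@RequestParam(required = false) String emailReset`; if not, the line reduces to `String email = emailReset;`. The `@ResponseBody` on L533 is redundant under `@RestController` but harmless. The body of `resetPassword` continues outside this hunk.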
|
||||
|