secure password assignment first draft

PhilippeSteinbach 2018-12-03 15:53:21 +01:00 committed by Nanne Baars
parent 8bc91ba4ec
commit 5fa11a1b4b
5 changed files with 100 additions and 1 deletions


@ -86,6 +86,11 @@
<artifactId>encoder</artifactId> <artifactId>encoder</artifactId>
<version>1.2</version> <version>1.2</version>
</dependency> </dependency>
<dependency>
<groupId>com.nulab-inc</groupId>
<artifactId>zxcvbn</artifactId>
<version>1.2.5</version>
</dependency>
<!-- Temporarily --> <!-- Temporarily -->
<dependency> <dependency>
<groupId>com.thoughtworks.xstream</groupId> <groupId>com.thoughtworks.xstream</groupId>


@ -0,0 +1,65 @@
package org.owasp.webgoat.plugin;
import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn;
import org.jruby.RubyProcess;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.tools.*;
import java.io.IOException;
import java.net.URI;
import java.text.DecimalFormat;
import java.text.DecimalFormatSymbols;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@AssignmentPath("SecurePasswords/assignment")
//@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
public class SecurePasswordsAssignment extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
@ResponseBody
public AttackResult completed(@RequestParam String password) {
Zxcvbn zxcvbn = new Zxcvbn();
Strength strength = zxcvbn.measure(password);
StringBuffer output = new StringBuffer();
DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
df.setMaximumFractionDigits(340);
output.append("<b>Your Password: </b>" + password + "</br>");
output.append("<b>Length: </b>" + password.length()+ "</br>");
output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses())+ "</br>");
output.append("<b>Score: </b>" + strength.getScore()+ "/5 </br>");
output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
if(strength.getScore() >= 4)
return trackProgress(success().feedback("securepassword-success").output(output.toString()).build());
else
return trackProgress(failed().feedback("securepassword-failed").output(output.toString()).build());
}
public static String calculateTime(long seconds) {
int day = (int) TimeUnit.SECONDS.toDays(seconds);
int year = day/365;
day = day % 365;
long hours = TimeUnit.SECONDS.toHours(seconds) - (day *24);
long minute = TimeUnit.SECONDS.toMinutes(seconds) - (TimeUnit.SECONDS.toHours(seconds)* 60);
long second = TimeUnit.SECONDS.toSeconds(seconds) - (TimeUnit.SECONDS.toMinutes(seconds) *60);
return (year + " years " + day + " days " + hours + " hours " + minute + " minutes " + second + " seconds");
}
}
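Review bot: The submitted password is concatenated straight into the HTML the endpoint returns on the `Your Password` line, so whatever the user typed is reflected to the browser without encoding; the pom already pulls in the `encoder` artifact, and if that is the OWASP Java Encoder the line should read `output.append("<b>Your Password: </b>" + Encode.forHtml(password) + "</br>");` with the matching import. In calculateTime the hours term subtracts only the remainder left after `day = day % 365`, so any crack time of a year or more reports roughly `year * 8760` extra hours; `long hours = TimeUnit.SECONDS.toHours(seconds) - TimeUnit.DAYS.toHours(TimeUnit.SECONDS.toDays(seconds));` fixes it, and `day` should be a `long` because the cast to `int` overflows for the very large crack times this endpoint can produce. The output labels the score as `/5` while the pass condition is `getScore() >= 4`; if the library scores 0–4, the label should say `/4` so it agrees with the check. The unused imports (`org.jruby.RubyProcess`, `javax.tools.*`, `java.net.URI`, and the regex and collection ones) should be dropped.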


@ -14,6 +14,30 @@
<div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div> <div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SecurePasswords_assignment_introduction.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/SecurePasswords/assignment"
enctype="application/json;charset=UTF-8"
autocomplete="off">
<table>
<tr>
<td><label>Password</label></td>
<td><input name="password" value="" type="TEXT" placeholder="Enter a secure password"/></td>
</tr>
<tr>
<td><button type="SUBMIT">Submit</button></td>
</tr>
</table>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SecurePasswords_3.adoc"></div> <div class="adoc-content" th:replace="doc:SecurePasswords_3.adoc"></div>
</div> </div>
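Review bot: The new form declares `accept-charset="UNKNOWN"`, which is not a charset name, and `enctype="application/json;charset=UTF-8"`, which is not a valid form encoding, so a submit that is not intercepted by script falls back to the browser defaults rather than what the attributes suggest. Unless the other lesson forms deliberately carry the same attributes because the lesson JavaScript handles the submit, the form should use `accept-charset="UTF-8"` and either a real enctype or none.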


@ -1 +1,3 @@
secure-passwords.title=Secure Passwords secure-passwords.title=Secure Passwords
securepassword-success=You have succeded! The password is secure enough.
securepassword-failed=You have failed! Try to enter a secure password.
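Review bot: The `securepassword-success` message has a typo in its user-facing text, "succeded"; it should read `securepassword-success=You have succeeded! The password is secure enough.`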


@ -0,0 +1,3 @@
== How long could it take to brute force your password?
In this assignment you have to type in a password which is strong enough (at least 4/5 or 5/5).