secure password assignment first draft

webgoat-lessons/pom.xml

@@ -86,6 +86,11 @@
             <artifactId>encoder</artifactId>
             <version>1.2</version>
         </dependency>
+        <dependency>
+            <groupId>com.nulab-inc</groupId>
+            <artifactId>zxcvbn</artifactId>
+            <version>1.2.5</version>
+        </dependency>
         <!-- Temporarily -->
         <dependency>
             <groupId>com.thoughtworks.xstream</groupId>

webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java

@@ -0,0 +1,65 @@
+package org.owasp.webgoat.plugin;
+
+
+import com.nulabinc.zxcvbn.Strength;
+import com.nulabinc.zxcvbn.Zxcvbn;
+import org.jruby.RubyProcess;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+
+import javax.tools.*;
+import java.io.IOException;
+import java.net.URI;
+import java.text.DecimalFormat;
+import java.text.DecimalFormatSymbols;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Locale;
+import java.util.concurrent.TimeUnit;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@AssignmentPath("SecurePasswords/assignment")
+//@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
+public class SecurePasswordsAssignment extends AssignmentEndpoint {
+
+    @RequestMapping(method = RequestMethod.POST)
+    @ResponseBody
+    public AttackResult completed(@RequestParam String password) {
+        Zxcvbn zxcvbn = new Zxcvbn();
+        Strength strength = zxcvbn.measure(password);
+        StringBuffer output = new StringBuffer();
+        DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
+        df.setMaximumFractionDigits(340);
+
+        output.append("<b>Your Password: </b>" + password + "</br>");
+        output.append("<b>Length: </b>" + password.length()+ "</br>");
+        output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses())+ "</br>");
+        output.append("<b>Score: </b>" + strength.getScore()+ "/5 </br>");
+        output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
+
+        if(strength.getScore() >= 4)
+            return trackProgress(success().feedback("securepassword-success").output(output.toString()).build());
+        else
+            return trackProgress(failed().feedback("securepassword-failed").output(output.toString()).build());
+    }
+
+    public static String calculateTime(long seconds) {
+        int day = (int) TimeUnit.SECONDS.toDays(seconds);
+        int year = day/365;
+        day = day % 365;
+        long hours = TimeUnit.SECONDS.toHours(seconds) - (day *24);
+        long minute = TimeUnit.SECONDS.toMinutes(seconds) - (TimeUnit.SECONDS.toHours(seconds)* 60);
+        long second = TimeUnit.SECONDS.toSeconds(seconds) - (TimeUnit.SECONDS.toMinutes(seconds) *60);
+
+        return (year + " years " + day + " days " + hours + " hours " + minute + " minutes " + second + " seconds");
+
+    }
+}

webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html

@@ -14,6 +14,30 @@
     <div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SecurePasswords_assignment_introduction.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/SecurePasswords/assignment"
+              enctype="application/json;charset=UTF-8"
+              autocomplete="off">
+            <table>
+                <tr>
+                    <td><label>Password</label></td>
+                    <td><input name="password" value="" type="TEXT" placeholder="Enter a secure password"/></td>
+                </tr>
+                <tr>
+                    <td><button type="SUBMIT">Submit</button></td>
+                </tr>
+            </table>
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SecurePasswords_3.adoc"></div>
 </div>

webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties

@@ -1 +1,3 @@
 secure-passwords.title=Secure Passwords
+securepassword-success=You have succeded! The password is secure enough.
+securepassword-failed=You have failed! Try to enter a secure password.

webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_assignment_introduction.adoc

@@ -0,0 +1,3 @@
+== How long could it take to brute force your password?
+
+In this assignment you have to type in a password which is strong enough (at least 4/5 or 5/5).