diff --git a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
index 40f882656..e79acbac5 100644
--- a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
@@ -22,8 +22,7 @@ challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
 ip.address.unknown=IP address unknown, e-mail has been sent.
-login_failed=Login failed
-login_failed.tom=Sorry only Tom can login at the moment
+ required4=Missing username or password, please specify both.
 user.not.larry=Please try to log in as Larry not {0}.
\ No newline at end of file
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java
index 9e4f3143e..d2e9ac6f7 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java
@@ -6,7 +6,7 @@ import org.owasp.webgoat.lessons.NewLesson;
 import java.util.ArrayList;
 import java.util.List;
-public class PasswordReset extends NewLesson {
+public class PasswordReset extends NewLesson {
 @Override
 public Category getDefaultCategory() {
 return Category.AUTHENTICATION;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/questions/QuestionsAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/QuestionsAssignment.java
similarity index 97%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/questions/QuestionsAssignment.java
rename to webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/QuestionsAssignment.java
index e90f5cb2a..f6c97ba89 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/questions/QuestionsAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/QuestionsAssignment.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin.questions;
+package org.owasp.webgoat.plugin;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/resetlink/ResetLinkAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java
similarity index 90%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/resetlink/ResetLinkAssignment.java
rename to webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java
index 4b3fdfab2..99eb8c41e 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/resetlink/ResetLinkAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java
@@ -1,11 +1,13 @@
-package org.owasp.webgoat.plugin.resetlink;
+package org.owasp.webgoat.plugin;
 import com.google.common.collect.EvictingQueue;
 import com.google.common.collect.Maps;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.plugin.PasswordResetEmail;
+import org.owasp.webgoat.plugin.resetlink.PasswordChangeForm;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
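Review bot: With the package now `org.owasp.webgoat.plugin`, the kept line `import org.owasp.webgoat.plugin.PasswordResetEmail;` imports a class from the file's own package and is redundant; drop it. The added `import org.owasp.webgoat.plugin.resetlink.PasswordChangeForm;` shows the form class stayed in the `resetlink` subpackage while its controller moved up a level, so either move it alongside or leave a short comment on why it remains there. The rest of the import block and the class body are outside this hunk.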
@@ -27,6 +29,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
 * @since 8/20/17.
 */
 @AssignmentPath("/PasswordReset/reset")
+@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5"})
 public class ResetLinkAssignment extends AssignmentEndpoint {
 private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
@@ -46,12 +49,10 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
 private final RestTemplate restTemplate;
 private final String webWolfMailURL;
-    private final String webwolfLandingURL;
-    public ResetLinkAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfMailURL, @Value("${webwolf.url.landingpage}") String webwolfLandingURL) {
+    public ResetLinkAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfMailURL) {
 this.restTemplate = restTemplate;
 this.webWolfMailURL = webWolfMailURL;
-        this.webwolfLandingURL = webwolfLandingURL;
 }
 @RequestMapping(method = POST, value = "/create-password-reset-link")
@@ -63,7 +64,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
 if (org.springframework.util.StringUtils.hasText(email)) {
 if (email.equals(TOM_EMAIL) && host.contains("8081")) { //User indeed changed the host header.
 userToTomResetLink.put(getWebSession().getUserName(), resetLink);
-                fakeClickingLinkEmail(cookie, host, resetLink);
+                fakeClickingLinkEmail(host, resetLink);
 } else {
 sendMailToUser(email, host, resetLink);
 }
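Review bot: `fakeClickingLinkEmail(host, resetLink)` no longer takes the `cookie` value, and nothing visible in this hunk still reads it; if the enclosing endpoint method still declares a `cookie` parameter or local, it is now dead and should be removed rather than left as an unused request value. The same parameter removal is made in the method signature at `@@ -88,7 +89,7 @@`, so the two hunks should be checked together. The enclosing method starts before this hunk, so the declaration is not visible here.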
@@ -88,7 +89,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
 * which user we need to trace the incoming request. In normal situation this HOST will be in your
 * full control so every incoming request would be valid.
 */
-    private void fakeClickingLinkEmail(String cookie, String host, String resetLink) {
+    private void fakeClickingLinkEmail(String host, String resetLink) {
 try {
 HttpHeaders httpHeaders = new HttpHeaders();
 HttpEntity httpEntity = new HttpEntity(httpHeaders);
@@ -104,12 +105,12 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
 if (TOM_EMAIL.equals(email)) {
 String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
 if (passwordTom.equals(PASSWORD_TOM_9)) {
-                return failed().feedback("login_failed").build();
+                return trackProgress(failed().feedback("login_failed").build());
 } else if (passwordTom.equals(password)) {
-                return success().feedback("challenge.solved").feedbackArgs("test").build();
+                return trackProgress(success().build());
 }
 }
-        return failed().feedback("login_failed.tom").build();
+        return trackProgress(failed().feedback("login_failed.tom").build());
 }
 @GetMapping("/reset-password/{link}")
@@ -124,7 +125,6 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
 }
 }
-
 @PostMapping("/change-password")
 public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
 if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
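Review bot: In the `@@ -104,12 +105,12 @@` hunk every exit now repeats `trackProgress(...)` around a freshly built `AttackResult`; computing the result into a local (`AttackResult result = ...;`) and ending with a single `return trackProgress(result);` keeps progress tracking in one place and makes it harder for a future branch to skip it. The method's signature and any earlier returns are outside the hunk, so confirm those are wrapped as well.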
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/simple/SimpleMailAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java
similarity index 98%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/simple/SimpleMailAssignment.java
rename to webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java
index e608742dd..bcd821743 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/simple/SimpleMailAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin.simple;
+package org.owasp.webgoat.plugin;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
@@ -24,6 +24,7 @@ import static java.util.Optional.ofNullable;
 * @since 8/20/17.
 */
 @AssignmentPath("/PasswordReset/simple-mail")
+
 public class SimpleMailAssignment extends AssignmentEndpoint {
 private final String webWolfURL;
diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
index d4a652c70..5dfc6f708 100644
--- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
+++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
@@ -137,95 +137,85 @@
-
-
-
-

- - Account Access -

-
-
-
-
- @ - -
-
+ +
+
+
+

+ + Account Access +

+
+ +
+
+ @ + +
+
- -
-
- -

- - Forgot your password? - -

-
-
- -
- +
+ +

+ + Forgot your password? + +

+
+
+ +
+ + +

+ + Account Access + +

+ + +
- - -
-
-
-
-
- -
-
- -
-
-

diff --git a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties
index 5cc0406b1..3b3f6bb69 100644
--- a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties
@@ -16,4 +16,6 @@ password-reset-hint1=Try to send a password reset link to your own account at {u
 password-reset-hint2=Look at the link, can you think how the server creates this link?
 password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
 password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:8081
-password-reset-hint5=Intercept the request and change the host header
\ No newline at end of file
+password-reset-hint5=Intercept the request and change the host header
+login_failed=Login failed
+login_failed.tom=Sorry only Tom can login at the moment
\ No newline at end of file
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
index fa0261e73..1daea2dc6 100644
--- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
+++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
@@ -14,5 +14,5 @@ The time out is necessary to restrict the attack window, having a link opens up
 Tom always resets his password immediately after receiving the email with the link. Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
-that password. If you did submit is in the e-mail address and submit again.
+that password.
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/LandingAssignment.java b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/LandingAssignment.java
index 1ae6ea707..18e954b0f 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/LandingAssignment.java
+++ b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/LandingAssignment.java
@@ -21,7 +21,7 @@ import java.net.URISyntaxException;
 @AssignmentPath("/WebWolf/landing")
 public class LandingAssignment extends AssignmentEndpoint {
-    @Value("${webworf.url.landingpage}")
+    @Value("${webwolf.url.landingpage}")
 private String landingPageUrl;
 @PostMapping
diff --git a/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java b/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java
index d4d292290..23e95ba02 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java
@@ -20,7 +20,7 @@ import java.util.*;
 public class WebWolfTraceRepository implements TraceRepository {
 private final EvictingQueue traces = EvictingQueue.create(10000);
-    private List exclusionList = Lists.newArrayList("/WebWolf/mail","/WebWolf/files", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/");
+    private List exclusionList = Lists.newArrayList("/WebWolf/home", "/WebWolf/mail","/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail");
 @Override
 public List findAll() {
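Review bot: The rewritten `exclusionList` line in WebWolfTraceRepository keeps the field as a raw, non-final, mutable `List` although its contents are fixed; `private static final List<String> EXCLUSION_LIST = Collections.unmodifiableList(Arrays.asList(...));` (both already available through `java.util.*`) gives type safety and rules out runtime changes to what this repository chooses not to record. The code that compares these entries against the request path is outside the hunk, so the match rule is not visible; if it is a `contains` or `startsWith` test, the new bare `/mail` entry is much broader than the other `/WebWolf/...` entries and would also keep any other request whose path merely contains `/mail` out of the trace view, which silently narrows what WebWolf shows the user. Confirm that breadth is intended or tighten the entry to the specific endpoint it is meant to hide.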