Working last password assignment

webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties

@@ -22,8 +22,7 @@ challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
 
 ip.address.unknown=IP address unknown, e-mail has been sent. 
 
-login_failed=Login failed
+
-login_failed.tom=Sorry only Tom can login at the moment
 
 required4=Missing username or password, please specify both.
 user.not.larry=Please try to log in as Larry not {0}. 

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/QuestionsAssignment.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin.questions;
+package org.owasp.webgoat.plugin;
 
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java

@@ -1,11 +1,13 @@
-package org.owasp.webgoat.plugin.resetlink;
+package org.owasp.webgoat.plugin;
 
 import com.google.common.collect.EvictingQueue;
 import com.google.common.collect.Maps;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.plugin.PasswordResetEmail;
+import org.owasp.webgoat.plugin.resetlink.PasswordChangeForm;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
@@ -27,6 +29,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
  * @since 8/20/17.
  */
 @AssignmentPath("/PasswordReset/reset")
+@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5"})
 public class ResetLinkAssignment extends AssignmentEndpoint {
 
     private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
@@ -46,12 +49,10 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
 
     private final RestTemplate restTemplate;
     private final String webWolfMailURL;
-    private final String webwolfLandingURL;
 
-    public ResetLinkAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfMailURL, @Value("${webwolf.url.landingpage}") String webwolfLandingURL) {
+    public ResetLinkAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfMailURL) {
         this.restTemplate = restTemplate;
         this.webWolfMailURL = webWolfMailURL;
-        this.webwolfLandingURL = webwolfLandingURL;
     }
 
     @RequestMapping(method = POST, value = "/create-password-reset-link")
@@ -63,7 +64,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
         if (org.springframework.util.StringUtils.hasText(email)) {
             if (email.equals(TOM_EMAIL) && host.contains("8081")) { //User indeed changed the host header.
                 userToTomResetLink.put(getWebSession().getUserName(), resetLink);
-                fakeClickingLinkEmail(cookie, host, resetLink);
+                fakeClickingLinkEmail(host, resetLink);
             } else {
                 sendMailToUser(email, host, resetLink);
             }
@@ -88,7 +89,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
      * which user we need to trace the incoming request. In normal situation this HOST will be in your
      * full control so every incoming request would be valid.
      */
-    private void fakeClickingLinkEmail(String cookie, String host, String resetLink) {
+    private void fakeClickingLinkEmail(String host, String resetLink) {
         try {
             HttpHeaders httpHeaders = new HttpHeaders();
             HttpEntity httpEntity = new HttpEntity(httpHeaders);
@@ -104,12 +105,12 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
         if (TOM_EMAIL.equals(email)) {
             String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
             if (passwordTom.equals(PASSWORD_TOM_9)) {
-                return failed().feedback("login_failed").build();
+                return trackProgress(failed().feedback("login_failed").build());
             } else if (passwordTom.equals(password)) {
-                return success().feedback("challenge.solved").feedbackArgs("test").build();
+                return trackProgress(success().build());
             }
         }
-        return failed().feedback("login_failed.tom").build();
+        return trackProgress(failed().feedback("login_failed.tom").build());
     }
 
     @GetMapping("/reset-password/{link}")
@@ -124,7 +125,6 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
         }
     }
 
-
     @PostMapping("/change-password")
     public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
         if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin.simple;
+package org.owasp.webgoat.plugin;
 
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
@@ -24,6 +24,7 @@ import static java.util.Optional.ofNullable;
  * @since 8/20/17.
  */
 @AssignmentPath("/PasswordReset/simple-mail")
+
 public class SimpleMailAssignment extends AssignmentEndpoint {
 
     private final String webWolfURL;

webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html

@@ -137,6 +137,10 @@
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST"
+              action="/WebGoat/PasswordReset/reset/login"
+              enctype="application/json;charset=UTF-8">
             <div class="container-fluid">
                 <div class="row">
                     <div class="col-md-3">
@@ -160,7 +164,8 @@
             <i class="glyphicon glyphicon-lock">
             </i>
           </span>
-                                    <input class="form-control" placeholder="Password" name="password" type="password"
+                                        <input class="form-control" placeholder="Password" name="password"
+                                               type="password"
                                                value="" required=""/>
                                     </div>
                                     <div class="form-group">
@@ -211,21 +216,6 @@
                     </div>
                 </div>
             </div>
-
-        <br/>
-        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
-            <div class="form-group">
-                <div class="input-group">
-                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
-                                                      style="font-size:20px"></i></div>
-                    <input type="text" class="form-control" id="flag" name="flag"
-                           placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
-                </div>
-                <div class="input-group" style="margin-top: 10px">
-                    <button type="submit" class="btn btn-primary">Submit flag</button>
-                </div>
-            </div>
-
         </form>
 
         <br/>

webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties

@@ -17,3 +17,5 @@ password-reset-hint2=Look at the link, can you think how the server creates this
 password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
 password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:8081
 password-reset-hint5=Intercept the request and change the host header
+login_failed=Login failed
+login_failed.tom=Sorry only Tom can login at the moment

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc

@@ -14,5 +14,5 @@ The time out is necessary to restrict the attack window, having a link opens up
 
 Tom always resets his password immediately after receiving the email with the link.
 Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
-that password. If you did submit is in the e-mail address and submit again.
+that password.
 

webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/LandingAssignment.java

@@ -21,7 +21,7 @@ import java.net.URISyntaxException;
 @AssignmentPath("/WebWolf/landing")
 public class LandingAssignment extends AssignmentEndpoint {
 
-    @Value("${webworf.url.landingpage}")
+    @Value("${webwolf.url.landingpage}")
     private String landingPageUrl;
 
     @PostMapping

webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java

@@ -20,7 +20,7 @@ import java.util.*;
 public class WebWolfTraceRepository implements TraceRepository {
 
     private final EvictingQueue<Trace> traces = EvictingQueue.create(10000);
-    private List<String> exclusionList = Lists.newArrayList("/WebWolf/mail","/WebWolf/files", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/");
+    private List<String> exclusionList = Lists.newArrayList("/WebWolf/home", "/WebWolf/mail","/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail");
 
     @Override
     public List<Trace> findAll() {