Working last password assignment

This commit is contained in:
Nanne Baars 2018-05-26 18:48:48 +02:00
parent f8a7a61e85
commit 6e003bc088
10 changed files with 85 additions and 93 deletions


@ -22,8 +22,7 @@ challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
ip.address.unknown=IP address unknown, e-mail has been sent. ip.address.unknown=IP address unknown, e-mail has been sent.
login_failed=Login failed
login_failed.tom=Sorry only Tom can login at the moment
required4=Missing username or password, please specify both. required4=Missing username or password, please specify both.
user.not.larry=Please try to log in as Larry not {0}. user.not.larry=Please try to log in as Larry not {0}.


@ -6,7 +6,7 @@ import org.owasp.webgoat.lessons.NewLesson;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
public class PasswordReset extends NewLesson { public class PasswordReset extends NewLesson {
@Override @Override
public Category getDefaultCategory() { public Category getDefaultCategory() {
return Category.AUTHENTICATION; return Category.AUTHENTICATION;


@ -1,4 +1,4 @@
package org.owasp.webgoat.plugin.questions; package org.owasp.webgoat.plugin;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;


@ -1,11 +1,13 @@
package org.owasp.webgoat.plugin.resetlink; package org.owasp.webgoat.plugin;
import com.google.common.collect.EvictingQueue; import com.google.common.collect.EvictingQueue;
import com.google.common.collect.Maps; import com.google.common.collect.Maps;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.PasswordResetEmail; import org.owasp.webgoat.plugin.PasswordResetEmail;
import org.owasp.webgoat.plugin.resetlink.PasswordChangeForm;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpEntity; import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders; import org.springframework.http.HttpHeaders;
@ -27,6 +29,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @since 8/20/17. * @since 8/20/17.
*/ */
@AssignmentPath("/PasswordReset/reset") @AssignmentPath("/PasswordReset/reset")
@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5"})
public class ResetLinkAssignment extends AssignmentEndpoint { public class ResetLinkAssignment extends AssignmentEndpoint {
private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom"; private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
@ -46,12 +49,10 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
private final RestTemplate restTemplate; private final RestTemplate restTemplate;
private final String webWolfMailURL; private final String webWolfMailURL;
private final String webwolfLandingURL;
public ResetLinkAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfMailURL, @Value("${webwolf.url.landingpage}") String webwolfLandingURL) { public ResetLinkAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfMailURL) {
this.restTemplate = restTemplate; this.restTemplate = restTemplate;
this.webWolfMailURL = webWolfMailURL; this.webWolfMailURL = webWolfMailURL;
this.webwolfLandingURL = webwolfLandingURL;
} }
@RequestMapping(method = POST, value = "/create-password-reset-link") @RequestMapping(method = POST, value = "/create-password-reset-link")
@ -63,7 +64,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
if (org.springframework.util.StringUtils.hasText(email)) { if (org.springframework.util.StringUtils.hasText(email)) {
if (email.equals(TOM_EMAIL) && host.contains("8081")) { //User indeed changed the host header. if (email.equals(TOM_EMAIL) && host.contains("8081")) { //User indeed changed the host header.
userToTomResetLink.put(getWebSession().getUserName(), resetLink); userToTomResetLink.put(getWebSession().getUserName(), resetLink);
fakeClickingLinkEmail(cookie, host, resetLink); fakeClickingLinkEmail(host, resetLink);
} else { } else {
sendMailToUser(email, host, resetLink); sendMailToUser(email, host, resetLink);
} }
@ -88,7 +89,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
* which user we need to trace the incoming request. In normal situation this HOST will be in your * which user we need to trace the incoming request. In normal situation this HOST will be in your
* full control so every incoming request would be valid. * full control so every incoming request would be valid.
*/ */
private void fakeClickingLinkEmail(String cookie, String host, String resetLink) { private void fakeClickingLinkEmail(String host, String resetLink) {
try { try {
HttpHeaders httpHeaders = new HttpHeaders(); HttpHeaders httpHeaders = new HttpHeaders();
HttpEntity httpEntity = new HttpEntity(httpHeaders); HttpEntity httpEntity = new HttpEntity(httpHeaders);
@ -104,12 +105,12 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
if (TOM_EMAIL.equals(email)) { if (TOM_EMAIL.equals(email)) {
String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9); String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
if (passwordTom.equals(PASSWORD_TOM_9)) { if (passwordTom.equals(PASSWORD_TOM_9)) {
return failed().feedback("login_failed").build(); return trackProgress(failed().feedback("login_failed").build());
} else if (passwordTom.equals(password)) { } else if (passwordTom.equals(password)) {
return success().feedback("challenge.solved").feedbackArgs("test").build(); return trackProgress(success().build());
} }
} }
return failed().feedback("login_failed.tom").build(); return trackProgress(failed().feedback("login_failed.tom").build());
} }
@GetMapping("/reset-password/{link}") @GetMapping("/reset-password/{link}")
@ -124,7 +125,6 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
} }
} }
@PostMapping("/change-password") @PostMapping("/change-password")
public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) { public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
if (!org.springframework.util.StringUtils.hasText(form.getPassword())) { if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
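Review bot: The gate `host.contains("8081")` is a substring test on the client-supplied Host header, yet the matching branch hands that same `host` to `fakeClickingLinkEmail(host, resetLink)`, which begins assembling an outbound HTTP request (the request itself and the rest of that method are outside the hunk). Any Host value containing "8081" — `attacker.example:8081`, `8081.example.org` — therefore appears to steer where the lesson server sends Tom's reset link, which is broader than the intended "reach the WebWolf instance on 8081" and reads as an SSRF surface if this code ever runs outside a local lab. Since the constructor already injects `webWolfMailURL` and this commit drops the `webwolfLandingURL` value that would have been the natural allow-list, consider comparing against the configured WebWolf host instead, e.g. `if (email.equals(TOM_EMAIL) && host.equalsIgnoreCase(webWolfHost))` with `webWolfHost` derived from the injected WebWolf URL. At minimum the line deserves a comment such as `// Host header is attacker-controlled by design; only the configured WebWolf host is a valid target`. The enclosing request handler starts and ends outside the hunk.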


@ -1,4 +1,4 @@
package org.owasp.webgoat.plugin.simple; package org.owasp.webgoat.plugin;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
@ -24,6 +24,7 @@ import static java.util.Optional.ofNullable;
* @since 8/20/17. * @since 8/20/17.
*/ */
@AssignmentPath("/PasswordReset/simple-mail") @AssignmentPath("/PasswordReset/simple-mail")
public class SimpleMailAssignment extends AssignmentEndpoint { public class SimpleMailAssignment extends AssignmentEndpoint {
private final String webWolfURL; private final String webWolfURL;


@ -137,95 +137,85 @@
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/> <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="container-fluid"> <form class="attack-form" accept-charset="UNKNOWN"
<div class="row"> method="POST"
<div class="col-md-3"> action="/WebGoat/PasswordReset/reset/login"
<h4 style="border-bottom: 1px solid #c5c5c5;"> enctype="application/json;charset=UTF-8">
<i class="glyphicon glyphicon-user"></i> <div class="container-fluid">
Account Access <div class="row">
</h4> <div class="col-md-3">
<div style="padding: 20px;" id="password-login"> <h4 style="border-bottom: 1px solid #c5c5c5;">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN" <i class="glyphicon glyphicon-user"></i>
method="POST" name="form" Account Access
action="/WebGoat/PasswordReset/reset/login" </h4>
enctype="application/json;charset=UTF-8" role="form"> <div style="padding: 20px;" id="password-login">
<fieldset> <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
<div class="form-group input-group"> method="POST" name="form"
<span class="input-group-addon"> @ </span> action="/WebGoat/PasswordReset/reset/login"
<input class="form-control" placeholder="Email" name="email" type="email" enctype="application/json;charset=UTF-8" role="form">
required="" autofocus=""/> <fieldset>
</div> <div class="form-group input-group">
<div class="form-group input-group"> <span class="input-group-addon"> @ </span>
<input class="form-control" placeholder="Email" name="email" type="email"
required="" autofocus=""/>
</div>
<div class="form-group input-group">
<span class="input-group-addon"> <span class="input-group-addon">
<i class="glyphicon glyphicon-lock"> <i class="glyphicon glyphicon-lock">
</i> </i>
</span> </span>
<input class="form-control" placeholder="Password" name="password" type="password" <input class="form-control" placeholder="Password" name="password"
value="" required=""/> type="password"
</div> value="" required=""/>
<div class="form-group"> </div>
<button type="submit" class="btn btn-primary btn-block"> <div class="form-group">
Access <button type="submit" class="btn btn-primary btn-block">
</button> Access
<p class="help-block"> </button>
<a class="pull-right text-muted" href="#" onclick="showPasswordReset()"> <p class="help-block">
<small>Forgot your password?</small> <a class="pull-right text-muted" href="#" onclick="showPasswordReset()">
</a> <small>Forgot your password?</small>
</p> </a>
</div> </p>
</fieldset> </div>
</form> </fieldset>
</div> </form>
<div style="display: none;" id="password-reset"> </div>
<h4 class=""> <div style="display: none;" id="password-reset">
Forgot your password? <h4 class="">
</h4> Forgot your password?
<form class="attack-form" accept-charset="UNKNOWN" </h4>
method="POST" name="form" <form class="attack-form" accept-charset="UNKNOWN"
action="/WebGoat/PasswordReset/reset/create-password-reset-link" method="POST" name="form"
enctype="application/json;charset=UTF-8" role="form"> action="/WebGoat/PasswordReset/reset/create-password-reset-link"
<fieldset> enctype="application/json;charset=UTF-8" role="form">
<fieldset>
<span class="help-block"> <span class="help-block">
Email address you use to log in to your account Email address you use to log in to your account
<br/> <br/>
We'll send you an email with instructions to choose a new password. We'll send you an email with instructions to choose a new password.
</span> </span>
<div class="form-group input-group"> <div class="form-group input-group">
<span class="input-group-addon"> <span class="input-group-addon">
@ @
</span> </span>
<input class="form-control" placeholder="Email" name="email" type="email" <input class="form-control" placeholder="Email" name="email" type="email"
required=""/> required=""/>
</div> </div>
<button type="submit" class="btn btn-primary btn-block" id="btn-login"> <button type="submit" class="btn btn-primary btn-block" id="btn-login">
Continue Continue
</button> </button>
<p class="help-block"> <p class="help-block">
<a class="text-muted" href="#" onclick="showPassword()"> <a class="text-muted" href="#" onclick="showPassword()">
<small>Account Access</small> <small>Account Access</small>
</a> </a>
</p> </p>
</fieldset> </fieldset>
</form> </form>
</div>
</div> </div>
</div> </div>
</div> </div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>
</form> </form>
<br/> <br/>
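Review bot: The new side wraps the whole block in an outer `<form ... action="/WebGoat/PasswordReset/reset/login">` (the four lines replacing `<div class="container-fluid">` / `<div class="row">`) while the existing `id="login-form"` form and the `create-password-reset-link` form stay nested inside it, with a single trailing `</form>` closing it. Nested forms are not valid HTML: a parser drops an inner `<form>` start tag when a form is already open, so — if this page is rendered old-left/new-right as it appears — both sets of inputs would belong to the outer form and the "Forgot your password" submit may be posted to `/login` instead of `/create-password-reset-link`. If the wrapper was only meant to replace the removed flag form, drop the four opening lines, restore `<div class="container-fluid">`, and remove the matching trailing `</form>`. Otherwise please confirm in a browser that the reset-link form still reaches its own action.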


@ -16,4 +16,6 @@ password-reset-hint1=Try to send a password reset link to your own account at {u
password-reset-hint2=Look at the link, can you think how the server creates this link? password-reset-hint2=Look at the link, can you think how the server creates this link?
password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link... password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:8081 password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:8081
password-reset-hint5=Intercept the request and change the host header password-reset-hint5=Intercept the request and change the host header
login_failed=Login failed
login_failed.tom=Sorry only Tom can login at the moment


@ -14,5 +14,5 @@ The time out is necessary to restrict the attack window, having a link opens up
Tom always resets his password immediately after receiving the email with the link. Tom always resets his password immediately after receiving the email with the link.
Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
that password. If you did submit is in the e-mail address and submit again. that password.


@ -21,7 +21,7 @@ import java.net.URISyntaxException;
@AssignmentPath("/WebWolf/landing") @AssignmentPath("/WebWolf/landing")
public class LandingAssignment extends AssignmentEndpoint { public class LandingAssignment extends AssignmentEndpoint {
@Value("${webworf.url.landingpage}") @Value("${webwolf.url.landingpage}")
private String landingPageUrl; private String landingPageUrl;
@PostMapping @PostMapping


@ -20,7 +20,7 @@ import java.util.*;
public class WebWolfTraceRepository implements TraceRepository { public class WebWolfTraceRepository implements TraceRepository {
private final EvictingQueue<Trace> traces = EvictingQueue.create(10000); private final EvictingQueue<Trace> traces = EvictingQueue.create(10000);
private List<String> exclusionList = Lists.newArrayList("/WebWolf/mail","/WebWolf/files", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/"); private List<String> exclusionList = Lists.newArrayList("/WebWolf/home", "/WebWolf/mail","/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail");
@Override @Override
public List<Trace> findAll() { public List<Trace> findAll() {
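Review bot: The new exclusion entry `"/mail"` is much broader than the existing `"/WebWolf/mail"` — depending on how `exclusionList` is matched (that code is outside this hunk), it could suppress tracing for any request whose path merely contains `/mail`, which is surprising for a repository whose job is to show the learner incoming requests. If it targets one specific endpoint, use its full path; otherwise a one-line comment such as `// "/mail" also covers the root mailbox page, not only /WebWolf/mail` would make the intent explicit. `findAll()` and the rest of the class continue outside the hunk.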