From 91e6f7091901670a7a763a4add623ba7349e3ea7 Mon Sep 17 00:00:00 2001 From: Benedikt - Desktop Date: Sun, 2 Dec 2018 17:35:20 +0100 Subject: [PATCH] Added lesson (no content yet) for explaining nist password standards. --- webgoat-lessons/pom.xml | 3 +- webgoat-lessons/secure-passwords/pom.xml | 11 ++++++ .../owasp/webgoat/plugin/SecurePasswords.java | 39 +++++++++++++++++++ .../main/resources/html/SecurePasswords.html | 13 +++++++ .../resources/i18n/WebGoatLabels.properties | 1 + .../src/main/resources/js/questions_cia.json | 35 +++++++++++++++++ .../lessonPlans/en/SecurePasswords_1.adoc | 1 + .../lessonPlans/en/SecurePasswords_intro.adoc | 2 + .../resources/i18n/WebGoatLabels.properties | 2 +- webgoat-server/pom.xml | 5 +++ 10 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 webgoat-lessons/secure-passwords/pom.xml create mode 100644 webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswords.java create mode 100644 webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html create mode 100644 webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties create mode 100644 webgoat-lessons/secure-passwords/src/main/resources/js/questions_cia.json create mode 100644 webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc create mode 100644 webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index bbbe5a149..5efff3d9d 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -32,11 +32,12 @@ vulnerable-components webgoat-introduction webwolf-introduction - auth-bypass + auth-bypass missing-function-ac csrf password-reset ssrf + secure-passwords diff --git a/webgoat-lessons/secure-passwords/pom.xml b/webgoat-lessons/secure-passwords/pom.xml new file mode 100644 index 000000000..5d20882f0 --- /dev/null +++ b/webgoat-lessons/secure-passwords/pom.xml @@ -0,0 +1,11 @@ + + 4.0.0 + secure-passwords + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + v8.0.0.SNAPSHOT + + \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswords.java b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswords.java new file mode 100644 index 000000000..d4f5be6d6 --- /dev/null +++ b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswords.java @@ -0,0 +1,39 @@ +package org.owasp.webgoat.plugin; + +import com.beust.jcommander.internal.Lists; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.NewLesson; + +import java.util.List; + +/** + * @author BenediktStuhrmann + * @since 12/2/18. + */ +public class SecurePasswords extends NewLesson { + + @Override + public Category getDefaultCategory() { + return Category.AUTHENTICATION; + } + + @Override + public List getHints() { + return Lists.newArrayList(); + } + + @Override + public Integer getDefaultRanking() { + return 3; + } + + @Override + public String getTitle() { + return "secure-passwords.title"; + } + + @Override + public String getId() { + return "SecurePasswords"; + } +} diff --git a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html b/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html new file mode 100644 index 000000000..999524d90 --- /dev/null +++ b/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html @@ -0,0 +1,13 @@ + + + + +
+
+
+ +
+
+
+ + \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties new file mode 100644 index 000000000..02f2a60ef --- /dev/null +++ b/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties @@ -0,0 +1 @@ +secure-passwords.title=Secure Passwords diff --git a/webgoat-lessons/secure-passwords/src/main/resources/js/questions_cia.json b/webgoat-lessons/secure-passwords/src/main/resources/js/questions_cia.json new file mode 100644 index 000000000..4c43fae60 --- /dev/null +++ b/webgoat-lessons/secure-passwords/src/main/resources/js/questions_cia.json @@ -0,0 +1,35 @@ +{ + "questions": [{ + "text": "How could an intruder harm the security goal of confidentiality?", + "solutions": { + "1": "By deleting all the databases.", + "2": "By stealing a database where general configuration information for the system is stored.", + "3": "By stealing a database where names and emails are stored and uploading it to a website.", + "4": "Confidentiality can't be harmed by an intruder." + } + }, { + "text": "How could an intruder harm the security goal of integrity?", + "solutions": { + "1": "By changing the names and emails of one or more users stored in a database.", + "2": "By listening to incoming and outgoing network traffic.", + "3": "By bypassing authentication mechanisms that are in place to manage database access.", + "4": "Integrity can only be harmed when the intruder has physical access to the database storage." + } + }, { + "text": "How could an intruder harm the security goal of availability?", + "solutions": { + "1": "By exploiting bugs in the systems software to bypass authentication mechanisms for databases.", + "2": "By redirecting emails with sensitive data to other individuals.", + "3": "Availability can only be harmed by unplugging the power supply of the storage devices.", + "4": "By launching a denial of service attack on the servers." + } + }, { + "text": "What happens if at least one of the CIA security goals is harmed?", + "solutions": { + "1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.", + "2": "The systems security is compromised even if only one goal is harmed.", + "3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.", + "4": "It shouldn't be a problem if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed." + } + }] +} \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc new file mode 100644 index 000000000..0aee77ef3 --- /dev/null +++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc @@ -0,0 +1 @@ +== 1 \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc new file mode 100644 index 000000000..2905477dc --- /dev/null +++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc @@ -0,0 +1,2 @@ +== Secure Passwords + diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties index 1fca278aa..57b72281e 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties @@ -69,7 +69,7 @@ sql-injection.10b.success=