diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
index a5e671712..1ef8ba7d5 100644
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
@@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin;
 import com.google.common.collect.Lists;
 import org.jcodings.util.Hash;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
@@ -24,15 +25,12 @@ import java.util.Map;
 */
 @AssignmentPath("/auth-bypass/verify-account")
+@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
 public class VerifyAccount extends AssignmentEndpoint {
- String secretValue = "secr37Value";
-
- //UserSessionData is bound to session and can be used to persist data across multiple assignments
 @Autowired
 UserSessionData userSessionData;
-
 @PostMapping(produces = {"application/json"})
 @ResponseBody
 public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
@@ -49,6 +47,7 @@ public class VerifyAccount extends AssignmentEndpoint {
 // else
 if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) {
+ userSessionData.setValue("account-verified-id", userId);
 return trackProgress(success()
 .feedback("verify-account.success")
 .build());
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
index a70b7e1e3..31c590b3b 100644
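Review bot: Dropping the `//UserSessionData is bound to session and can be used to persist data across multiple assignments` comment leaves the `@Autowired UserSessionData userSessionData;` field undocumented, and it stays package-private although Spring field injection works on private fields just as well. Suggest `private` plus a Javadoc on the field along the lines of `/** Session-scoped store shared with other assignments; the verified account id is written here on success. */`, so the cross-assignment contract the field now carries is visible at its declaration. The `@AssignmentHints` line would also read better with one key per line, but that is cosmetic.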
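Review bot: The value written to the session on the new line is the raw `userId` request parameter as a `String`, while the guard on the line above only accepts it once `new Integer(userId)` has parsed it, so whichever assignment later reads `"account-verified-id"` presumably has to re-parse the string and is coupled to this producer by nothing more than a bare literal key. Suggest hoisting the key into a constant that both sides reference, e.g. `static final String VERIFIED_ACCOUNT_KEY = "account-verified-id";` and `userSessionData.setValue(VERIFIED_ACCOUNT_KEY, userId);`, with a short comment naming the consumer, so a rename on either side cannot silently break the hand-off. Note also that the enclosing `if` and the `completed` method both begin before this hunk.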
--- a/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
@@ -2,4 +2,10 @@ auth-bypass.title=Authentication Bypasses
 verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again.
 verify-account.failed=Not quite, please try again.
-verify-account.success=Congrats, you have successfully verified the account without actually verifying it!
+verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password!
+
+auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same.
+auth-bypass.hints.verify.2=You do want to tamper the security question parameters, but not delete them
+auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
+auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?
+