dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

verify account assignment hints

Browse Source
This commit is contained in:
Jason White 2017-07-18 17:48:57 -04:00
parent 0cb4faf15f
commit 9b643728f8
2 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
View File

@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
import org.jcodings.util.Hash; import org.jcodings.util.Hash;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.UserSessionData;
@ -24,15 +25,12 @@ import java.util.Map;
*/ */
@AssignmentPath("/auth-bypass/verify-account") @AssignmentPath("/auth-bypass/verify-account")
@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
public class VerifyAccount extends AssignmentEndpoint { public class VerifyAccount extends AssignmentEndpoint {
String secretValue = "secr37Value";
//UserSessionData is bound to session and can be used to persist data across multiple assignments
@Autowired @Autowired
UserSessionData userSessionData; UserSessionData userSessionData;
@PostMapping(produces = {"application/json"}) @PostMapping(produces = {"application/json"})
@ResponseBody @ResponseBody
public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException { public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
@ -49,6 +47,7 @@ public class VerifyAccount extends AssignmentEndpoint {
// else // else
if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) { if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) {
userSessionData.setValue("account-verified-id", userId);
return trackProgress(success() return trackProgress(success()
.feedback("verify-account.success") .feedback("verify-account.success")
.build()); .build());

8
webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -2,4 +2,10 @@ auth-bypass.title=Authentication Bypasses
verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again. verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again.
verify-account.failed=Not quite, please try again. verify-account.failed=Not quite, please try again.
verify-account.success=Congrats, you have successfully verified the account without actually verifying it! verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password!
auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same.
auth-bypass.hints.verify.2=You do want to tamper the security question parameters, but not delete them
auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?