verify account assignment hints

2017-07-18 17:48:57 -04:00 · 2017-07-18 17:48:57 -04:00 · 9b643728f8
commit 9b643728f8
parent 0cb4faf15f
2 changed files with 10 additions and 5 deletions
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin;
 import com.google.common.collect.Lists;
 import org.jcodings.util.Hash;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
@ -24,15 +25,12 @@ import java.util.Map;
 */

@AssignmentPath("/auth-bypass/verify-account")
+@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
 public class VerifyAccount extends AssignmentEndpoint {

-    String secretValue = "secr37Value";
-
-    //UserSessionData is bound to session and can be used to persist data across multiple assignments
    @Autowired
    UserSessionData userSessionData;

-
    @PostMapping(produces = {"application/json"})
    @ResponseBody
    public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
@ -49,6 +47,7 @@ public class VerifyAccount extends AssignmentEndpoint {

        // else
        if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) {
+            userSessionData.setValue("account-verified-id", userId);
            return trackProgress(success()
            .feedback("verify-account.success")
            .build());
--- a/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
@ -2,4 +2,10 @@ auth-bypass.title=Authentication Bypasses

 verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again.
 verify-account.failed=Not quite, please try again.
-verify-account.success=Congrats, you have successfully verified the account without actually verifying it!
+verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password!
+
+auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same.
+auth-bypass.hints.verify.2=You do want to tamper the  security  question parameters, but not delete them
+auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
+auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?
+