From b57cfd06b1b9c1095009a8874c521565834a827e Mon Sep 17 00:00:00 2001
From: Jason White
Date: Wed, 19 Jul 2017 08:56:48 -0400
Subject: [PATCH] Started testing. Having issues, but commiting stubs and making ticket to return

---
 .../plugin/AccountVerificationHelper.java | 4 +-
 .../owasp/webgoat/plugin/VerifyAccount.java | 4 +
 .../plugin/BypassVerificationTest.java | 86 +++++++++++++++++++
 3 files changed, 92 insertions(+), 2 deletions(-)
 create mode 100644 webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/plugin/BypassVerificationTest.java

diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java
index 9935827a5..dd9aaeee5 100644
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java
@@ -18,7 +18,7 @@ public class AccountVerificationHelper {
     private static final Integer verifyUserId = new Integer(1223445);
     private static final Map userSecQuestions = new HashMap<>();
     static {
-        userSecQuestions.put("secQuestion0","Mr. Hamurabi");
+        userSecQuestions.put("secQuestion0","Dr. Watson");
         userSecQuestions.put("secQuestion1","Baker Street");
     }
@@ -37,7 +37,7 @@ public class AccountVerificationHelper {
         }
         if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) &&
-            (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) ) {
+            (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) ) {
             likely = true;
         } else {
             likely = false;
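Review bot: The corrected `+` line still calls `equals` on the submitted value, so a `secQuestion1` entry that is present with a null value throws a NullPointerException instead of failing verification, and the `secQuestion0` clause on the context line above has the same shape. A null-safe form is `Objects.equals(submittedAnswers.get("secQuestion1"), secQuestionStore.get(verifyUserId).get("secQuestion1"))` (needs `java.util.Objects`), which also makes the preceding `containsKey` check redundant. Both clauses look up the stored answers by the fixed `verifyUserId` rather than by the caller's id; that appears to be the lesson's intended weakness rather than a slip, so it should be left alone here but is worth a one-line comment saying so. The enclosing method starts and ends outside the hunk.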
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
index 1ef8ba7d5..2fc04c5bf 100644
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
@@ -7,6 +7,7 @@ import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
@@ -28,6 +29,9 @@ import java.util.Map;
 @AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
 public class VerifyAccount extends AssignmentEndpoint {
+    @Autowired
+    private WebSession webSession;
+
     @Autowired
     UserSessionData userSessionData;
diff --git a/webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/plugin/BypassVerificationTest.java b/webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/plugin/BypassVerificationTest.java
new file mode 100644
index 000000000..ddd0cc1da
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/plugin/BypassVerificationTest.java
@@ -0,0 +1,86 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ */
+
+package org.owasp.webgoat.plugin;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.boot.test.context.TestComponent;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+@RunWith(MockitoJUnitRunner.class)
+public class BypassVerificationTest extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        VerifyAccount verifyAccount = new VerifyAccount();
+        init(verifyAccount);
+        this.mockMvc = standaloneSetup(verifyAccount).build();
+    }
+
+    @Test
+    public void placeHolder() {
+        assert (true);
+    }
+
+//TODO: Finish tests below ... getting null on injected/mocked userSession for some reason (in AssignmentEndpoint:58 even though it it mocked via AssignmentEncpointTest and works in other tests)
+// @Test
+// public void testCheatingDetection() throws Exception {
+// ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/auth-bypass/verify-account")
+// .param("secQuestion0","Dr. Watson")
+// .param("secQuestion1","Baker Street")
+// .param("verifyMethod","SEC_QUESTIONS")
+// .param("userId","1223445"));
+//
+// results.andExpect(status().isOk())
+// .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("verify-account.cheated"))));
+// }
+
+// @Test
+// public void success() {
+//
+// }
+
+// @Test
+// public void failure() {
+//
+// }
+
+}
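Review bot: The new `webSession` field in the second hunk is injected but never referenced within the hunk, and the class body continues outside it; if nothing in the rest of the class reads it, both the field and the `WebSession` import added in the first hunk are dead and should be dropped. If it is needed, it also differs from the neighbouring `userSessionData` field, which is package-private — pick one visibility for both (`private` being the safer default) and consider constructor injection, which would let the test added in this commit pass a mock directly instead of depending on field reflection.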
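Review bot: `assert (true);` in `placeHolder` verifies nothing — Java `assert` statements are disabled unless the JVM is started with `-ea`, so this test is green under any build configuration and hides that the file has no working coverage. With JUnit already imported, either remove the placeholder or keep the pending methods as real `@Test` methods marked `@Ignore("see TODO")` so the runner reports them as skipped rather than passing. Several imports serve only the commented-out block or nothing at all (`TestComponent`, `MediaType`, `when`, `ResultActions`, `MockMvcRequestBuilders`, `CoreMatchers`, `jsonPath`, `status`) and will be flagged by the build's lint. The TODO about the null `userSession` would be easier to act on if it named the failing call instead of a line number (`AssignmentEndpoint:58`), which will drift as that file changes.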