Added Assignment for Security Questions.

webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html

@@ -236,5 +236,35 @@
     <div class="adoc-content" th:replace="doc:PasswordReset_mitigation.adoc"></div>
 </div>
 
-
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:PasswordReset_SecurityQuestions.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/PasswordReset/SecurityQuestions"
+              enctype="application/json;charset=UTF-8">
+            <select name="question">
+                <option>What is your favorite animal?</option>
+                <option>In what year was your mother born?</option>
+                <option>What was the time you were born?</option>
+                <option>What is the name of the person you first kissed?</option>
+                <option>What was the house number and street name you lived in as a child?</option>
+                <option>In what town or city was your first full time job?</option>
+                <option>In what city were you born?</option>
+                <option>On which wrist do you were your watch?</option>
+                <option>What was the last name of your favorite teacher in grade three?</option>
+                <option>What is the name of a college/job you applied to but didn't attend?</option>
+                <option>What are the last 5 digits of your drivers license?</option>
+                <option>What was your childhood nickname?</option>
+                <option>Who was your childhood hero?</option>
+                <option>What is your favorite color?</option>
+            </select>
+            <input name="Check Question" value="check" type="SUBMIT"/>
+        </form>
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
 </html>

webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties

@@ -13,7 +13,7 @@ password-reset-solved=Congratulations you solved the assignment, please type in
 password-reset-not-solved=Sorry but you did not redirect the reset link to WebWolf
 
 password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf.
-password-reset-hint2=Look at the link, can you think of how the server creates this link?
+password-reset-hint2=Look at the link, can you think how the server creates this link?
 password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
 password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090?
 password-reset-hint5=Intercept the request and change the host header.

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc

@@ -0,0 +1,17 @@
+== Choosing a Security Question
+
+We have already talked about Security questions a bit. A good security question should meet the following criteria:
+
+- Safe: The answer should not be easy to research or guess.
+- Stable: The answer should be stable, meaning that it is not subject to change.
+- Memorable: The answer should be easy to remember.
+- Simple: The question should be: precise, easy and consistent.
+- Many: The question should have many possible answers.
+
+== Try It! Choosing a  good security question.
+
+In this assignment your goal is to good security question from the dropdown list below.
+The Assignment is complete when you picked a security question which is considered good.
+
+Note: Some may say that one question is better than another, so this list is a bit subjective.
+      But you should not be having any problem differencing between the good and bad.

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc

@@ -4,10 +4,10 @@ When creating a password reset link you need to make sure:
 
 - It is a unique link with a random token
 - It can only be used once
-- The link is only valid for one hour
+- The link is only valid for a limited amount of time.
 
 Send a link with a random token means an attacker cannot start a simple DOS attack to your website by starting to
-block users. The link should not be used more then once which makes it impossible to change the password again.
+block users. The link should not be used more than once which makes it impossible to change the password again.
 The time out is necessary to restrict the attack window, having a link opens up a lot of possibilities for the attacker.
 
 == Assignment
@@ -16,3 +16,4 @@ Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and
 that password. Note: it is not possible to use OWASP ZAP for this lesson.
 
 Tom always resets his password immediately after receiving the email with the link.
+

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_known_questions.adoc

@@ -17,7 +17,7 @@ resets, a good resource for security questions is: http://goodsecurityquestions.
 
 Users can retrieve their password if they can answer the secret question properly. There is no lock-out mechanism on
 this 'Forgot Password' page. Your username is 'webgoat' and your favorite color is 'red'. The goal is to retrieve the
-password of another user.
+password of another user. Users you could try are: "tom", "admin" and "larry".