dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added Assignment for Security Questions.

Browse Source
This commit is contained in:
Tobias-Melzer
2018-12-11 12:52:57 +01:00
committed by Nanne Baars
parent 8b61811278
commit bbb0b607b2
12 changed files with 209 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc Normal file
View File

@ -0,0 +1,17 @@
== Choosing a Security Question
We have already talked about Security questions a bit. A good security question should meet the following criteria:
- Safe: The answer should not be easy to research or guess.
- Stable: The answer should be stable, meaning that it is not subject to change.
- Memorable: The answer should be easy to remember.
- Simple: The question should be: precise, easy and consistent.
- Many: The question should have many possible answers.
== Try It! Choosing a good security question.
In this assignment your goal is to good security question from the dropdown list below.
The Assignment is complete when you picked a security question which is considered good.
Note: Some may say that one question is better than another, so this list is a bit subjective.
But you should not be having any problem differencing between the good and bad.

5
webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
View File

@ -4,10 +4,10 @@ When creating a password reset link you need to make sure:
- It is a unique link with a random token
- It can only be used once
- The link is only valid for one hour
- The link is only valid for a limited amount of time.
Send a link with a random token means an attacker cannot start a simple DOS attack to your website by starting to
block users. The link should not be used more then once which makes it impossible to change the password again.
block users. The link should not be used more than once which makes it impossible to change the password again.
The time out is necessary to restrict the attack window, having a link opens up a lot of possibilities for the attacker.
== Assignment
@ -16,3 +16,4 @@ Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and
that password. Note: it is not possible to use OWASP ZAP for this lesson.
Tom always resets his password immediately after receiving the email with the link.

2
webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_known_questions.adoc
View File

@ -17,7 +17,7 @@ resets, a good resource for security questions is: http://goodsecurityquestions.
Users can retrieve their password if they can answer the secret question properly. There is no lock-out mechanism on
this 'Forgot Password' page. Your username is 'webgoat' and your favorite color is 'red'. The goal is to retrieve the
password of another user.
password of another user. Users you could try are: "tom", "admin" and "larry".