Rename authbypass

2022-07-26 23:46:27 +02:00
parent 005b9f03a4
commit c63345e4ee
12 changed files with 9 additions and 8 deletions
--- a/src/main/resources/lessons/authbypass/documentation/2fa-bypass.adoc
+++ b/src/main/resources/lessons/authbypass/documentation/2fa-bypass.adoc
@ -0,0 +1,15 @@
+
+== 2FA Password Reset
+
+An excellent example of authentication bypass is a recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass). He could not receive an SMS with a code, so he opted for
+an alternative method, which involved security questions.  Using a proxy, removed the parameters entirely and won.
+
+image::images/paypal-2fa-bypass.png[Paypal 2FA bypass,1397,645,style="lesson-image"]
+
+
+=== The Scenario
+
+You reset your password, but do it from a location or device that your provider does not recognize. So you need to answer the security questions you set up.  The other issue is
+Those security questions are also stored on another device (not with you), and you don't remember them.
+
+You have already provided your username/email and opted for the alternative verification method.
--- a/src/main/resources/lessons/authbypass/documentation/bypass-intro.adoc
+++ b/src/main/resources/lessons/authbypass/documentation/bypass-intro.adoc
@ -0,0 +1,15 @@
+== Authentication Bypasses
+
+Authentication Bypasses happen in many ways but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
+
+=== Hidden inputs
+
+The simplest form is a reliance on a hidden input in the web page/DOM.
+
+=== Removing Parameters
+
+Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove it from the submission altogether to see what happens.
+
+=== Forced Browsing
+
+If an area of a site is not appropriately protected by configuration, that area of the site may be accessed by guessing/brute-forcing.
--- a/src/main/resources/lessons/authbypass/documentation/lesson-template-video.adoc
+++ b/src/main/resources/lessons/authbypass/documentation/lesson-template-video.adoc
@ -0,0 +1,7 @@
+=== More Content, Video too ...
+
+You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this, though.
+
+video::video/sample-video.m4v[width=480,start=5]
+
+see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax
--- a/src/main/resources/lessons/authbypass/html/AuthBypass.html
+++ b/src/main/resources/lessons/authbypass/html/AuthBypass.html
@ -0,0 +1,86 @@
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+
+            <!-- modify the action to point to the intended endpoint and set other attributes as desired -->
+            <script th:src="@{/lesson_js/bypass.js}" />
+            <form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
+                  method="POST" name="form"
+                  successCallback="onBypassResponse"
+                  action="/WebGoat/auth-bypass/verify-account">
+                <p>Verify Your Account by answering the questions below:</p>
+
+                <p>What is the name of your favorite teacher?</p>
+                <input name="secQuestion0" value="" type="TEXT" /><br/>
+
+                <p>What is the name of the street you grew up on?</p>
+                <input name="secQuestion1" value="" type="TEXT" /><br/><br />
+
+                <input type="hidden" name="jsEnabled" value="1" />
+                <input type="hidden" name="verifyMethod" value="SEC_QUESTIONS" />
+                <input type="hidden" name="userId" value="12309746" />
+
+                <input name="submit" value="Submit" type="submit"/>
+
+            </form>
+
+            <form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
+                  method="POST" name="form"
+                  successCallback="onBypassResponse"
+                  action="/WebGoat/auth-bypass/verify-account"
+                  style="display:none"><!-- start off hidden -->
+                <p>Please provide a new password for your account</p>
+
+                <p>Password:</p>
+                <input name="newPassword" value="" type="password" /><br/>
+
+                <p>Confirm Password:</p>
+                <input name="newPasswordConfirm" value="" type="password" /><br/><br />
+
+                <input type="hidden" name="userId" value="12309746" />
+
+                <input name="submit" value="Submit" type="submit"/>
+
+            </form>
+
+            <!-- do not remove the two following div's, this is where your feedback/output will land -->
+            <!-- the attack response will include a 'feedback' and that will automatically go here -->
+            <div class="attack-feedback"></div>
+            <!-- output is intended to be a simulation of what the screen would display in an attack -->
+            <div class="attack-output"></div>
+        </div>
+
+    </div>
+
+    <!--<div class="lesson-page-wrapper">-->
+        <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
+        <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
+
+        <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
+
+    <!--</div>-->
+
+    <!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ...
+        see other lessons for other more complex examples -->
+
+</html>
--- a/src/main/resources/lessons/authbypass/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/authbypass/i18n/WebGoatLabels.properties
@ -0,0 +1,11 @@
+auth-bypass.title=Authentication Bypasses
+
+verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again.
+verify-account.failed=Not quite, please try again.
+verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password!
+
+auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same.
+auth-bypass.hints.verify.2=You do want to tamper the  security  question parameters, but not delete them
+auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
+auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?
+
--- a/src/main/resources/lessons/authbypass/images/firefox-proxy-config.png
+++ b/src/main/resources/lessons/authbypass/images/firefox-proxy-config.png
--- a/src/main/resources/lessons/authbypass/images/paypal-2fa-bypass.png
+++ b/src/main/resources/lessons/authbypass/images/paypal-2fa-bypass.png
--- a/src/main/resources/lessons/authbypass/js/bypass.js
+++ b/src/main/resources/lessons/authbypass/js/bypass.js
@ -0,0 +1,15 @@
+// need custom js for this?
+
+webgoat.customjs.onBypassResponse = function(data) {
+    webgoat.customjs.jquery('#verify-account-form').hide();
+    webgoat.customjs.jquery('#change-password-form').show();
+}
+
+var onViewProfile = function () {
+    console.warn("on view profile activated")
+    webgoat.customjs.jquery.ajax({
+        method: "GET",
+        url: "/WebGoat/IDOR/profile",
+        contentType: 'application/json; charset=UTF-8'
+     }).then(webgoat.customjs.idorViewProfile);
+}