Merge pull request #375 from misfir3/develop
Minor Updates to Categories and IDOR hints
		| @ -38,24 +38,25 @@ public enum Category { | ||||
|  | ||||
|     INTRODUCTION("Introduction", new Integer(5)), | ||||
|     GENERAL("General", new Integer(100)), | ||||
|     ACCESS_CONTROL("Access Control Flaws", new Integer(200)), | ||||
|     AJAX_SECURITY("AJAX Security", new Integer(400)), | ||||
|     AUTHENTICATION("Authentication Flaws", new Integer(500)), | ||||
|     BUFFER_OVERFLOW("Buffer Overflows", new Integer(600)), | ||||
|     CODE_QUALITY("Code Quality", new Integer(700)), | ||||
|     CONCURRENCY("Concurrency", new Integer(800)), | ||||
|     XSS("Cross-Site Scripting (XSS)", new Integer(900)), | ||||
|     ERROR_HANDLING("Improper Error Handling", new Integer(1000)), | ||||
|     INJECTION("Injection Flaws", new Integer(1100)), | ||||
|     DOS("Denial of Service", new Integer(1200)), | ||||
|     INSECURE_COMMUNICATION("Insecure Communication", new Integer(1300)), | ||||
|     INSECURE_CONFIGURATION("Insecure Configuration", new Integer(1400)), | ||||
|     INSECURE_STORAGE("Insecure Storage", new Integer(1500)), | ||||
|     INJECTION("Injection Flaws", new Integer(200)), | ||||
|     AUTHENTICATION("Authentication Flaws", new Integer(300)), | ||||
|     XSS("Cross-Site Scripting (XSS)", new Integer(400)), | ||||
|     ACCESS_CONTROL("Access Control Flaws", new Integer(500)), | ||||
|     INSECURE_CONFIGURATION("Insecure Configuration", new Integer(600)), | ||||
|     INSECURE_COMMUNICATION("Insecure Communication", new Integer(700)), | ||||
|     INSECURE_STORAGE("Insecure Storage", new Integer(800)), | ||||
|     REQUEST_FORGERIES("Request Forgeries", new Integer(900)), | ||||
|     VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(950)), | ||||
|     AJAX_SECURITY("AJAX Security", new Integer(1000)), | ||||
|     BUFFER_OVERFLOW("Buffer Overflows", new Integer(1100)), | ||||
|     CODE_QUALITY("Code Quality", new Integer(1200)), | ||||
|     CONCURRENCY("Concurrency", new Integer(1300)), | ||||
|     ERROR_HANDLING("Improper Error Handling", new Integer(1400)), | ||||
|     DOS("Denial of Service", new Integer(1500)), | ||||
|     MALICIOUS_EXECUTION("Malicious Execution", new Integer(1600)), | ||||
|     CLIENT_SIDE("Client side", new Integer(1700)), | ||||
|     SESSION_MANAGEMENT("Session Management Flaws", new Integer(1800)), | ||||
|     WEB_SERVICES("Web Services", new Integer(1900)), | ||||
|     VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(1950)), | ||||
|     ADMIN_FUNCTIONS("Admin Functions", new Integer(2000)), | ||||
|     CHALLENGE("Challenges", new Integer(3000)); | ||||
|  | ||||
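Review bot: Every reordered constant in this hunk still boxes its ranking with `new Integer(n)`, a constructor that always allocates and has been discouraged in favor of `Integer.valueOf(n)` or plain autoboxing; since the whole block is being rewritten anyway this is the moment to switch, e.g. `INJECTION("Injection Flaws", 200),` (the enum constructor is outside the hunk, so confirm it takes an `Integer` or `int`). The new ordering also keeps `VULNERABLE_COMPONENTS` labelled `"Vulnerable Components - A9"` while no other category carries an OWASP Top-10 suffix; either add a short comment stating the suffix is deliberate or drop it for consistency. The enum body continues outside the hunk.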
|  | ||||
| @ -91,6 +91,7 @@ define(['jquery', | ||||
|             this.curForm = curForm; | ||||
|             this.$curFeedback = $(curForm).closest('.attack-container').find('.attack-feedback'); | ||||
|             this.$curOutput = $(curForm).closest('.attack-container').find('.attack-output'); | ||||
|  | ||||
|             var formUrl = $(curForm).attr('action'); | ||||
|             var formMethod = $(curForm).attr('method'); | ||||
|             var contentType = ($(curForm).attr('contentType')) ? $(curForm).attr('contentType') : 'application/x-www-form-urlencoded; charset=UTF-8'; | ||||
| @ -100,9 +101,9 @@ define(['jquery', | ||||
|                 method:formMethod, | ||||
|                 contentType:contentType, | ||||
|                 data: submitData, | ||||
|                 complete: function (data) { | ||||
|                     callbackFunction(); | ||||
|                 } | ||||
|                 //complete: function (data) { | ||||
|                     //callbackFunction(data); | ||||
|                 //} | ||||
|             }).then(self.onSuccessResponse.bind(self), self.onErrorResponse.bind(self)); | ||||
|             return false; | ||||
|          }, | ||||
| @ -110,13 +111,20 @@ define(['jquery', | ||||
|         onSuccessResponse: function(data) { | ||||
|             this.renderFeedback(data.feedback); | ||||
|             this.renderOutput(data.output || ""); | ||||
|  | ||||
|             var successCallBackFunctionName = this.$form.attr('successCallback'); | ||||
|             var failureCallbackFunctionName = this.$form.attr('failureCallback'); | ||||
|             //var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize(); | ||||
|             successCallbackFunction = (typeof webgoat.customjs[successCallBackFunctionName] === 'function') ? webgoat.customjs[successCallBackFunctionName] : function() {}; | ||||
|             failureCallbackFunction = (typeof webgoat.customjs[failureCallbackFunctionName] === 'function') ? webgoat.customjs[failureCallbackFunctionName] : function() {}; | ||||
|             //TODO: refactor back assignmentCompleted in Java | ||||
|             if (data.lessonCompleted || data.assignmentCompleted) { | ||||
|  | ||||
|                 this.markAssignmentComplete(); | ||||
|                 successCallbackFunction(data); //data is likely not useful, except maybe the output ... | ||||
|                 this.trigger('assignment:complete'); | ||||
|             } else { | ||||
|                 this.markAssignmentIncomplete(); | ||||
|                 this.markAssignmentIncomplete(data); //again, data might be useful, especially the output | ||||
|                 failureCallbackFunction(); | ||||
|             } | ||||
|             return false; | ||||
|         }, | ||||
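Review bot: `successCallbackFunction` and `failureCallbackFunction` (the two new assignments following the `failureCallbackFunctionName` lookup) are assigned without `var`, so they become implicit globals that any other lesson script can read or clobber, and they would throw a ReferenceError if this module were ever run in strict mode; declare them locally with `var successCallbackFunction = ...;` and `var failureCallbackFunction = ...;`. The lookup should also guard against inherited names, since `typeof webgoat.customjs['constructor'] === 'function'` is true, e.g. by adding `webgoat.customjs.hasOwnProperty(successCallBackFunctionName)` to the condition; the names come from the lesson's own HTML attributes, so this is hygiene rather than an attack surface. The commented-out `complete:` handler in the earlier hunk and the commented `submitData` line here are dead text and should be deleted rather than left as history. `onSuccessResponse` is complete within this hunk, but the enclosing `define([...])` module starts outside it.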
|  | ||||
								webgoat-lessons/auth-bypass/.DS_Store
											Binary file not shown.
								webgoat-lessons/auth-bypass/pom.xml
							| @ -0,0 +1,12 @@ | ||||
| <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||||
|          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> | ||||
|     <modelVersion>4.0.0</modelVersion> | ||||
|     <artifactId>auth-bypass</artifactId> | ||||
|     <packaging>jar</packaging> | ||||
|     <parent> | ||||
|         <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|         <artifactId>webgoat-lessons-parent</artifactId> | ||||
|         <version>8.0-SNAPSHOT</version> | ||||
|     </parent> | ||||
|  | ||||
| </project> | ||||
								webgoat-lessons/auth-bypass/src/.DS_Store
											Binary file not shown.
								webgoat-lessons/auth-bypass/src/main/.DS_Store
											Binary file not shown.
								webgoat-lessons/auth-bypass/src/main/java/.DS_Store
											Binary file not shown.
								webgoat-lessons/auth-bypass/src/main/java/org/.DS_Store
											Binary file not shown.
								webgoat-lessons/auth-bypass/src/main/java/org/owasp/.DS_Store
											Binary file not shown.
								webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/.DS_Store
											Binary file not shown.
							| @ -0,0 +1,69 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.jcodings.util.Hash; | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
|  | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
|  | ||||
| /** | ||||
|  * Created by appsec on 7/18/17. | ||||
|  */ | ||||
| public class AccountVerificationHelper { | ||||
|  | ||||
|  | ||||
|  | ||||
|     //simulating database storage of verification credentials | ||||
|     private  static final Integer verifyUserId = new Integer(1223445); | ||||
|     private static final Map<String,String> userSecQuestions = new HashMap<>(); | ||||
|     static { | ||||
|         userSecQuestions.put("secQuestion0","Dr. Watson"); | ||||
|         userSecQuestions.put("secQuestion1","Baker Street"); | ||||
|     } | ||||
|  | ||||
|     private static final Map<Integer,Map> secQuestionStore = new HashMap<>(); | ||||
|     static { | ||||
|         secQuestionStore.put(verifyUserId,userSecQuestions); | ||||
|     } | ||||
|     // end 'data store set up' | ||||
|  | ||||
|     // this is to aid feedback in the attack process and is not intended to be part of the 'vulnerable' code | ||||
|     public boolean didUserLikelylCheat(HashMap<String,String> submittedAnswers) { | ||||
|         boolean likely = false; | ||||
|  | ||||
|         if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) { | ||||
|             likely = true; | ||||
|         } | ||||
|  | ||||
|         if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) && | ||||
|                 (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) ) { | ||||
|             likely = true; | ||||
|         } else { | ||||
|             likely = false; | ||||
|         } | ||||
|  | ||||
|         return likely; | ||||
|  | ||||
|     } | ||||
|     //end of cheating check ... the method below is the one of real interest. Can you find the flaw? | ||||
|  | ||||
|     public boolean verifyAccount(Integer userId, HashMap<String,String> submittedQuestions ) { | ||||
|         //short circuit if no questions are submitted | ||||
|         if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) { | ||||
|             return false; | ||||
|         } | ||||
|  | ||||
|         if (submittedQuestions.containsKey("secQuestion0") && !submittedQuestions.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) { | ||||
|             return false; | ||||
|         } | ||||
|  | ||||
|         if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) { | ||||
|             return false; | ||||
|         } | ||||
|  | ||||
|         // else | ||||
|         return true; | ||||
|  | ||||
|     } | ||||
| } | ||||
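Review bot: The second check in `verifyAccount` tests `containsKey("secQuestion1")` but then reads `get("seQuestion1")` (missing `c`), so whenever the `secQuestion1` parameter is present and the first check has not already returned false, `get` yields null and `.equals(...)` throws a NullPointerException — a learner who guesses `Dr. Watson` for the first question, or who renames only `secQuestion0`, gets a 500 instead of the `verify-account.failed` feedback. Fix the key: `if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {`; this keeps the intended lesson flaw intact (the `containsKey` guards let renamed parameters skip the comparison, as hint 4 describes). In `didUserLikelylCheat` the size-based `likely = true` is dead code, because the following if/else unconditionally overwrites it; either remove it or fold it into the condition, and fix the method name's `Likelyl` typo while the callers are in the same commit. The imports `org.jcodings.util.Hash`, `UserSessionData` and `Autowired` are unused, and `org.jcodings` in particular should not become a compile-time dependency of this lesson.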
| @ -0,0 +1,65 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.beust.jcommander.internal.Lists; | ||||
| import org.owasp.webgoat.lessons.Category; | ||||
| import org.owasp.webgoat.lessons.NewLesson; | ||||
|  | ||||
| import java.util.List; | ||||
|  | ||||
| /** | ||||
|  * ************************************************************************************************ | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, | ||||
|  * please see http://www.owasp.org/ | ||||
|  * <p> | ||||
|  * Copyright (c) 2002 - 20014 Bruce Mayhew | ||||
|  * <p> | ||||
|  * This program is free software; you can redistribute it and/or modify it under the terms of the | ||||
|  * GNU General Public License as published by the Free Software Foundation; either version 2 of the | ||||
|  * License, or (at your option) any later version. | ||||
|  * <p> | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without | ||||
|  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||||
|  * General Public License for more details. | ||||
|  * <p> | ||||
|  * You should have received a copy of the GNU General Public License along with this program; if | ||||
|  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||||
|  * 02111-1307, USA. | ||||
|  * <p> | ||||
|  * Getting Source ============== | ||||
|  * <p> | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software | ||||
|  * projects. | ||||
|  * <p> | ||||
|  * | ||||
|  * @author misfir3 | ||||
|  * @version $Id: $Id | ||||
|  * @since January 3, 2017 | ||||
|  */ | ||||
| public class AuthBypass extends NewLesson { | ||||
|  | ||||
|     @Override | ||||
|     public Category getDefaultCategory() { | ||||
|         return Category.AUTHENTICATION; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public List<String> getHints() { | ||||
|         return Lists.newArrayList(); | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public Integer getDefaultRanking() { | ||||
|         return 30; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getTitle() { | ||||
|         return "auth-bypass.title"; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getId() { | ||||
|         return "AuthBypass"; | ||||
|     } | ||||
|  | ||||
| } | ||||
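Review bot: `getHints` builds its empty list with `com.beust.jcommander.internal.Lists`, an internal package of JCommander that is not part of its public API and is presumably only reachable transitively, while the sibling `VerifyAccount` added in the same commit uses Guava's `com.google.common.collect.Lists`; use the Guava import here as well, or simply `return Collections.emptyList();` from `java.util`, so the lesson does not break when JCommander changes or is dropped. The header comment also reads `Copyright (c) 2002 - 20014` and `@since January 3, 2017`, which should be `2017` and whatever date this lesson was actually created.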
| @ -0,0 +1,80 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import com.google.common.collect.Lists; | ||||
| import org.jcodings.util.Hash; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.owasp.webgoat.session.UserSessionData; | ||||
| import org.owasp.webgoat.session.WebSession; | ||||
| import org.springframework.beans.factory.annotation.Autowired; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
|  | ||||
| import javax.servlet.ServletException; | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import javax.servlet.http.HttpServletResponse; | ||||
| import java.io.IOException; | ||||
| import java.util.Collections; | ||||
| import java.util.HashMap; | ||||
| import java.util.List; | ||||
|  | ||||
| import java.util.Map; | ||||
|  | ||||
| /** | ||||
|  * Created by jason on 1/5/17. | ||||
|  */ | ||||
|  | ||||
| @AssignmentPath("/auth-bypass/verify-account") | ||||
| @AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"}) | ||||
| public class VerifyAccount extends AssignmentEndpoint { | ||||
|  | ||||
|     @Autowired | ||||
|     private WebSession webSession; | ||||
|  | ||||
|     @Autowired | ||||
|     UserSessionData userSessionData; | ||||
|  | ||||
|     @PostMapping(produces = {"application/json"}) | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException { | ||||
|  | ||||
|  | ||||
|         AccountVerificationHelper verificationHelper = new AccountVerificationHelper(); | ||||
|         Map<String,String> submittedAnswers = parseSecQuestions(req); | ||||
|         if (verificationHelper.didUserLikelylCheat((HashMap)submittedAnswers)) { | ||||
|             return trackProgress(failed() | ||||
|             .feedback("verify-account.cheated") | ||||
|             .output("Yes, you guessed correcctly,but see the feedback message") | ||||
|             .build()); | ||||
|         } | ||||
|  | ||||
|         // else | ||||
|         if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) { | ||||
|             userSessionData.setValue("account-verified-id", userId); | ||||
|             return trackProgress(success() | ||||
|             .feedback("verify-account.success") | ||||
|             .build()); | ||||
|         } else { | ||||
|             return trackProgress(failed() | ||||
|             .feedback("verify-account.failed") | ||||
|             .build()); | ||||
|         } | ||||
|  | ||||
|     } | ||||
|  | ||||
|     private HashMap<String,String> parseSecQuestions (HttpServletRequest req) { | ||||
|  | ||||
|         Map <String,String> userAnswers = new HashMap<>(); | ||||
|         List<String> paramNames = Collections.list(req.getParameterNames()); | ||||
|         for  (String paramName : paramNames) { | ||||
|             //String paramName = req.getParameterNames().nextElement(); | ||||
|             if (paramName.contains("secQuestion")) { | ||||
|                 userAnswers.put(paramName,req.getParameter(paramName)); | ||||
|             } | ||||
|         } | ||||
|         return (HashMap)userAnswers; | ||||
|  | ||||
|     } | ||||
|  | ||||
| } | ||||
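Review bot: `new Integer(userId)` in `completed` converts a client-supplied `@RequestParam String` with no validation, so a non-numeric `userId` — a trivial edit in a lesson that is explicitly about tampering with parameters — raises an unhandled NumberFormatException and a 500 instead of a lesson response; parse the value first and return `trackProgress(failed().feedback("verify-account.failed").build())` when parsing fails, or declare the parameter as `@RequestParam Integer userId` and let Spring answer 400 (in that case `userSessionData.setValue("account-verified-id", userId)` stores an Integer instead of a String, so confirm whatever reads that key). `verifyMethod` is required by `@RequestParam` but never read, and the value stored under `account-verified-id` is the raw client `userId` that `verifyAccount` never actually compares against anything (it checks the hard-coded `verifyUserId`), which deserves a comment such as `// lesson simulation: the stored id is client-supplied and has not been verified` so nobody later treats it as trusted state. The `webSession` field and the imports `org.jcodings.util.Hash`, `Lists` and `HttpServletResponse` are unused and can go.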
								webgoat-lessons/auth-bypass/src/main/resources/.DS_Store
											Binary file not shown.
								webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store
											Binary file not shown.
							| @ -0,0 +1,88 @@ | ||||
| <html xmlns:th="http://www.thymeleaf.org"> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
|         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
|         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:bypass-intro.adoc"></div> | ||||
|     </div> | ||||
|  | ||||
|     <div class="lesson-page-wrapper"> | ||||
|         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
|         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
|         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <div class="adoc-content" th:replace="doc:2fa-bypass.adoc"></div> | ||||
|         <div class="attack-container"> | ||||
|             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
|             <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> | ||||
|             <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> | ||||
|             <!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> | ||||
|  | ||||
|             <!-- modify the action to point to the intended endpoint and set other attributes as desired --> | ||||
|             <script th:src="@{/lesson_js/bypass.js}" /> | ||||
|             <form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form" | ||||
|                   method="POST" name="form" | ||||
|                   successCallback="onBypassResponse" | ||||
|                   action="/WebGoat/auth-bypass/verify-account" | ||||
|                   enctype="application/json;charset=UTF-8"> | ||||
|                 <p>Verify Your Account by answering the questions below:</p> | ||||
|  | ||||
|                 <p>What is the name of your favorite teacher?</p> | ||||
|                 <input name="secQuestion0" value="" type="TEXT" /><br/> | ||||
|  | ||||
|                 <p>What is the name of the street you grew up on?</p> | ||||
|                 <input name="secQuestion1" value="" type="TEXT" /><br/><br /> | ||||
|  | ||||
|                 <input type="hidden" name="jsEnabled" value="1" /> | ||||
|                 <input type="hidden" name="verifyMethod" value="SEC_QUESTIONS" /> | ||||
|                 <input type="hidden" name="userId" value="12309746" /> | ||||
|  | ||||
|                 <input name="submit" value="Submit" type="submit"/> | ||||
|  | ||||
|             </form> | ||||
|  | ||||
|             <form class="attack-form" accept-charset="UNKNOWN" id="change-password-form" | ||||
|                   method="POST" name="form" | ||||
|                   successCallback="onBypassResponse" | ||||
|                   action="/WebGoat/auth-bypass/verify-account" | ||||
|                   enctype="application/json;charset=UTF-8" | ||||
|                   style="display:none"><!-- start off hidden --> | ||||
|                 <p>Please provide a new password for your account</p> | ||||
|  | ||||
|                 <p>Password:</p> | ||||
|                 <input name="newPassword" value="" type="password" /><br/> | ||||
|  | ||||
|                 <p>Confirm Password:</p> | ||||
|                 <input name="newPasswordConfirm" value="" type="password" /><br/><br /> | ||||
|  | ||||
|                 <input type="hidden" name="userId" value="12309746" /> | ||||
|  | ||||
|                 <input name="submit" value="Submit" type="submit"/> | ||||
|  | ||||
|             </form> | ||||
|  | ||||
|             <!-- do not remove the two following div's, this is where your feedback/output will land --> | ||||
|             <!-- the attack response will include a 'feedback' and that will automatically go here --> | ||||
|             <div class="attack-feedback"></div> | ||||
|             <!-- output is intended to be a simulation of what the screen would display in an attack --> | ||||
|             <div class="attack-output"></div> | ||||
|         </div> | ||||
|  | ||||
|     </div> | ||||
|  | ||||
|     <!--<div class="lesson-page-wrapper">--> | ||||
|         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson --> | ||||
|         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||||
|         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||||
|         <!--<div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>--> | ||||
|         <!-- can use multiple adoc's in a page-wrapper if you want ... or not--> | ||||
|         <!--<div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>--> | ||||
|  | ||||
|         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below --> | ||||
|  | ||||
|     <!--</div>--> | ||||
|  | ||||
|     <!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ... | ||||
|         see other lessons for other more complex examples --> | ||||
|  | ||||
| </html> | ||||
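Review bot: The hidden `change-password-form` posts to `/WebGoat/auth-bypass/verify-account`, the same endpoint as the verification form, and this commit adds no password-change endpoint; because `VerifyAccount.parseSecQuestions` only collects `secQuestion*` parameters, a submission carrying `newPassword`/`newPasswordConfirm` always fails the size check and returns `verify-account.failed`, so the second step of the lesson cannot complete — point the action at a real endpoint or mark the form with `<!-- TODO: wire to a change-password endpoint -->`. Both forms declare `enctype="application/json;charset=UTF-8"`, but the framework's submit code reads a `contentType` attribute and otherwise defaults to urlencoded, which is also what the `@RequestParam` handler needs, so the `enctype` is misleading and should be dropped. The self-closing `<script th:src="@{/lesson_js/bypass.js}" />` may swallow the following markup depending on how the template engine serializes it; write an explicit `</script>`.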
| @ -0,0 +1,11 @@ | ||||
| auth-bypass.title=Authentication Bypasses | ||||
|  | ||||
| verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again. | ||||
| verify-account.failed=Not quite, please try again. | ||||
| verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password! | ||||
|  | ||||
| auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same. | ||||
| auth-bypass.hints.verify.2=You do want to tamper the  security  question parameters, but not delete them | ||||
| auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation | ||||
| auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters? | ||||
|  | ||||
								webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js
							| @ -0,0 +1,15 @@ | ||||
| // need custom js for this? | ||||
|  | ||||
| webgoat.customjs.onBypassResponse = function(data) { | ||||
|     webgoat.customjs.jquery('#verify-account-form').hide(); | ||||
|     webgoat.customjs.jquery('#change-password-form').show(); | ||||
| } | ||||
|  | ||||
| var onViewProfile = function () { | ||||
|     console.warn("on view profile activated") | ||||
|     webgoat.customjs.jquery.ajax({ | ||||
|         method: "GET", | ||||
|         url: "/WebGoat/IDOR/profile", | ||||
|         contentType: 'application/json; charset=UTF-8' | ||||
|      }).then(webgoat.customjs.idorViewProfile); | ||||
| } | ||||
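Review bot: `onViewProfile` is a leftover from the IDOR lesson — it requests `/WebGoat/IDOR/profile` and chains `webgoat.customjs.idorViewProfile`, neither of which belongs to this lesson, and nothing in the added HTML references it — so delete it. `onBypassResponse` is the `successCallback` of both forms, which means a successful password change would hide the already hidden verify form and re-show the change-password form; if that form ever gets a real endpoint it needs its own handler. The two function expressions also lack terminating semicolons, and the opening `// need custom js for this?` should be replaced by a one-line description such as `// Swaps the verify-account form for the change-password form once verification succeeds.`.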
| @ -0,0 +1,15 @@ | ||||
|  | ||||
| == 2FA Password Reset | ||||
|  | ||||
| A recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass) is a great example of authentication bypass. He was unable to receive an SMS with a code, so he opted for the provided | ||||
| alternative method, which involved security questions.  Using a proxy, removed the parameters entirely ... and won. | ||||
|  | ||||
| image::images/paypal-2fa-bypass.png[Paypal 2FA bypass,1397,645,style="lesson-image"] | ||||
|  | ||||
|  | ||||
| === The Scenario | ||||
|  | ||||
| You are resetting your password, but doing it from a location or device that your provider does not recognize. So you need to answer the security questions you set up.  The other issue is | ||||
| that those security questions are also stored on another device (not with you) and you don't remember them. | ||||
|  | ||||
| You have already provided your username/email and opted for the alternative verification method. | ||||
| @ -0,0 +1,15 @@ | ||||
| == Authentication Bpasses | ||||
|  | ||||
| Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions. | ||||
|  | ||||
| === Hidden inputs | ||||
|  | ||||
| The simplest form is a reliance on a hidden input that is in the web page/DOM. | ||||
|  | ||||
| === Removing Parameters | ||||
|  | ||||
| Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove the parameter from the submission altogether to see what happens. | ||||
|  | ||||
| === Forced Browsing | ||||
|  | ||||
| If an area of a site is not protected properly by configuation, that area of the site may be accessed by guessing/brute-forcing. | ||||
| @ -0,0 +1,7 @@ | ||||
| === More Content, Video too ... | ||||
|  | ||||
| You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though. | ||||
|  | ||||
| video::video/sample-video.m4v[width=480,start=5] | ||||
|  | ||||
| see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax | ||||
							| @ -0,0 +1,86 @@ | ||||
| /* | ||||
|  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, | ||||
|  * please see http://www.owasp.org/ | ||||
|  * <p> | ||||
|  * Copyright (c) 2002 - 2017 Bruce Mayhew | ||||
|  * <p> | ||||
|  * This program is free software; you can redistribute it and/or modify it under the terms of the | ||||
|  * GNU General Public License as published by the Free Software Foundation; either version 2 of the | ||||
|  * License, or (at your option) any later version. | ||||
|  * <p> | ||||
|  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without | ||||
|  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||||
|  * General Public License for more details. | ||||
|  * <p> | ||||
|  * You should have received a copy of the GNU General Public License along with this program; if | ||||
|  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||||
|  * 02111-1307, USA. | ||||
|  * <p> | ||||
|  * Getting Source ============== | ||||
|  * <p> | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software | ||||
|  * projects. | ||||
|  * <p> | ||||
|  */ | ||||
|  | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.hamcrest.CoreMatchers; | ||||
| import org.junit.Before; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.mockito.runners.MockitoJUnitRunner; | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpointTest; | ||||
| import org.springframework.boot.test.context.TestComponent; | ||||
| import org.springframework.http.MediaType; | ||||
| import org.springframework.test.web.servlet.MockMvc; | ||||
| import org.springframework.test.web.servlet.ResultActions; | ||||
| import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; | ||||
|  | ||||
|  | ||||
| import static org.mockito.Mockito.when; | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; | ||||
| import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup; | ||||
|  | ||||
| @RunWith(MockitoJUnitRunner.class) | ||||
| public class BypassVerificationTest extends AssignmentEndpointTest { | ||||
|  | ||||
|     private MockMvc mockMvc; | ||||
|  | ||||
|     @Before | ||||
|     public void setup() { | ||||
|         VerifyAccount verifyAccount = new VerifyAccount(); | ||||
|         init(verifyAccount); | ||||
|         this.mockMvc = standaloneSetup(verifyAccount).build(); | ||||
|     } | ||||
|  | ||||
|     @Test | ||||
|     public void placeHolder() { | ||||
|         assert (true); | ||||
|     } | ||||
|  | ||||
| //TODO: Finish tests below ... getting null on injected/mocked userSession for some reason (in AssignmentEndpoint:58 even though it it mocked via AssignmentEncpointTest and works in other tests) | ||||
| //    @Test | ||||
| //    public void testCheatingDetection() throws Exception { | ||||
| //       ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/auth-bypass/verify-account") | ||||
| //               .param("secQuestion0","Dr. Watson") | ||||
| //               .param("secQuestion1","Baker Street") | ||||
| //               .param("verifyMethod","SEC_QUESTIONS") | ||||
| //               .param("userId","1223445")); | ||||
| // | ||||
| //        results.andExpect(status().isOk()) | ||||
| //                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("verify-account.cheated")))); | ||||
| //    } | ||||
|  | ||||
| //    @Test | ||||
| //    public void success() { | ||||
| // | ||||
| //    } | ||||
|  | ||||
| //    @Test | ||||
| //    public void failure() { | ||||
| // | ||||
| //    } | ||||
|  | ||||
| } | ||||
| @ -18,7 +18,7 @@ idor.hints.otherProfile5=To edit the other user's profile, you will use the same | ||||
| idor.hints.otherProfile6=To edit, You will need to change the method, what is the RESTful method  used for 'update' or 'edit'? | ||||
| idor.hints.otherProfile7=You will also need the body of the request (will look something like the profile) | ||||
| idor.hints.otherProfile8=The request should go to ... /WebGoat/IDOR/profile/{Buffalo Bills Id} | ||||
| idor.hints.otherProfile9={\"role\" : 1,\"color\" : \"red\",\"size\" : \"small\",\"name\" : \"Tom Cat\",\"userId\" : \"2342388\"} | ||||
| idor.hints.otherProfile9=Your payload should look something like ... {\"role\" : 1,\"color\" : \"red\",\"size\" : \"small\",\"name\" : \"Tom Cat\",\"userId\" : \"2342388\"} | ||||
|  | ||||
| idor.diff.attributes.missing=You did not list two attributes, comma delimited | ||||
| idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind | ||||
|  | ||||
| @ -24,7 +24,7 @@ public class JWT extends NewLesson { | ||||
|  | ||||
|     @Override | ||||
|     public Integer getDefaultRanking() { | ||||
|         return null; | ||||
|         return 40; | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
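Review bot: `return 40;` replaces the null with a bare magic number and nothing in the hunk says what the ranking is relative to, so a one-line comment is warranted, e.g. `// display order within the lesson's category; lower ranks are listed first` — the meaning of the rank is not visible here, so confirm the wording against NewLesson before adding it. Returning a concrete Integer does look like a fix in itself, since a null default ranking presumably breaks wherever lessons are sorted, and it would be worth a sentence in the PR description. The rest of the class lies outside this hunk.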
|  | ||||
| @ -27,6 +27,7 @@ | ||||
|         <module>xxe</module> | ||||
|         <module>idor</module> | ||||
|         <module>vulnerable-components</module> | ||||
| 	<module>auth-bypass</module> | ||||
|         <!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml to have it run in the project fully --> | ||||
|         <!--<module>webgoat-lesson-template</module>--> | ||||
|     </modules> | ||||
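Review bot: The added `<module>auth-bypass</module>` entry appears to be indented with a tab while the neighbouring module lines use eight spaces, which shows up as a misaligned line in most editors and trips whitespace linters; reindent it to match, `        <module>auth-bypass</module>`. Placing it after `vulnerable-components` rather than in alphabetical order is a smaller nit, but the existing list does not look alphabetical either, so that can stand.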
|  | ||||
| @ -25,7 +25,7 @@ | ||||
|         <form class="attack-form" accept-charset="UNKNOWN" | ||||
|               method="POST" name="form" | ||||
|               prepareData="simpleXXE" | ||||
|               callback="simpleXXECallback" | ||||
|               successCallback="simpleXXECallback" | ||||
|               contentType="application/xml" | ||||
|               action="/WebGoat/xxe/simple"> | ||||
|             <div class="container-fluid"> | ||||
| @ -81,7 +81,7 @@ | ||||
|         <form class="attack-form" accept-charset="UNKNOWN" | ||||
|               method="POST" name="form" | ||||
|               prepareData="contentTypeXXE" | ||||
|               callback="contentTypeXXECallback" | ||||
|               successCallback="contentTypeXXECallback" | ||||
|               action="xxe/content-type" | ||||
|               contentType="application/json"> | ||||
|             <div class="container-fluid"> | ||||
| @ -146,7 +146,7 @@ | ||||
|         <form class="attack-form" accept-charset="UNKNOWN" | ||||
|               method="POST" name="form" | ||||
|               prepareData="blindXXE" | ||||
|               callback="blindXXECallback" | ||||
|               successCallback="blindXXECallback" | ||||
|               action="/WebGoat/xxe/blind" | ||||
|               contentType="application/xml"> | ||||
|             <div class="container-fluid"> | ||||
|  | ||||
| @ -149,6 +149,12 @@ | ||||
|             <artifactId>xxe</artifactId> | ||||
|             <version>${project.version}</version> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.owasp.webgoat.lesson</groupId> | ||||
|             <artifactId>auth-bypass</artifactId> | ||||
|             <version>${project.version}</version> | ||||
|         </dependency> | ||||
|  | ||||
|         <!--uncommment below to run/include lesson template in WebGoat Build--> | ||||
|         <!--<dependency>--> | ||||
|             <!--<groupId>org.owasp.webgoat.lesson</groupId>--> | ||||
|  | ||||