From ce7c271bb56465a99431167745f1147ad17be29f Mon Sep 17 00:00:00 2001 
From: Jason White Date: Tue, 18 Jul 2017 15:59:46 -0400 Subject: [PATCH] initial cut on auth-bypass lesson --- webgoat-lessons/auth-bypass/.DS_Store | Bin 0 -> 8196 bytes webgoat-lessons/auth-bypass/pom.xml | 12 +++ webgoat-lessons/auth-bypass/src/.DS_Store | Bin 0 -> 8196 bytes .../auth-bypass/src/main/.DS_Store | Bin 0 -> 10244 bytes .../auth-bypass/src/main/java/.DS_Store | Bin 0 -> 8196 bytes .../auth-bypass/src/main/java/org/.DS_Store | Bin 0 -> 8196 bytes .../src/main/java/org/owasp/.DS_Store | Bin 0 -> 8196 bytes .../src/main/java/org/owasp/webgoat/.DS_Store | Bin 0 -> 8196 bytes .../plugin/AccountVerificationHelper.java | 69 ++++++++++++++++ .../org/owasp/webgoat/plugin/AuthBypass.java | 65 +++++++++++++++ .../owasp/webgoat/plugin/VerifyAccount.java | 77 ++++++++++++++++++ .../auth-bypass/src/main/resources/.DS_Store | Bin 0 -> 6148 bytes .../src/main/resources/html/.DS_Store | Bin 0 -> 6148 bytes .../src/main/resources/html/AuthBypass.html | 67 +++++++++++++++ .../resources/i18n/WebGoatLabels.properties | 5 ++ .../resources/images/firefox-proxy-config.png | Bin 0 -> 204442 bytes .../src/main/resources/js/bypass.js | 14 ++++ .../resources/lessonPlans/en/2fa-bypass.adoc | 15 ++++ .../lessonPlans/en/bypass-intro.adoc | 15 ++++ .../lessonPlans/en/lesson-template-video.adoc | 7 ++ .../src/main/resources/video/sample-video.m4v | Bin 0 -> 21278272 bytes .../java/org/owasp/webgoat/plugin/JWT.java | 2 +- webgoat-lessons/pom.xml | 1 + webgoat-server/pom.xml | 6 ++ 24 files changed, 354 insertions(+), 1 deletion(-) create mode 100644 webgoat-lessons/auth-bypass/.DS_Store create mode 100644 webgoat-lessons/auth-bypass/pom.xml create mode 100644 webgoat-lessons/auth-bypass/src/.DS_Store create mode 100644 webgoat-lessons/auth-bypass/src/main/.DS_Store create mode 100644 webgoat-lessons/auth-bypass/src/main/java/.DS_Store create mode 100644 webgoat-lessons/auth-bypass/src/main/java/org/.DS_Store create mode 100644 
webgoat-lessons/auth-bypass/src/main/java/org/owasp/.DS_Store create mode 100644 webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/.DS_Store create mode 100644 webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java create mode 100644 webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java create mode 100644 webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/.DS_Store create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/images/firefox-proxy-config.png create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc create mode 100644 webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v 
diff --git a/webgoat-lessons/auth-bypass/.DS_Store b/webgoat-lessons/auth-bypass/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0d597e3dbf596974fdd877729e0dab83badc8e41 GIT binary patch literal 8196 zcmeHLT}&KB9RL3hN_Y6M1BG%uY`qkbiidKAf@o6@xMCaH6g}X8qPTavz{X|wa=Uk+ zgos9?ZPcjI2VYFAAJx9-ix29HFE*{l_+U*+)ED1;GEpCV@WKD=EFb0Ltp~q-?YAOKVUD2m}b+k_d?PAxc@ugfEw*^p*}Pydwa~Qc`<~ z>RePvMtzy^<&uh=DSk^ikh0;mai{WjLUJ_(1>7=$}x~dpq?X_1pmy zQU+y!K!Ctz1jOE70uJOMo0(gGem4!rZEIV`P)X^IvYiSmuMiKfE`KaFW6z~r)h#%^ zYW|GZGBiEo*9TR1W~Dx4+vaLr&5RiO+$68@l5iDg@x95M`w2|8gIXUF&15jx3?dPMY|4n zEH3h26s6(r!#$_Qa*OBAzxVzJA71$A(q#z(`U?r{-T=y#HAFNgYi8&hgsTtI6zMjo z%;|V4YtOE~@$j8Zr#L8YL_&{bauU&NtBA6Sa8GS--z4V+M}Jf|Ro5u$N!8VzNxsV= zkWXZ7%m4Ot);0^X7FnvZs+ld2v)*HxDdTC~8Flq}SJcKGJMZ>+j-v*}3f&~H5!jv1 zxrS{yBYNH;$=Jopy2$>r)uHd$kfqM*GO9kjm+{Y(35|wx%GQLB=2^n^;eCp7M(F$UI+aq*qTvIKtICi= zLz7)Jv1Y~{HuNMBK!&!kn8GzSY^oXEl&bq!T;T&OU6kXO$`014RAY>d68N(;LPx5* z!w)L_vhuii_es@pPv>-NZB!2_%9yb9Xqv7mjfsPD_8Svzvckniv=?G<6#8KtvS7g+ zybQ0vtME3Qhl}tjd;wp>CAb3L!1r(smf~Q#JBJrydcLDTA^uDwpU90 zm}+Y@^Do{)>8)rM>92Y?`M=O?xl)j;x@LE6ozJ$O)!FiBw4NazDdensY*?A?4KsN? z+4c|xBMofdcH|u=cY)KDIB+;*|sEmmnilLd#lD3f;8*w^ z{w7+LA;&#fj}fBPKD-N?u?6oTVs#R!y72)#g2%8QkK+j(z#$@68b>{HX*h+`XkZ>4 zEMO7m@mYKhpT`&QMSKlk$2TP1HjwT33eBYS$mo-8)=nn1f|~{Sv1{gY&%SEWwz1@9 zwp$^Ksk~*{)-?4ah+YORsI(VNgAVTc)mM%qC~qhNC9=1$_y;(){r&$9eP_^FfIxu2 z&4mD#CR52?8q>U}^vv!p76O=^~eoIn%Ayiy<5kPJKIPUpI$yLN8e7Pj07fO0B Ul;nSO5fJSE!Tv7@c#Efh0lIMvPyhe` literal 0 HcmV?d00001 diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml new file mode 100644 index 000000000..fe1fca044 --- /dev/null +++ b/webgoat-lessons/auth-bypass/pom.xml @@ -0,0 +1,12 @@ + + 4.0.0 + auth-bypass + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + 8.0-SNAPSHOT + + + 
diff --git a/webgoat-lessons/auth-bypass/src/.DS_Store b/webgoat-lessons/auth-bypass/src/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0913be2c6a6da292e48938f7d77736dcbcacfda0 GIT binary patch literal 8196 zcmeHLTWl0n82-t&h|31SzQbY(u z2t)`(2t)`(2>cfipgo(H_#FGbv_^G=K!m_ei2z?840^asDLEyjSURW@M*xzIq!xwR zj5kOcN~V;Yl9DV`P==C}p{R}+D8or_D8H1FQ&P%sKy~;)^=4Ej6clf#@eSb)n36K8 zBLpG@W+K4P?v0QK6CCjB&+plS>jdG}tyeMD&^T}Yg1EMD5&yBo!UrC*JfE$#1<;_U!zACa;YRGDf^sYp@dz7(KVBc@MX6Tgd9y7FqQMN1~ zun*;YPhl{a^W9S3BTFJ@y15cL+g+}kaUQXQq0l}Z^43V;7sGDhIOI?)*Nw8}9K&OU z(DA)sz%B+PHSPT3RqJkT-neC3$L`BZmM&w7<(f7^=zF1a%CU?66+Q*SW{|Tz%kjnr z%N&2#?(@vNorqo1G!eCWjjo-rD3znW#p5jYVO(08*68|iZs{)CR9o@52v~3ET3{LM$qAUsyEJ<95$di@^CYM9%)EQ{w9Z%%EL^VXc&DjSS%No%1M_QHM`fgE^H zfoI`4cphGbv+y2#03XAr@Ht$9FX1b=0zbfy@DuzDzrr>60|7N$iVPFD9GlR<+prlo z;1+Dh9k>%aFog&4UObFPupdvNiCN5{ixW7BkK$u^24BRN@MU}jU&C`UpIDWyJ#_@5 zCcaBmJ<-$^Tx@VQq9yk)IgtKWh<0_cq}Pg-s}$e5YLh0|RL>GY4LSFM6V*ANHlNo~ z?lO^Z?Ybr{*-s?0PtV0%wm?#Zd#^V%je(>w?{8>HCRvQQ8yACZ+MLu_gJ3AP68VyB zp5P+y674kBDA>xoox8|7Uyzb__w1#i;(~Czn{J_@kQS_&M4OXlufutGA3lOl-~xOB zU&HtC3;YJxu#t$h8g-)8EttgHaU4(=+%bJ(3Xu z5d!~11hBCu)03tTtNw>E{TumN+o0z`dU)Y}Q&Nf$s;;{TpuRee3txj=c}z;lDJexL a=|w2Xf9N70+W({dAHuv}+f8rI{r^umCXx04 literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/auth-bypass/src/main/.DS_Store b/webgoat-lessons/auth-bypass/src/main/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7ee598c2b590178fb052c7c2e0e89086ab62c78b GIT binary patch literal 10244 zcmeHMU2GIp6h3F$!t4Mt+k#!F3u{Uv#TF?oP!w=mihw|9+|oa)>+H_hj?T_(c4l`` ztk#hD7o+hfF)`7^R>f%KNu%+>#211w{v~MagT9y;^~uC16B9l6-r2e?+XoY&nA|&= zd+yIU_ul#LH*@x$1pw?X7+nBy08r>=Qd>z`jl}xdeMt%hEgDHAdq|hOT-tWiRR7}= zZP_3ZkO)WwBmxoviNMu>0Qqc|lodkCTp}P5kO(Xwz`hT0x|vJ_az;r0>7a}s0Z7(U zGfz}z#{p&&4`d>cGeS}iB^0J4g((I{3>4qft(Rim;(lf4-96;;DmyFb{ap< z)d3Si%3LBK5x5iq_PW%=y`V!8^vd&lI%iv+zirz*hU)4YmMvGp>I!yg5%tdGlv_&r zx?k}6_54X*vkWsGlm~Txs$3p&U3;Odr-v=Gl+xDhcO75195Y{GIx%87hFj`)3y$GU zB*l0mmf=sOw6%kIvq+|cx?>Joo|U$2%fDXwoIc&z)zh=PBi_~3JKYgK-PPT_ zy(7MBN6+-M_MM`%wD0IUHkO-ya(3>u*WWn%=J^W(1`IwW&{PG>CzY7klU>P-o6S|| zEZ}8(#X%A82)SjvzOBG3IuKEBOKFX4?Z%Q4%+ezyI(;M~8Q$8z=dv4y}&lOXeR`AR_OwzN8<^XAXqZSRv)HDpg zwQ}wH4Xv9yx9{3>an&`ewMe6?juWVkZ{1^=`4c6E?3nIlOvkXC$&n(1)i#G5J!?in zpM}HR>e}Y0I$_Y*$6SNi8QOb_=xJ$=Mo+Sy{dtpeLs7WF#&}d6^4JpeKyg!>st(;p zd#icDpzT}K=m}d-o3>_zh1u4d)aXc2K%*TA8oPVc=qN#-rA2!Y>41-qNn%FEhG~All7Hq8o>tHK6x43!8v#rK7#Y`DSQrJz?U!&Kf+J&GyDR-!Ji0-sN!mjU?Vo+b$C6t z;wEgvt=NM*aToStA0EadcodJ}Fs3k#88k4958^}kFwWo;_$I;S5wR6MR{NHi zs?~A&vR-0lOl#moWmV#&s?~EUvuf{d>RrYe%c^_#Q7?$sht%SpG-{jH#Bzl-two!DM!0OqvA%sK;t3>h#H8YlApYAW-0%RDkUdF?yJd3%kIrzjaXLUjfLL zQn4Q>t*`{yn6PnS7r3Pw3dmi_a#s{r4CL-q9uw{2!Y**j-2uhr1I5TFZYb!FPW{LH z=74c-gE&wiP++41>}OK~4&-4fJ+t=yZkevv+PaLPlG3s*TcxnPjeV4ed{1)PnMrz@ zS8#i@{3$PA|m2Q_bcB|YRg*2T1z9x;uXl(Mteu|3VSjrfUrpsT#~1MRFa~Y-7Z9&9rHm-h)z@eNsy8++1^8dwW+?tgWqcz9}}>cHqGN zrdY?p_W60`2T7`JJlH)jo|}Jqap{dW-#YX5x$|5E6dMUtt`p_6RYk0+wq(Z1u6>sw zw6fgdAb-~pa?&}j)%R<(QWFvR&XiKY=6y2fnU3v_78%z7*};W~M**Ke3ol!9yAZBRS2Xe6k$J7!XMteJx0 zceYpU+FiG|d4I>D3p=hWS0WX%JVAomo_W7%Kwmr$&oRQp*^!wX6{d zeGv}(Ue{Nv@}y3E4>&sW)0Gb-UQ=7Gs;5{@Z{DC-mn7d|PfV4ETs8$wG^}rs<)H^? 
zT@_b!+PF_vhb=8_Sc)FzZY{US>S&QmqZ}872ij$IjD*k9q}>QMiQ>*KRlS#ud_r@* zlR3ktS)Hfh4hgz-ntbCRAUs00AnOC>2(`@VFd-;Ng>*B3q=_ROv7CPdN!Xy}w zgVXQ~JPXgkE3gD-;eGf7&cWyKC42>6!!rB~zre5X8~g!(BOs!TyOk)Oh%;LlN2tJAn_!K^mFXQXDh)eh$p2ZLGBR;3l z3ZDI9j>6!llvssOyl@MRUJk-&U!~lCbs${c&e5yfStVHPzPO<4mT)agK0urhpPUsk zd^j(`@d5!_v#VB)4ijL;?D{2NK|$Hd@nNm^#G+9}@`+*D`Uc8|2y4mjt8rgcR!V$$ zSuJrHRmyx!S(b>Dl~NyMmhJ4K+ATh>EPMC})dK(Vuza{7D%0-tZ%|u=cj03nvv1%# z_z`}B-{DUJtc>8Q#u`E^io5Y9Y{Z+f37ZM7PP`3o$3xhM{e;+E1lbTFHiqLkL68|Z zh0|za9z87L49?OrG&@UZ2$X$5_O85{eyZ`rX{{H{UPb3&2P#{p?swse_ ziDaUOhTm)}W_RrvJ@?VW0&BOxt?xpSe;p_5U&qO^dxak;9b*ZyabXv@r4kDN`HKMd SkC7eH!TBGY|2~1&X7mqKp#rV| literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/.DS_Store b/webgoat-lessons/auth-bypass/src/main/java/org/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..8339472c99d019461c40bd63bbc20760ebcabff9 GIT binary patch literal 8196 zcmeI0U1%It6vxlmB<<|9HM2=$CXL&!B*CU8G25ml(Y9{BOlun&+&hCuK;Oxw@ zGrJp&(MZ8BMDYUzLBT|=DE3KFd=Pvo74ZwIm&TQFint~Lx(7DUp zb3e|xbN7FLduQ(e0QTq9D1ZzA0$t2X+bFw4V*TvekOE!{>qLqN$RrDPCTUp74ZePZ zuYj+BuYj+BuYj+>)u8}Avsn^0dG5Qte(o#aD{xIJ!1jj-UChQjyX;!Nbx_8S0Awqv znI|gKIe^DRJR9@uvTJ!Ljp?2q&flkaiAOrlaVlmMsaLozzX$D)d`9 zQ?+N~?s${B>dYsky3wqbr_fQw)FyOWPwIy5JSYU&Cm}U1F1AOzx_a9p(P+<7TVyeM z;K2U2NcX|6r6uVHL1=6}*f%nrS$cY9^^G^*I`j6q^R5u+Z6;7#Cd_B+RWatG@syR$ zlz5eBX4v^r_nk+;Dr)w9iDvR(NW3#4)v)=W%s9Gb+7nvVCYz9|Z4&ZW$}+w0H<_}G zT-vk~QYfVushpuWTAyLW^@lWj%Fz}aR+_P`tTVtJ6Oxp(wYxR))AQOOdD~Mu4aeLh z48F6yZrARnz3uzE4_(-CU9}Xd5ycr2)^zmybuBwyVCqgQc1kl<-JF}uGieQN%v91^ zDDXuv$fK^Wm&I9?#vZX$7N<%d2yRbfy)2(%Jp);da#av`z@CUKj@fJqis#teB8p=V z(E3WYH)!iVQ64vxq-IEJ&<*RjMU*G=t~Andukk>aC{L02X_~Yh!ZxqDr&pHmWp_TI z*v`p}X40(A)9nu*xnqZ1FZUO}O8Hk5glQJlr>ZpDrr2J0NrO$XPH%AqXn+oS=p2Pv z&>#b+;Td=qo`Y9l70$x@@ClrQ&*4k>3ciLl_!)kIU*R|S1O7%pL=meogf&=;H{gxf zgw5E39oU7pVmJ0+A0ETwcmhXo0uz|T6snlUhw%}76qoTSd>&uM*Kq|`@jX0?AL2*u zoB~Bmhf4sYB7REQdJw&rZ-L26ffydD6^H*H5ZAW5_|@*L^LXsLxTs~zSjrQJ$fbnS zQ>23fx(>+;1Zl&rMln22kZB9$%U;Am+Ug?2y!S-HVM*ZBuxfJ)RRe^!z{hIc7Z#-o z4lwH_Hp5aCN0n8HN>QrhFtch;FZFKW%(Cj?Bh(A-4~W%+En$&%s(*vq3cL#+bJV_p z@8C!H34Vt^39>2ztR5Q(uQ2Y$o3Isc#x`sxz`~H6PEKhGovtm__*4PsOiYxdIjL5HdUe4{iSb|H^OVkKildD{$2+ zfR%&s!G4YM< V0sJo{dn)_SfB*T<5xgd|e*j!~4)Op1 literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/.DS_Store b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..2609cccd36d669cdf7efd8f2caf906bc80c36410 GIT binary patch literal 8196 zcmeI0TTC2P7{|YFfigR7WfqDI#ckIBu~a~A6{>ArZqnM45*JvY=sLSI!o=B`&CcvD ziYTUuw-}9=#Kc4sL9Nl)CymAj6JMGd<1ML19`wb;s81$7nV9Hz&dfHjln`IMq;ocN zzH|A$GiUziH#2(%0B|6ub^^!%Ake|Aw3D(cB-YQ4O)22Duui0S01Fgwk_9`HG&Xtr z4ZZ@t0=@#i0=@#i0{;aC=$*}yu*G}d?e%kC0bhZuQUUgSh|s}o)U(U3<&O@^_!fX{ zIW_Y{W!eYun22Yio?Uh=52Z2P-2-}|=xs634X6GHb0-`1?6Pa!a6mU4&^t4FI~3$+ zr??1r2aLMb&wT}a1vV?dZktLdfCfpJTfcv|lGO7@GGpkr)6ubpfwJ<79hE{*+{u1Y zNW3dHZxv#W;^gcBC3}X~bX7}w;Jt0-I>o}cpbj!3SwX97xAywHV=!ukN zde<3GSw=2x+6gI?QjAp2P#mq_Fk<=xnmy%c3l1yI*jCmV zDV>I6ZW0FH+Eu%EU*mzcuHGY;c3)E^g{nnyh6FYp{a#(mP868R(~6zaOjS4M;&~>q zp^ckLS_=g}3kG@AwRN&MtJ2t`mdfH(={>>iX{eLsGpuJYt5L2B0uR_9k;QSFO+oP- zo0>&&{61P|$@T_qIVj2#hLY3_Ne#MT?Kg>XJnu>)o%9;JdqjDP79dTNwnNzJHTNBs z<-6ILPbs!@I-{91tBZ8{qsMOBE!W8d#Y-u@L_wHlQT?h)vu%tXaF;dM813*DSb%zH zrx(z1n57#e183nWcp9F8mtYmn!@KYiT!2sEbNB+jgf;jPeuAIj7x)eSL_kClt1yJs zScBK$_1K6_*o^JigEwO@_F+Gsz>|0iM{yDpn8XySn8pY3A$%B@@dWBf`mhKFm!k$(rqwOuZPHG673Ci^chY{^ot zXNrU5lEMip62c+ffaN6uwSI4d7@i=|w1v{8FCrmTx)?F<{gH535;!@m+SE+d0O2k0 zv04s>MX8KK%zBB>uvEcuWmO_ml*&2KtlD>&dUtScS@q~K>IL^EV)bBiSfr=c-$8B# z-i8l3ZePJS@ICwhzrybXS_MH?hxLS5828}~*n&4=E4C42eRvDribrr5M+mh$2)1!T zZ3?GxhG5fh4(CzFEIOFS0xsYqcorYU$MA7N?>T%PU%;2~l@jQVmq2%JGjwTdXh_XD zDS)r-iZJ&t!7^>B+jwN=w|ma!V_DO%%sCprctdQQnqS*qfil-cX8Zr)t-t?oKalU? zE8r{ezf}OshhjqmH2tj}r2*=T&~XnPEHS@j*YXg`me*%2 YQVXSj{6oNof4Bbo-+%ve46nNEFVWu}lmGw# literal 0 HcmV?d00001 
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/.DS_Store b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..3efe5f71232d664d8ac3a94aab516092ac613b82 GIT binary patch literal 8196 zcmeHLU1%It6h3G3)7fcjW|PKD8n<0Zf=x|g{%TTf>*mk2wxPjIvPl|UXLrVAaCT)iuear%!9rNqCN>e34)$`XSO7prXU3^bnbHR zx%ZxP?!EKfZ|>bQ0DuEIwG%)F0D&@-(sn8?k(i$4O)22@FeQ>dfDUG|U}utsmE2_Q zclZeS2>1y22>1y22wV*a(4Ebau*JRaYW>njz(?SkM1Y+S5z0(PJ-O^kesoa5LjaQH z)XfvsDGuO15l==vx$H{rN@Kdw1A4CLg&63%lRm=CNk%=n>`K=i&~*p&W=1bUK|VYA zMYuU&)RlheBj6*j83Fd%R6+&}$iZAm{Qg%mW9YWi(Xobsvhs?`Z9-7o&VEuzyeBqq z6=II!?@dy2PoRZDvHF~ylL*2gW&xL8+`le$(&NV^6t(@}I&%dT^sjq9dr6$Y%F zsoJwKcf7c+I`avsb}Xyq$#qOIwMpI9le(ch4+=r{OGpiii*21<-QBH`&Yqs7*2rRK zcXwB7r1wD2(vtLpAT+cb=pUWVEIqxl`o^1Yoq7A*c^3-wjuWUUf#$PPT#UKSSjtLg z*4b^q&9L)h?st!XRmAQ4b-2kxA@ROX^V~<)Y^HZe{1Xt5gC(EapW-zN!sR{yj*c*|>ahokc@eG@qMREKA z+GEM~25s3d$`gi?)C@@tx^C^ah;lsdLL(jbI=g#Bd5Yjq)1vJVwtC%t2W9zQHuDL^ zc1~tAlU8+}raye-j-7IyJWza;(nl18Y39|hs0Tx z^m?3zXW&_Q4qky(I1BH?CvXlvhcDqP_!`#WXZQtvh2P*0_!|KcMXbUQR$~p`fHz_z zHeoZiV-Mbnz1WBScnpu@2^_^qOkfgIsA3u)#z*i`T*jyHd3+gP#}!<~_wX!!h#$FY z3KXe2vW|jO#ZRdyrK0xiC)#kCzS0c&>EdW`J9xUD4{xt>v+MlMe{ ze~SFz6x~3|3q;fU-3?-Rf@r2Klx}>H5Yjf6M9g|`Bpj9m&KuTjYNlp@$Sv@(TK0!U zsf<&YX^EX-se+T0HHnv^RL<$lntcaJTgh3=num{&7Ti~ewS&!Jk z`v$&)AK@qX9sVSmRS?DMu$~AO#yxlww&2a!ifu%(KD-TY$3r-bBSf^jh-%|Rv?-j% z8KRnob2yJWX3@bs7H|O{!_)XUK7mgX@m|0e@g;l}Un`;9(Gtp?DWzQ68X8h_P72^# zyCTA^H&8Ndsh8Df<}ZJ`=3`mYu*^9cx%e9JN&Mmp5GZqfWfuPrZ~guM3TE(KeFS_2 zu66{ld?+?FK&#y9Xl1c>gz|lqSz>m}uH-IM@Nk?Y564NexPm9DM_7eq)RW7uq#jED U`G)}h-`2nX{rjKO@0u userSecQuestions = new HashMap<>(); + static { + userSecQuestions.put("secQuestion0","Mr. 
Hamurabi");
+ userSecQuestions.put("secQuestion1","Baker Street");
+ }
+
+ private static final Map secQuestionStore = new HashMap<>();
+ static {
+ secQuestionStore.put(verifyUserId,userSecQuestions);
+ }
+ // end 'data store set up'
+
+ // this is to aid feedback in the attack process and is not intended to be part of the 'vulnerable' code
+ public boolean didUserLikelylCheat(HashMap submittedAnswers) {
+ boolean likely = false;
+
+ if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
+ likely = true;
+ }
+
+ if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) &&
+ (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) ) {
+ likely = true;
+ } else {
+ likely = false;
+ }
+
+ return likely;
+
+ }
+ //end of cheating check ... the method below is the one of real interest. Can you find the flaw?
+
+ public boolean verifyAccount(Integer userId, HashMap submittedQuestions ) {
+ //short circuit if no questions are submitted
+ if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
+ return false;
+ }
+
+ if (submittedQuestions.containsKey("secQuestion0") && !submittedQuestions.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
+ return false;
+ }
+
+ if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
+ return false;
+ }
+
+ // else
+ return true;
+
+ }
+}
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java
new file mode 100644
index 000000000..3588303c4
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java
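Review bot: Both `didUserLikelylCheat` and `verifyAccount` call `get("seQuestion1")` on the same line that checks `containsKey("secQuestion1")`; the key is misspelled, so `get` returns null and the chained `.equals(...)` throws NullPointerException whenever a request carries secQuestion1, which means the legitimate answer path cannot complete. Both lines should read `submittedAnswers.get("secQuestion1")` and `submittedQuestions.get("secQuestion1")` respectively. In `didUserLikelylCheat` the size comparison sets `likely = true` only for the following if/else to overwrite it unconditionally, so that first check is dead code and should be folded into the condition or removed. The `userId` parameter of `verifyAccount` is never read (only the static `verifyUserId` is consulted), which may be deliberate for the lesson but deserves a comment saying so. The hunk header and the class preamble of this file are lost in the binary residue on the preceding line, so the start of the definition is not visible here.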
@@ -0,0 +1,65 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author misfir3
+ * @version $Id: $Id
+ * @since January 3, 2017
+ */
+public class AuthBypass extends NewLesson {
+
+ @Override
+ public Category getDefaultCategory() {
+ return Category.AUTHENTICATION;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 30;
+ }
+
+ @Override
+ public String getTitle() {
+ return "auth-bypass.title";
+ }
+
+ @Override
+ public String getId() {
+ return "AuthBypass";
+ }
+
+}
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
new file mode 100644
index 000000000..a5e671712
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
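Review bot: `getHints()` builds its list through `com.beust.jcommander.internal.Lists`, an internal, non-API package of a command-line-parsing library, while VerifyAccount.java in this same commit imports `com.google.common.collect.Lists`; the lesson module should not depend on jcommander internals, so change the import to `import com.google.common.collect.Lists;` and leave the `Lists.newArrayList()` call as is. The file header also carries `Copyright (c) 2002 - 20014 Bruce Mayhew`, which looks like a template typo for 2014 and should be corrected before the file is copied into further lessons.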
@@ -0,0 +1,77 @@
+package org.owasp.webgoat.plugin;
+
+import com.google.common.collect.Lists;
+import org.jcodings.util.Hash;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.*;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+
+import java.util.Map;
+
+/**
+ * Created by jason on 1/5/17.
+ */
+
+@AssignmentPath("/auth-bypass/verify-account")
+public class VerifyAccount extends AssignmentEndpoint {
+
+ String secretValue = "secr37Value";
+
+ //UserSessionData is bound to session and can be used to persist data across multiple assignments
+ @Autowired
+ UserSessionData userSessionData;
+
+
+ @PostMapping(produces = {"application/json"})
+ @ResponseBody
+ public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
+
+
+ AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
+ Map submittedAnswers = parseSecQuestions(req);
+ if (verificationHelper.didUserLikelylCheat((HashMap)submittedAnswers)) {
+ return trackProgress(failed()
+ .feedback("verify-account.cheated")
+ .output("Yes, you guessed correcctly,but see the feedback message")
+ .build());
+ }
+
+ // else
+ if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) {
+ return trackProgress(success()
+ .feedback("verify-account.success")
+ .build());
+ } else {
+ return trackProgress(failed()
+ .feedback("verify-account.failed")
+ .build());
+ }
+
+ }
+
+ private HashMap parseSecQuestions
(HttpServletRequest req) { + + Map userAnswers = new HashMap<>(); + List paramNames = Collections.list(req.getParameterNames()); + for (String paramName : paramNames) { + //String paramName = req.getParameterNames().nextElement(); + if (paramName.contains("secQuestion")) { + userAnswers.put(paramName,req.getParameter(paramName)); + } + } + return (HashMap)userAnswers; + + } + +} diff --git a/webgoat-lessons/auth-bypass/src/main/resources/.DS_Store b/webgoat-lessons/auth-bypass/src/main/resources/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..6efa04a20a9e4d079ccb94bd03cc4336d7391b9f GIT binary patch literal 6148 zcmeH~y-veW426#&LY2C7WW2A?jq$1~PrwWCQv^sU9a{EmeQl0?jTDHGIx)~=$@e6_ zcCPXbaSXs#ADbnx05GGw;^@oNeBXUy7a6&vnm=Q+f9fB1yPh|vn%8!C#Q|IN$~-eFPFV_@|xaj3;mw{Wz3Cq mF42mq(TaKFt@wJBSNxj$HFanj<%~x;RX+mGMJ57&LEsaswH=rM literal 0 HcmV?d00001 diff --git a/webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store b/webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..5008ddfcf53c02e82d7eee2e57c38e5672ef89f6 GIT binary patch literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 + +
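Review bot: `new Integer(userId)` in `completed` is applied directly to a request parameter, so any non-numeric `userId` throws NumberFormatException out of the handler and surfaces as an unhandled error rather than an AttackResult; parse it once up front and answer with `failed()` on malformed input, as below. The method also accepts `verifyMethod` but never reads it, and `secretValue`, the autowired `userSessionData` and the imports `org.jcodings.util.Hash`, Guava `Lists` and `HttpServletResponse` are all unused in this hunk, so they should go or gain a comment explaining why they are kept. `parseSecQuestions` declares `userAnswers` as `Map` only to cast it to `HashMap` on return; declaring it `HashMap` (or widening the helper's parameters to `Map`) removes that cast and the two `(HashMap)` casts in `completed`. Its signature appears split across two lines here, which looks like an extraction artifact rather than part of the patch.
```java
        AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
        Map submittedAnswers = parseSecQuestions(req);
        int parsedUserId;
        try {
            parsedUserId = Integer.parseInt(userId);
        } catch (NumberFormatException e) {
            // a non-numeric id can never match a stored account; report it as a plain failure
            return trackProgress(failed()
                    .feedback("verify-account.failed")
                    .build());
        }
        // … unchanged: didUserLikelylCheat check …
        if (verificationHelper.verifyAccount(parsedUserId, (HashMap) submittedAnswers)) {
```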

+ + +
+
+ +
+ + +
+
+
+ + + + + +