Fix password reset lesson (#1941)

* docs: improve text

* fix: use correct POST url
Nanne Baars 2024-10-29 17:32:51 +01:00 committed by GitHub
parent 87fae00f03
commit d59153d6d7
GPG Key ID: B5690EEEBB952194
3 changed files with 10 additions and 14 deletions

@ -3,17 +3,13 @@
When creating a password reset link you need to make sure:
- It is a unique link with a random token
- It can only be used once
- You can use it only once
- The link is only valid for a limited amount of time.
Sending a link with a random token means an attacker cannot start a simple DOS attack to your website by starting to
block users. The link should not be usable more than once which makes it impossible to change the password again.
The time out is necessary to restrict the attack window, having a link opens up a lot of possibilities for the attacker.
Sending a link with a random token means an attacker cannot start a simple DOS attack to your website by starting to block users. The link should not be usable more than once, which makes it impossible to change the password again. The time-out is necessary to restrict the attack window. Having a link opens up a lot of possibilities for the attacker.
== Assignment
Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
that password. Note: it is not possible to use OWASP ZAP for this lesson, also browsers might not work, command line
tools like `curl` and the like will be more successful for this attack.
Try to reset Tom's password (tom@webgoat-cloud.org) to your own choice and log in as Tom with that password. Note: it is impossible to use OWASP ZAP for this lesson. Also, browsers might not work; command line tools like `curl` and the like will be more successful for this attack.
Tom always resets his password immediately after receiving the email with the link.
Tom is quick to act when it comes to his password. He always resets it immediately after receiving the email with the link.
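Review bot: the rewritten paragraph ("Sending a link with a random token means an attacker cannot start a simple DOS attack...") keeps "DOS" where "DoS" (denial of service) is meant, and the reasoning is still loose: a random, unguessable token is what prevents an attacker from enumerating reset links for arbitrary accounts, which is also what stops the mass user-lockout scenario the sentence describes. Since the first bullet only says "random token", consider adding that the token must be unpredictable (cryptographically random, not merely unique), as that is the property the later argument relies on.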

@ -9,7 +9,7 @@
<div class="container">
<div class="row">
<div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
<form role="form" method="POST" action="PasswordReset/reset/change-password" th:object="${form}" novalidate="novalidate">
<form role="form" method="POST" action="/WebGoat/PasswordReset/reset/change-password" th:object="${form}" novalidate="novalidate">
<h2 class="sign_up_title">Reset your password</h2>
<div class="form-group" th:classappend="${#fields.hasErrors('password')}? 'has-error'">
<input type="hidden" name="resetLink" th:field="*{resetLink}" />
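Review bot: the new action URL hardcodes the context path ("/WebGoat/PasswordReset/reset/change-password"), so the form breaks if the application is deployed under a different context root. Since this is a Thymeleaf template (it already uses th:object), a context-relative link expression such as th:action="@{/PasswordReset/reset/change-password}" would resolve the prefix at render time and avoid the hardcoded "/WebGoat".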

@ -15,9 +15,9 @@ image::images/requests.png[caption="Figure: ", style="lesson-image"]
{nbsp}
{nbsp}
Suppose we tricked a user into clicking on a link he/she received in an email. This link will open up our crafted
password reset link page. The user does not notice any differences compared to the normal password reset page of the company.
The user enters a new password and hits enter. The new password will be sent to your host. In this case, the new
password will be sent to WebWolf. Try to locate the unique code.
Suppose we tricked a user into clicking on a link received in an email. This link will open up our crafted
password reset link page. The user notices no differences from the company's standard password reset page.
The user enters a new password and hits enter. Your host will receive the new password. In this case, the new
password ends up in WebWolf. Try to locate the unique code.
Please be aware that the user will receive an error page after resetting the password. In a real attack scenario the user would probably see a normal success page (this is due to a limit on what we can control with WebWolf)
Please be aware that the user will receive an error page after resetting the password. In an actual attack scenario, the user would probably see a standard success page (this is due to a limit on what we can control with WebWolf)
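Review bot: the last added line still ends without a terminal period after the parenthetical "(this is due to a limit on what we can control with WebWolf)", which the rewrite otherwise cleans up; put the period after the closing parenthesis. The gender-neutral rewording of "he/she" in the first added paragraph is a good change.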