From eaf68d38c5ab47364b5838294a0660a865adee1f Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 25 May 2018 14:27:45 +0200 Subject: [PATCH] Initial commit for password reset lesson --- .../plugin/HttpBasicsInterceptRequest.java | 2 +- webgoat-lessons/password-reset/pom.xml | 21 +++ .../owasp/webgoat/plugin/PasswordReset.java | 34 +++++ .../webgoat/plugin/PasswordResetEmail.java | 18 +++ .../plugin/questions/QuestionsAssignment.java | 55 +++++++ .../plugin/simple/SimpleMailAssignment.java | 82 +++++++++++ .../src/main/resources/css/password.css | 0 .../main/resources/html/PasswordReset.html | 134 ++++++++++++++++++ .../resources/i18n/WebGoatLabels.properties | 9 ++ .../src/main/resources/images/reset1.png | Bin 0 -> 23130 bytes .../src/main/resources/images/reset2.png | Bin 0 -> 20799 bytes .../src/main/resources/images/slack1.png | Bin 0 -> 24736 bytes .../src/main/resources/images/slack2.png | Bin 0 -> 24086 bytes .../resources/js/password-reset-simple.js | 10 ++ .../en/PasswordReset_host_header.adoc | 17 +++ .../en/PasswordReset_known_questions.adoc | 23 +++ .../en/PasswordReset_password_reset_link.adoc | 3 + .../lessonPlans/en/PasswordReset_plan.adoc | 22 +++ .../lessonPlans/en/PasswordReset_simple.adoc | 6 + .../en/PasswordReset_wrong_message.adoc | 21 +++ webgoat-lessons/pom.xml | 1 + .../en/SqlInjection_challenge.adoc | 2 + webgoat-server/pom.xml | 5 + 23 files changed, 464 insertions(+), 1 deletion(-) create mode 100644 webgoat-lessons/password-reset/pom.xml create mode 100644 webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java create mode 100644 webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordResetEmail.java create mode 100644 webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/questions/QuestionsAssignment.java create mode 100644 webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/simple/SimpleMailAssignment.java create mode 100644 webgoat-lessons/password-reset/src/main/resources/css/password.css create mode 100644 webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html create mode 100644 webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties create mode 100644 webgoat-lessons/password-reset/src/main/resources/images/reset1.png create mode 100644 webgoat-lessons/password-reset/src/main/resources/images/reset2.png create mode 100644 webgoat-lessons/password-reset/src/main/resources/images/slack1.png create mode 100644 webgoat-lessons/password-reset/src/main/resources/images/slack2.png create mode 100644 webgoat-lessons/password-reset/src/main/resources/js/password-reset-simple.js create mode 100644 webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc create mode 100644 webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_known_questions.adoc create mode 100644 webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_password_reset_link.adoc create mode 100644 webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_plan.adoc create mode 100644 webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_simple.adoc create mode 100644 webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_wrong_message.adoc diff --git a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java b/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java index e39670e57..3c7d42f44 100644 --- a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java +++ b/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java @@ -48,7 +48,7 @@ public class HttpBasicsInterceptRequest extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.GET) public @ResponseBody - AttackResult completed(HttpServletRequest request) throws IOException { + AttackResult completed(HttpServletRequest request) { String header = null; String param = null; if (request != null && (header = request.getHeader("x-request-intercepted")) != null diff --git a/webgoat-lessons/password-reset/pom.xml b/webgoat-lessons/password-reset/pom.xml new file mode 100644 index 000000000..d87ebc728 --- /dev/null +++ b/webgoat-lessons/password-reset/pom.xml @@ -0,0 +1,21 @@ + + 4.0.0 + password-reset + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + v8.0.0.M14 + + + + + org.springframework.security + spring-security-test + 4.1.3.RELEASE + test + + + + diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java new file mode 100644 index 000000000..9e4f3143e --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java @@ -0,0 +1,34 @@ +package org.owasp.webgoat.plugin; + +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.NewLesson; + +import java.util.ArrayList; +import java.util.List; + +public class PasswordReset extends NewLesson { + @Override + public Category getDefaultCategory() { + return Category.AUTHENTICATION; + } + + @Override + public List getHints() { + return new ArrayList(); + } + + @Override + public Integer getDefaultRanking() { + return 10; + } + + @Override + public String getTitle() { + return "password-reset.title"; + } + + @Override + public String getId() { + return "PasswordReset"; + } +} diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordResetEmail.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordResetEmail.java new file mode 100644 index 000000000..deec7e5f8 --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordResetEmail.java @@ -0,0 +1,18 @@ +package org.owasp.webgoat.plugin; + +import lombok.Builder; +import lombok.Data; + +import java.io.Serializable; +import java.time.LocalDateTime; + +@Builder +@Data +public class PasswordResetEmail implements Serializable { + + private LocalDateTime time; + private String contents; + private String sender; + private String title; + private String recipient; +} \ No newline at end of file diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/questions/QuestionsAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/questions/QuestionsAssignment.java new file mode 100644 index 000000000..e90f5cb2a --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/questions/QuestionsAssignment.java @@ -0,0 +1,55 @@ +package org.owasp.webgoat.plugin.questions; + +import org.apache.commons.lang3.StringUtils; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; +import org.owasp.webgoat.plugin.PasswordResetEmail; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.http.MediaType; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.client.RestClientException; +import org.springframework.web.client.RestTemplate; + +import java.time.LocalDateTime; +import java.util.HashMap; +import java.util.Map; + +/** + * @author nbaars + * @since 8/20/17. + */ +@AssignmentPath("/PasswordReset/questions") +public class QuestionsAssignment extends AssignmentEndpoint { + + private final static Map COLORS = new HashMap<>(); + + static { + COLORS.put("admin", "green"); + COLORS.put("jerry", "orange"); + COLORS.put("tom", "purple"); + COLORS.put("larry", "yellow"); + COLORS.put("webgoat", "red"); + } + + @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) + @ResponseBody + public AttackResult passwordReset(@RequestParam Map json) { + String securityQuestion = (String) json.getOrDefault("securityQuestion", ""); + String username = (String) json.getOrDefault("username", ""); + + if ("webgoat".equalsIgnoreCase(username.toLowerCase())) { + return trackProgress(failed().feedback("password-questions-wrong-user").build()); + } + + String validAnswer = COLORS.get(username.toLowerCase()); + if (validAnswer == null) { + return trackProgress(failed().feedback("password-questions-unknown-user").feedbackArgs(username).build()); + } else if (validAnswer.equals(securityQuestion)) { + return trackProgress(success().build()); + } + return trackProgress(failed().build()); + } +} diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/simple/SimpleMailAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/simple/SimpleMailAssignment.java new file mode 100644 index 000000000..e608742dd --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/simple/SimpleMailAssignment.java @@ -0,0 +1,82 @@ +package org.owasp.webgoat.plugin.simple; + +import org.apache.commons.lang3.StringUtils; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; +import org.owasp.webgoat.plugin.PasswordResetEmail; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.http.MediaType; +import org.springframework.web.bind.annotation.PostMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.client.RestClientException; +import org.springframework.web.client.RestTemplate; + +import java.time.LocalDateTime; +import java.util.Map; +import java.util.Optional; + +import static java.util.Optional.ofNullable; + +/** + * @author nbaars + * @since 8/20/17. + */ +@AssignmentPath("/PasswordReset/simple-mail") +public class SimpleMailAssignment extends AssignmentEndpoint { + + private final String webWolfURL; + private RestTemplate restTemplate; + + public SimpleMailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) { + this.restTemplate = restTemplate; + this.webWolfURL = webWolfURL; + } + + @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE) + @ResponseBody + public AttackResult sendEmail(@RequestParam Map json) { + String email = (String) json.get("emailReset"); + if (StringUtils.isEmpty(email)) { + email = (String) json.getOrDefault("email", "unknown@webgoat.org"); + } + String password = (String) json.getOrDefault("password", ""); + int index = email.indexOf("@"); + String username = email.substring(0, index == -1 ? email.length() : index); + + if (StringUtils.isEmpty(password)) { + return sendEmail(username, email); + } else { + return checkPassword(password, username); + } + } + + private AttackResult checkPassword(String password, String username) { + if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) { + return trackProgress(success().build()); + } else { + return trackProgress(failed().feedbackArgs("password-reset-simple.password_incorrect").build()); + } + } + + private AttackResult sendEmail(String username, String email) { + if (username.equals(getWebSession().getUserName())) { + PasswordResetEmail mailEvent = PasswordResetEmail.builder() + .recipient(username) + .title("Simple e-mail assignment") + .time(LocalDateTime.now()) + .contents("Thanks your resetting your password, your new password is: " + StringUtils.reverse(username)) + .sender("webgoat@owasp.org") + .build(); + try { + restTemplate.postForEntity(webWolfURL, mailEvent, Object.class); + } catch (RestClientException e) { + return informationMessage().feedback("password-reset-simple.email_failed").output(e.getMessage()).build(); + } + return informationMessage().feedback("password-reset-simple.email_send").feedbackArgs(email).build(); + } else { + return informationMessage().feedback("password-reset-simple.email_mismatch").feedbackArgs(username).build(); + } + } +} diff --git a/webgoat-lessons/password-reset/src/main/resources/css/password.css b/webgoat-lessons/password-reset/src/main/resources/css/password.css new file mode 100644 index 000000000..e69de29bb diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html new file mode 100644 index 000000000..4b5373a0f --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html @@ -0,0 +1,134 @@ + + + + +
+
+
+
+
+ + + + +
+ +
+
+
+ +
+ +
+

Account + Access

+
+
+
+ @ + +
+
+ + +
+
+ +

+ + Forgot your password? + +

+
+
+ +
+ +
+
+
+
+
+ +
+
+
+
+
+ +
+
+
+ +
+
+ + + + +
+
+
+
+
+
+ Sign up + Login +

WebGoat Password Recovery

+ +
+ + +
+
+ + +
+
+ +
+ +
+
+
+ + +
+ +
+
+
+
+
+ + + \ No newline at end of file diff --git a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties new file mode 100644 index 000000000..cb073b35a --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties @@ -0,0 +1,9 @@ +password-reset.title=Password reset + +password-reset-simple.email_send=An email has been send to {0} please check your inbox. +password-reset-simple.password_incorrect=Not the correct password please try again. +password-reset-simple.email_failed=There was an error while sending the e-mail. Is WebWolf running? +password-reset-simple.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username. + +password-questions-wrong-user=You need to find a different user you are logging in with 'webgoat'. +password-questions-unknown-user=User {0} is not a valid user. diff --git a/webgoat-lessons/password-reset/src/main/resources/images/reset1.png b/webgoat-lessons/password-reset/src/main/resources/images/reset1.png new file mode 100644 index 0000000000000000000000000000000000000000..36793a8b599aa4e858f6eeb0716a41752d22118a GIT binary patch literal 23130 zcmcG$1yo$kvoA_Q2q9R2;Fb&!971rn0fM_*aCdh}fPo-ECqQs_cNh}f-8BrZgTtV2 z`2OeJciubqoO9Q^>+V_8v+3Tuy1TlnyZTqvgexgXVZJ7Ljf8}RDg7C!f`s(^5((+q z&8z2#ob{rNSj5juV_7L6(&N)7v#lT=k%Q*=S=$8(2_5h0`wS`N7ZD;8)m2(v0u_ov z{F=61~|?OL`%jRiL#%513}3DMGE3U6e9g6>3{v|ze@j; zSN}!w{~rOjULqPxk%-r4oc@{hw&uOP9*544aK-dm?LX*Ks7NAGqmgnCqiUY32ZwV> z(bz9$OqEXKg5HlrMtuufynCgV6(sQsU=4@%UvI3#?ryoQpCc*B(lguo*Hd24b?Fhi zzHuVK)GM@hWD6_J5KN~e4E9Av$|Ss0WZ&uyX-&NP8KHy$B=fX`_hfEe4ig|B}U6)e#?YUoJj)WIrffJxS#xGqKt}!bZ`ALl6PPAxUkhN>2Q6pC2^3D_7VoW*XhL8zeM69;Si%= z6SOraU+tMQ{Ut?{lRsRV?D$_i&#u}lJ|C;jZz$DiL~{`1U(_0jlRS*DXtr@VwwUq^wiz1*E}%jE;93pxry z>VRa09=2Z#!lke){!pfPHS+q{#vKSJK)g@~5Z%8ZI4bl$Qz;8v_21q~*(BvW*;zaE zu;(H;R#rqp66p%^j&=CuVLx#XRihaaSVG*24Lo}y>UmGbRjP&!C>K<{b;lyr$S(dz zzAGmAGXjdi52W(u6!!Hl1v&Nq%9e78!FnW~s$kI}K*g{*8qZ3K;vlZ=XS`|EJpaRW zv|vDhk!6H=fSo+wP8)x+#auy*3bF)n`V7cC%OJPBudBa$` zYRom2(i#Ey$whiubXH}epEK$qcrR}Q{%}!*y&4FsL#doo(;A=|b7 z`NT=O(oz)2cCtGwR(dDT9mcrbmaWKtv%i_3v_3Pys+CjZxSqdyUqC=_J!Wx8cwuAT z&8_Cxwf;5^?Ad?}z-r|p5L#wv1$GOWPP%#9I{Dw+Z1aG8iSa>p&rgi61&DH{!4HVWNWTqWOrjz|#^4B3XZ;xIHx+`+S0aT^9h4DIV- zHrmqYtQ{K5+PL-{_ficfWpxT;&Pu`p*Nu_EbIVsfM?Jwt5+w7q`T1gi?CrH!RvtCv zH%@;q>`k7n4z+c>XOa&awI{DSUW@ztw)o>F-I+W@HgNfP2A|^6+l`&z*l_Jii<4~^ z-x6;w)xn|v4VcxhPcp3^i}#_{HKQrEEynGyBl^{h0FLU@pb#27AYKR=35!_2VQ{q+~5kzMCLa&)r}uD=ZazJE_7YFTNRtZzjeBA(+|J~A#njFXE)6rMkWj#|i)#H5)n-|A! zZ~ty0^bXo8ozcY5{*BtPex*6dT;r$n6uigE=7)$9j?%8y2?N;F7)N)Y@^)BsW4Nf_avTdT4yZ#&( zU5?BubUTBH4*Oih5B-XzNY!kEzh1HpAY-aDn{p#KPdlRCu$LFiDqJy@zYa=GGv@&x ze9WF1zOA=kX=t$R?nuB3Ae=U(bhK`BadbgdA1?bP!LCuiQzvM(w`QSt(U6Jd(9fq8 z!mzJlZc@ii*_P>5q3gx7gA5o+?QGRl&oO;5GNU`YHLCYhon><;-64V9TLLF+_lw~C z{LjYLjNthCRc0l39gNqu%U4-)ZZce_DeD{!$l~+W^81uz(E;OqR57^!k4iGRO~o z$Z{$9t5_y@9g5Y)Y%5mtX@E7_KzB0hr_PN-vF6H*d>$d?5JqgCW2?a=8G)NcVcn+Q z;I@(Okw0Z}ul8%ga@%z~(fTyqxdZ`>q6s9m1;lpXYz6Vi`5BSCiT33H(cG$$ekXegKk?%2J_9s?7>a0!#ox|ewxBK~l?lB|$Vqxm0 z;^su#(vn+BTjBBrEzzWMp1rSo>=-g**CwSb*zX8<7H#!yHUVH3GzGN5a#6^*o8(P6 zPrf7uj+0(!sS=#@Ncm{(B3yO4?QNOP%L{Xm0hvw)F3F<`yh{B6?7CUq9v=>DE4xVn zTmNXg_%ifuDG__Ywl-AT`ti9s877P|vMh2fdt zR5lzMpmo#lt~RDPM%}H??^&S+NjG|f22H|SXQiN)*SmNUG8>)476xx{w2!~xtBJ&v zsp}7&7VEAsUeWrV(Cxv%6H=$0K6%W4&LtfBE2$(C`h;NiuZ#Ang&u zgNr(Qr&5e@3=0BV)>M|_vw4U4ll`tjl6Ugc&(;vl>|-#<2999X7{;>KR= z{M|;o{yRM$q>m-t%JuT@?>SL4NDdWqYxWCz(!xnZjbc`?Ds!lPiITqhl)Q<_@ajGF z=D6%`j)gMqL_SODvcmJ7?x2_5Acx{biw_p5Wi~~PtQLohZ=D}s>T&_>=SeGAiC&2p&*Py)P`H<%B>7897kYekre;e&T$%Aw9ATC z2K#>at<{t`Y1qsMish8?Ws5s30CwmcX-vI-t^xT_n>V)wAjA2PNq`AN#|qFmdzA1nR`vMRBW9(lF0%SSYz=E0}95jxe>a(wup;U6&52rNygvN z|JIh-ofHzETsgwB?{Ol;Fl)uB{8k2|SVgCFf3RHRcS z%E6XSninq@C^_BFJ)Nq|8Gcdn2 zFzjrLFdXsIO4vc<5vW}>Lp5ldgAbq09ZRe zopmr>{1b@uMe>7_Icm0$k6(6M%MhKm{~Wam5D<_TpTv}Z@$^I z-nL1qKj>qu0QK*@&-b=;C-bb0%|wA+g7jljJRfmWNbzv`c@6h`(q6w?!`=&P$1C5 zwAiTirLQV70Gi$kit;6^rgDQKwo9J?l7H7tfxy$2rd=Q~*r+p=?S^5)PdgzJpO?MXZngUkagex14$6e)7!8I_nrb+Gg&RBhA=Yg(J>D)QT_u~%8C z0b%dLDv*Z`b%{@g<(E+F=9^S()l^rzO=RIm}ZfLIzg*XXk zmwg$pKDVi1>Cz@IHduFXb35%Wnr{~XaBu{DYZMCaecV;# zb};r7t$FmM$Pj`a0l?+R>idQS6KZroJ+%Y7$ItPg6D;Q&szRkdI5El}ZtjfIQi0!Q z|Jt}k7_$hO-G;va0=d0}F70%vUCvs+vgzId>AQm{ekZeVAV(bX~2<`t@Mid5l7C~ zs(r^>O3urVA*$$AyLi$D;0jX z0G6F)cbg)Im0`s>w}4qgw<;7jy^!EJcEx!Xg6BQ1*DBoV@TQI1U*i1vD+knp24t3> z(}8ODZLb$#*t71mUd$G1UdW2vicOqGY19WZXH1(R?&Tk8Q`@`+OjfRSYZMX$n1wbS zp?$ocV(>48oBylewR9<;Q@rb9u1z3fvf6L=NjW0~#HpPWbCs-s8T>a%dr@W^1??9pLC z!Hg?|xffz~QOSE?^x4{IS!Ai!J{8OE_!ag@u@Lw1^82p^e{z*{0n?*0G+pX74}(fF z98JU?40AESVQ8avuC@7>gSu?peY~#fl&r)+o(wVj!-~;x*p|A*_nMPk6Z56j04mln zMrsz}{pf=NGc;9k&LhtW7{Qbse(u_pg+09e+kr1itk?r!EyA>WLsymsQfkPL#zFD2 ziHQPb{tNXbgTLIgTBg$DlKtNh{| zu@wCn9dI#OXY{?;OJYce6^w&j9<4*rBnfcB5daPXaXOZfzN9SP$rIz9oeI#wA8p6^ z$L`u+P1(RV2=(%XV(eic&<9i&HBM^I7NxwYhnC?)-&IfM&7K}wd9o!=rO?Ef7-prukD%3Bru`%yWx1(e5E9{D$s%Y zZ|XvuIMAyo0Kf9oSL1;iph6H0vp_r#B(t1_y2*c!)cp&i`_EDwRGKFq{zLCS zOGUa6{6mP#Q(7n$sf=KBq04J4Z)oV}XFvgE z{PguGKZ{ViNg$Hh3(LR88uwT0s?GpFe(w#4QwSfJS~@qG)lQDt;%?Yu<(2F(SqHnt z`x;tLn4S3#ev26lxL>-w&=p^2xD}xuZS?oNzo?`VPby1=QArMqWPBt*%{2PO)Io5* z3!QHJu6f0R%-xkqp#(FN@a5%l^xA~yQ}5(b+`3L=e?%L2dGpPHtdJbtB0!NepD*B# zOVP?X(%A9o@Vo>bSbyd-H-Wo9q|^J-wXWvvYd8iiScYAtJPrH)&^6l|Fu$2t65V{@ zIr@4N838d8+OFs}zD2e{68Q?Cca@TcRPFFMuT2yQ<%Qy-zYwb`YqMC*%DH5{HkJLQ z2iIk>A6=PyKwoA`L-OtjEuhEz_nsiXIb6+kG2yrUdGqE2!Cr=$ zGWaOR{~sn?aBj>+FI1YzRXqFNZm>`jfv)&`6e&RVLQy3g7<3wx{#Ohife>f>-dx9I z;ghGYt$H`0asMsL8}W8jN^oK>HI3P4Q>HFYaYJ=)=DCo__(sC!>LG<0-;2|eih~$gmEf74m@Rgb~PUQb?U%oCEg zT>7>Bh1$(;g5B|=POctjVAqwQ&%vNUVtNi9HwGGCekSecG2f9X7a43V@o17u5R;*xp6dOq0%1) z-UHyBpbT&f<~22S(sW+g&$f(63_S|(BIu`=a#~JY;#uqUy4?O7=TZ3TF+AFPd0!d7 zN=EB>a|BJ>pda4*s+oLI9n~Kx_N8Y{Q)IH&r*J#+-YiLSJZj!sV=eQs5=?8~;tuw2 z_%aRqQE8SzsX;@QzdncLL-zVv8_!suw}T4SPzr>zeu^z|O;;x(#230T5gA4klm?tLw6b)*;r3K5! z4sc^a4fbVr!3PTqX5X;a!4Ex#Sn~qf?rw8B@Q*>B zhLiQKMl*hmbNu}xl=PbRg6=idPk`*HLFEbMPR6B=6UQ~ud)j>!X)!A2=S7t$~-(DvmP;W|8 zwZ4}=b+5|y7C7A>YxFItj;>9>cG@^OlB(K~_@n#MEyUoG#)SFpL@p@f%2wD}zXLx* z6`NJxw&5yu4PURepRd|8yk|bP>ICz~^PtkeJ#WDCXlEq@Thg@8q}_nJsH zlFt9ZtB3LX#DiCZ;4W(0`d&+yZUw#&l6O-CyBbFz)r_=mLBfDG=RoEPJz`Yw?jNaFDD3 zX)o6K95|KYxIMiHD;bXB)9&J(ZBWIQed z)+bx7_GqTNbeW2}2K}x&--+vEJ{uHYKsL--3BWoGjh1?_2{k2w5C<_$ZfMPg#P_GQG-=X<52u= z9eKyTYuq+0FP;lF{NCSz^$YtbC;;`A;B+$;6-f+56)Gn_ z!|4O%tDaFM8#;;9&|iB^?n(Oh`UY!4su!f9Fx|>*c2+> zb?@F?^p|S9Z+{O2I5}!=U6dvGYh$DcPUjTs=6N2e5<&_fWJ%=i)a3`K^yQQ+#M|R6 zJ2lGnt;K_lm9*{E^o`Dsg-p4xJZ~I=wl`<%JaL*DL0WdC5`Kvht8PCGV<6Dl5gLi5>d*XBz}hL=ntkY@->IYDJa!n6>%XYO4Z zB(=wUPD)TsN<(|9zcB*)kl^yLTirJ|vMs&vsAHGc{D&6U?X!V0!h-%M79fP+WAJRF ziuX~M(RDKu#i+>=om;_Irb`u>;qm@y+(@nzW_tYds&9ppxSn^K@Lt$F<_fc3OeAdytyQc{IfaO8ZRbT;4;MV6OmM(yiksL{=c>I;b~PS=pI$+As5(ba9;uF)-76h@=#dci6vbX^BycdJAhl*L>o)zo|DKO3T(bPYm7 zLM(2UX1PLY_mdNOZ6g`mp6=;;EH?+Y#I{k}6@3iEAFXzcM{V9Rs%sMWLfUQyam|Y2 zCTRQA+=z93=61L5`dl&^#}xhCj^I^ zml-I}kY|`=R&`DsSdEtgQXdrW_0oHkMYK_5@wMxE-ZUTY%?ha!>Q*vYsYFElGm0?37F388Hw>|>TRMrDG}54dJnw} z#h*XNB`1eI0-^NDDP`~)UJk70u8&csd3zCCP^Z@+m!C8o5=#_#DJHqd(U*C)+se5% z7dNZ%Sjm^F9mO8AT*Qs@+@^ywZBE`91EjlnqeMT`Xch^)bXB|ZdF6A{OvgS_cc%P0 z>YIxK=c|y_I){12?2Fx~%x&hvT)Et2+pPB;2Fk3w?n~mS;BV2c% zL^p3Pck%K=HLmSm*4c<=k^tor`~>CFoDhofGy36(MAQA7;N9VXeu+v~NRfTtmd{NR zsodSo>MOTq6!p}s^~#{`SxmD6uJX1IG=Y4fYdyy#Xy3$yVo%3drNM7@`Cf{Ah;<~1 znlgW;HabZqEyGEWDO91RA8TG1W~22Ao~NmuX<$|aECzqF<`sW^D2O`mgZ26yAcTX4 zWp4qFCpFSb5U>``3t}Qur}j%oIQMU@NaGOwpVDTaERgOL$XmW4Aey>jn%WtXLfO^(=d`r`UM$ zt`BOx`8~zytYS%rw$@HOGemel(uf$X$QaeRKjF$ka#d}qSX3o1KBk4S6;*u6mYEq;flK_Fk1Y zaNnv~y!~7h#FWObV)pBm^lpjTW;#UZ7Vss!&e6`y|aI;D1 zj(-=YRlj<1^nIORsMgY;BHUEiYpRKdYf~kGVa-$hyf1mSZM1dfU#*HC&cv2YAM;@{5Snzqbu559%pD}}aZ-Z0+ zhJ9mxuV5yziL~&N+0u1ru85C!gkr8@uhZ#jmO{JKyQo4vO~`l8`NZVD)*U_-&n=c_ zEBX{!Q-gM2@UrM7pVH+n&18FYQ6+7N{2af-%;=s2N&^{(Pp(}V;cx4mQX`ttujm-HR441CGLPfY!@GC{71uc z>hy5dyyQvtvmyMq*wga&ec!Xqwg|2_9qnQj(yIaF2FT2$s)dzV$YKr@; zW|hxQqUsz(+1EYc_=Y7=C{}0>{?*#~p|+^0vJ?QmsV_xQj2rDhvnp`Wy!z^9HFyDh z*B6=`|3Ojz*v^yBp7bg13YpJYvLa=>=mv>iQSjR7_XfUHc^;T=yLz`uYF2^dY`no~ zk9DHz*0Gz+!%uH?tu6y%ADPA{+6S#yq~tYS053-CMaam>OH0dx+FXrcp~=t0S9Gss zOCyO|VxQ?JYeG~6qG(~=hs#-zbqx}iOC612&2-lK4Hx3=S(Iq98f!z(h}x;iJ!)xM z$c?G#n8F325?;H_v90hSvP5@Il3(c&HdTM#val*{R zz+!R}Gzy7`$Loi>`wJX=h4U+PTlx@GA&{Ac-NDh~&{J;+%qFjwK&Iw!w*ZpRrB1Fr z75mu_+dV{I=wdS}bCtPJeqcpW$ROZAXCiG*w%wP{&y6SaPK3Nueq9M0glann$Pl*J z=iE$|^xxjN@uHn&_m!2c`l0BYtQN=2=;jn!<>PQMV|94J`6a~S@nnQ~X$l2Z{R+b= zu5r?5T>-|N@#;X*eoiP+KY-~xu_B?(!so$ZzMGpMBZYfI$AC7{(^god-pFf{IbIO3_yk;pz3qCPU}8ZDvn zU$HcrU70Sg)1o6d4No*PrS6fSF>|5Wwb>F2$P&_}Yw;GmSvZhm-fjG%ch{oftoy@G zQMkncR*)pO0&z%ekZwQX4i;+2Bq%Z}I0DNtxA=b2SeryQ{Dg(@ANNFC2wU&3M6L5# z`-eTJ9rgd2;!4Yzb8eJoC3svzdBrq#rpo!^sOIuOhkUFmj@7BsF(BXqqF*EMqII@f zMPRfl$em=AFiB8O-j6O8Z@jaTs_xp{`Fk{beE@qwN%NIRQmnTy+lBwUugSRE&80)| zGGjZd_D;=tONFp2%f%R(0!x2m#!pva^|l^4o5xYet-Idszyfq0^Kq}&LHOwXjNbZG zBS^JZEMTSSelg7_fS+7BPJzg2)XQfEvvR@#ebZaJ)!W+l5NXn1Y4bMIE(YSB5`XKB zw*N>f8lbDBo6d62L$eIopg@Enk|1YoN0Osrm!|Pm=H$&BIrL=fS6mT3IznehQ5UAV zt70t{**$yzOtvH`22_N#q|sy;fj~w~UGDm*{*Bj*c&HvDM^@cb02HSRv%G`n4W(F? zqpUtFmAg1RmHK6`0hYoyC0|iBqIbHB^g7V7reLM)A z+y*<+f9>CPy8!^z7_Z>^XMq11cxQ9{nO7t3M?yj@OT05#=W$5=p+4V&_OvTrb=*`! z0!Fyp2QyxP@e2a6swlr(_j*2$;%P_-_fb^lEVEXtWL#s-tO`B>xu5s^+HL@1{Zm?{ zE+gmJtaPsZwmg*MBc;t*i(g0$MMB~rX;eZ{8ji^d-&R}Y1`@ctYZM{?bpV!#Ulemu z*rmb5p*DM54ZlJO1#ainv4`ZzlLrH7ujqUgvUGZQ8ZN7-e!=mHYpX=UW?GTD>VR?# zXPxHRKhIeG=B+#pyCrjqbLk%Co4gVEWCd*+p6v0xOTGC+LGVyR+YDGk_%bv-&na6^ zUbwSx-F2z)7G=2gG}PAA)HGDReN6=AX*xHOF;+3I-*Pb~YQdgmI-n8xw>B^u_5Rgg zZSuWvczPC813vo9 z;8{(%Ix%mvQ}{c}|8fU{K>e?d^~eH0&6OtH5);QU73qyQ0WqllqIVnXrn+Am14;i4 zeGi;P^-z0)*#B>@2IBTV-v4(F5t*mA{x?FS|I1hZMHn&ah&ujbszlxs3M^-jnxRa5R7!ud`Ym(v9hE}ziyUIJ z0aJ2-H~e(7xz5IXG_n%yZ=S5htlMTMV@Uxts$mkuI-$c)oA7 z@+S_CjnlKUCU8iI1PbCSA;D_UdcBoe_GvzT{?Azow?jGSCV~LRQ}vRePnSH=`iGt# z6cm(~c~%PZeJTpb-+4CAgvDt3HsMaIvP&lOl7x-7J2utmPR4^u^9jyO&1I}*XrT6%OBwm2?-fUnEa_x z{|ET%^sB>bbo8?`bWDuG3tcF~nT)7tP<;Gk2s)v!udke(T)up2&-PiYGr}K-IaR7X zIpYvcDVRh;Ot7k8W@%XnkuMl`-QcK1S5H}YI7NRA>Z?|l)qmg;7GCY^>l+?E97<+? zcz8fK%P9TMaWX~&CezIkZb}iLq+}>mBfIpVS3WXodRyayHbAe?J8v!DcI-WJ^q|9i zQeHIk+kY-1Qc{oIiOr4vcw|&84mLJoe)rO%B6<~s^RP7t0|TS042b<0dknwp2=+CT zioW?Z_lnP%WFmwiiguN#vUEx3j&ivqBO}AX_UV!XF1L6HyY7q~uXW1H$w@|&&6jGk z=OX-Zp2)-`B=y$xzUNvqrSyttC(cuJ2tp!V^s6DNT3TJ)c0KEC&D<(VN|~)1d2+n| z{{HO`H~T-?Ogsfv9v`lR{~^N8X=mMGl0rm8M1YT9?C?P|!-e#`zv_KdgF5O^tHo#t z0dw(10~`(?uu@{sCH6KEiC__a>)f+=e`SxwC%l63bWC6Fs%2Hn+ z$ml0RR2agjO{5Tq7r5nB@m3}Sw8h1dFXroUe7P+;Z=;KYI{;MTIeQOA2*ois-vZ%K zr3-j{GVS{z9si+BtEyveu2C^VXyCRdmBXszBgQ2{=n#WKN=o?lEeQz;XMXgrmmilJ zhsFwmgP)tMTTA^4cz|2<{djM0Z$C0Jve@9Ted5V(F|yPi5TL9aEAs9mJG;$7Ej@)h z!Xxcq+vSy^|DRnWs|MJ{V4Z90SiObsRgXoOZST4^z`)F7m}A})?mM!FPD6J z2R}Pm?_F&VSRET1>*+CHh4>*xTt1bn`vD=q4%O`w5B4(&7N(}Ag~pi^BC~}-7rIkS z$|OWY*KoLehS2iza+?Qig@S?t(J;bSFOH6mG|Tn89`1OLh)|J`Eaf~RRgv%WPxeB1 z#5*?!!B?==$25->tMP0JWo1P2Jrs-lXp zne^PPzAVf!mE&nr75itM`S)uGrUaFb4B0@yC@3ksN%xL9i5nHHDU* zXhI32sBll8x!3%5DYg3yF?R=}t6zNg28!7)By+MOdwcpcdtqZ}d2Iy+(_Ojm3}ikN zO1GyFM3r0i)OI*|O#32EPBWeou zCE)noJJ~;7(+m2mKhDdko4zzu(z1mL_x9oQIzM1DHu@}}o1a!Zp!MfS)2U|RlIF5c z%>%*zEaBW~Yi^CBPgWLc)1*AETQe@n5!Pj~EV{3e#=aw0L;?J5euENfp*-)xg&Qqj znl(uTcyQ>$8CjT5XNfcBGZx|PNx%dj7x+)&_9BA;8LZX2lVMe?;FM7V@XJ9t7k=Br zuAh^zPt)m=O^_>p3^HQ8QCu{#glC&e7V+B@vfCig8v5rHcYfQmUd_?b6@t_876AaD zJ1Q|A89N^jhw5#LlkLJ`<#I-7TJ!y65en?I*t4#+RQ2pD!9BflH>;P1^Yu#JS^*0a z_VSJJ{y>uIZ9Td`*@FA8^ObJH?G-uC*6mvnsq`fG1e;Vch!+FnwTWh+8z-3dq2>1@ z%@SjJ^q@4B?k$_mW$$HHH=$q&lZix$l2?se4Jo1KR?BakVr`c=AHsl}4fBre_Jh}! zs%@MTX0p$ayq!c==hou~SCu#Ko3UeD3>`n4D|Okx_FcfVTldyf5sJs@ z?BSEwfb6AX{oaZ2E|?!F0j2-t>9ox(wtdP}|1_)}tChi!nfC1W_V>snd%u$$bu2y9AV&*yXq1vY??~nzaT6M()FLpkCcehxhrII*6;KRZOBdFo4E*ti@Qa9D}? zlDJvr*zq#{#zW(Q(jz|ppuhX8|=5ONLrkvFMxT)vjIS`y7G2Y?KKCWxQAr7I`8RV=6RIG=A3?jhgy{i3QlaF%=v3l zHASkzWe)s1BNm+4yOr)rp9KT6aL~ew!zDRJ?xW_P>2CacJBNiiw_I%XeqaZEwpz@J zV$Hgd@}--IQXtT(YinbsJl$L@Ht@3yQ^`B%ZtG2*0Y%z?*5fMEz@8IRi6yno3&b`s zlQHOr6fhya8`AM|dU7M-TyDxV<@Li@BX2eH_st}BTE;MhP!(^wMeA8%$pWe092eI-)kr?5WfGxT?Ze1X ztT~IQF$${(%Hf#J75y9#_lw_A^(;4sWKNkIv$%j)qs6MW+TE>Yq8iC;)USyNCssQZ z%kP1(*7hvcke~%e`E;6;SG`@w+dVCzhTrYDSn?4B?FnMH0#dskF6F1tZjx!#WNe;< z2(!2VH~!|E@ZacAEDvZQ5AZ|Z<~7GVJD;ClP??o@++30F?M=^Uz$IZVcIQ%*gfL)^0+V$u6C?4pnvYQT-Cd+-5T&`Qt~+PA2-qo0JcZ z>TtEU5+jFHjL2dB`F#7^D|$lCUw#j)Iuuf*obtf8OaQpAB!Y_#m-Abw`?t2JGZsIY9EqagtY40!k{4?Wvz(pcD{h9Gm+KLD$=%>Qhd)LE( ziP_T~r5+Nt8jTgSi^-J9{umdRPwTAqDSTco)&47FdK=)NjC+5$fr7olOj(Yhf&qSa zl3GRi%qt`kM#N@nv+?I}jq$+!%=+2)mgm-=(nDv>F5|9pz6QvGC1J_@wlSw*Unx{4 z4NMs6Y@Vo}ys9W_SD4Mr5|+++0rgD@vA-c3hB#R-4i4IA*S7c7M=FVhX&>HGA5=|L z3ccZ1-2mg7TxUR!(*~-bXKthBe2I=Zw{>^QPNqbF3`bHt=<}4%Nj~jc!3s>~PM_qVUr2LxH}cM5W12r4q$auUxCl7yN;wq{js=ofOz(c_XzeA8PWLglwq`mIZ*TC3Xmn52P$+H|C)wb-D{ z)ExqgK*7N2YmNpzzl_0k1 zJNas77%;Y+H2Q{3Y;i<w~3;Y%bDDwB@&p@<{#t)i#tg4<{Eh?DYxJ@W7V4sLoCBF;7cf2{Za zx>Nru{SPnwuXE*pfk10kq;l{}`ZMdk3~dE*Nmra{H=77l&FDw>1MB=?kSZPM^WTr> zIcUgaC~j3c9t{{|?nC_4zS3YxRo#C=xvl$}8*fWWkok6ZIrNlmcs04p?$Qn)M8^oJ zO1<_BSFrA_*D%78Q-xgrW+6_gD;chd;j6tn8_G`9Y++h#^;M&_8D^sL=KlMAINrIQ zg)i+Z0I_F4%yhB~^{ado~pm|%76X=e9uVYFiQnr$wD3~pV#Q9f#8x5)=?xy76Ia1<)$1g}X~xaV47NREP@S_r233bkj^!Kb4V9~6WP2_ExLL(~SOvGj>K zelJcA=WGX}8B#R$CXEA-KxJ{d7>@0G)YXqa<1$&&YuIM%Lu6Q?v(^A1;+KaKTo50dgWhzp~iUL^Zd zYc`l6HdB6`A;m9yt$zp0&uIGVLui-nE}>V8uYLi$x0inu1*J}sh5B=__9qUvhk$Zp5_==7Y=6FIx~;^#hu{Z-$K2}Z>pLb)NS5- zTyDF1zmi6zWKfoUT26}fJ_7(yTrR~n8M~Xd$K5aK9BWgfVFWSKo|Uww<)kqnx^3g* zpG^hYx~s|=*L=s$_J(@wPRg=?YL)Gn#nc|Tm9!5#OOIbA(q2Stl(duU3i6$9rxuKGGTLVaFC-0ctJf(452iQq$|Lv!K6)gVq$XnxB0v%lk4RU|(b8f{ zdHH<&biJyBa07HzXs*H1rF#GL>tdJ=9*(kwL;J(Zpp=|Jm5F1FS(+y=x8ibwhhd%9 zxX*Jy_DI^@O~8--h#}BWZEceKdGPeDu0(>56TG0;s;_>`ENut`Dm)~V^KI`xNjn?{ z^^GS*4MC$0mP625aFe-at1xlK581hSuvZoO!K_R9BQRW?JpH!VZrDWcSItc^f^Fmx zC()hLk%6_LM|2`6xq$J}%0)Zs-KUq* zwzbm&r#nD_%Izl}l>Gkl7*&RIcQC!+BxUTM}%9U zEEwrwWiVLO*|PIZ%rBgrhPRQDxuHkFE+pIdP(3ghA#LLfOgVFTF)!dMwYH&NVu8Xl z$y69(DpUIEv*T^o6dWAfu@>condJax-v_f+NZ-r#J|8^;InA;?y~8*E8;!6x0>b8c zn?x&G&BHI9r`pT$9UNua2t&-8Wo;WzZQ_~vgQ^2EiP`qCH?l7=X5f>Uf9cncdZ}f3 zga#5N=)CEaA95`&3cNEPEWaj;(HEKj z-0{3^?ApgP26B|RnihZWbH@vbM$%&D4CmdUR~Y-W*2v}A=C%)BnyNhW;5+)F@*{z`))prkLBt3wYTPF<)1#)8gw=Hiz9j$VE zov3C$9(52L(CDG4^W*0j+PEEmrRqw4aHN~H^sO^s7cf|=4a3%;sjkDW$ka_~p)?AhZycpnJ_LuT!tw*G=4T%uVi_e#K65knyImN3f=j$Erhmf? zTke%huU7oPY`8pj412~lK~j(Mr-O0fN1ed3-A$Kr%$2z3sb*jovkA>l$%dGkQVz2nA+@r>lh8Nms^|&*@eeWk88f_-$Zvaa z>V4CHeaJ?<6@K>3-A8Y>koj{pNTVB#PTF%1XLkqjt^U?ak`liDO%5udwVKwRUTV3s zorgIet1*lEjx~$f9OU^8ymJpad^S4*^*EX@7DHTB^;PHI>CI`b1g+zTvQlV4Lxi1X z`mR}OQ$2}4uK*LT`2k< z3M1B;&wo#heb}4CC&7Gz|7e%&GLU|)K+X479$bL3%i@&~A7bl*`QFjsM(ODqOcM!H zkw=cWMkQtByC)k2=QT%+4)wQHoOa?k=%Uy@6IP`n92eZ9JM*)|eV~g$xy>!~SY(@6 zssSHx2Ei_)e6Zoe-4N0a@faw~Q+(oG>NfhmJ3yf7397yF$0xoKJyO!E%i9ypNIx(R zV`EN={M?83&=`pw1|I7;&Z1p@?tmZ8OHqX>ZBgk6D8<-#GWZoI_1~vA0I{EraldQVS!* z)xo&GM+jfrr$uO{C9Sf#4w5Zf?HBxljQ zF$>L2p@tpbJ{+3_nzzIEGYU#E6CH$N_hK%Ql968Yx^&Y!kmz>(9P+7{mh};Sc%z?k z0Tg9D7Yi)UIc%W(%*RF#U75*X(^8)o*2Zv*35$6K1C8v}c;S#TMwWKt zn0(4{hmCW*HZYaeKp+rU zgy9Qn9G?EQREaL=uj3<;+^fjk^+jj#5dbY7z>gX7OD;ME&qi%0iP>6{Y&!#sq=wdg zRNB`Hl|kMg50C8ez%aVxzJ-kf;H64ed}1+zgs7wTp-@Q2S)CNfZO<8*pfOrxoPLmm z7+Dp-y&sVj7b7S0^atl3q=at9T8IC@{|D(m@c$s)UVH@ZL8Gq=6b>>0(8^kb_@pFf z4$~a6!}xuKUMy_R)4AdC+AHmib|LDds^H2ReVRyr zzX^MCygWJa#RaMiI;PT9br#&XxcCp0-7*7!dlC?oV5xMA80_vd4`}~0c%P<7$joNz z(B?aFh9k~S6(OIx;uwrx6&aT`*|vT8R7X`@&L@=%|o z+(D1^OR!;ym%<|!mm=3-6NpKHjGbJ$f3cOPv3w4z#))2>C zPh1RWLq&O#35gR$XEbKtQQr!xyK{1;>221USJOmv);h5lT1J2RzUl-luWHyBZsCX( zF1Sl)+a$M`7u@|y<(GA-G!oJq-t zDz>Pd{<7+v-?|n4=#`YQ2*f2&kxPy)xPS?& zY%9ffdTeLX>`P*`T)7)-yb>iC2mHAVCv5GGFS$gPR>FyX*-DAH-+Fbxr5dR|BHY=n zNQB#Y-MO>3DdAmImavTNPF(zc{V``6=}|xu=FM5+XeraG?EHt*s-$05Wq)sZt|;Ns zerwW6m*Iwz=$z;in_0h@xDw)8hB^~gu6p$FZFLk*7JmvV)n@NQGx=U*;W79$(cuM^ zDsmbe{9;t_x~ZwnpefV5xXM?eNcS>ftnnf)ad45=w6R^-f%!Pz3=C+NgoH*Jn;eAK za2MlbwV*X~5x?z#p|>3^8lIqUEtJVb*3os&;!`AzJTBodVKKuSylg!FEkejlexQX{|G(cAUw}*kd4`icJ+a0fpY| zT~^(l_hc`+V$e)iJ=^~7PHH%TzeLy~e!4Tn>b2zxDBNWirx>26St2Ld-sj;{4Lvvw znt^t*JdAp=Hihsks8KIbR^wOgZNA@|syA6@&{`L?1W-w0J}Y79JU%J~Z!xgh%^jbcI(BNSxuGcezxQa%sQF!VAi5GUflKDmToaPgRExd zUjh^ozT=ZyH6&A_;1(#%l^v38dUdoOxeO+=oqxtrw%lQ|l2(IVX>ainwtgVH#m%T8 z^O(kN8OF(3R_o{Jyk-Oq3_2|A?qcKH;6GiaELHCgZiPTniS9q`7M0+>FQmCjbUeF4 ztbjUCuxRN&^8fB%WXu>aY`Poi3loaN9NeP3#bn9Eg@8|+G(qTvRw)Wzg* z=K>}dBOEC-vArWL@F052Ep5HWv=Um}L}hN8tb4Pf#w0&1Tb))L&3D-zR=pUG zH>R`k!GGSHWkvySc`I`;TIX@@$23T=Ulo%MJINMi8^l!aA!=1dj2xI6p7yQ>ZwA#! z4YyVuFJxb=)9G>7NR8Mz6?uNV_{)G^oL%;DRacPds(G&wGrzqsp748o#Wd&ll>ET z;7QXS;7>{MJnR=!+!T$wmG+n}Dm5+b?MFW5?3a>tbq6zwNTpBCc#YaVHj?A$8;k7# z-K>z4j1cna){6N(=Zz0awJH&=VNC~-V(ROxzWG+h|< z>{iu;lDgy2PO`3HYk_SWCBIYR!QJ78H)UA`!i_7tYlB7Q(pqmY@}5ClvS!7Wk&+)8 zg=nLN6>PAq$Bi@lhXEIR`6hU8jxL&j1I-(E-e;E%<=D6>1*2$|b3MGoUb&jp zRaW7z$q>akt3Wg0(?GAdXZsyO$37Hdg@0dX)A{jd?#lfxTaSM61`DNI*`r4**o1h5 zS7g69#g|cq!`1KU!h%V2=XP(T&tyg`P95?^MtJu9YNJ{Y#()heJAUJ z%J%rEKIxSRv1mQV#@eA)ZcF0OBIxw^u4=9S z`o6+&mep0sksGK{yTkX-%78fP+@-M%eHJs=^p-bk;vEr4_JHa4ujQSc2~^+C33xuo zt)(X#Gh7S{FB1Kc9)d78$a?Hu*}}_4*1!6@HFbP4$I$qXf81#S7$} zxx??EZ?mTX=X>6plXwC=YZ>+N*5SNxHAvZms_`3{H!3ka$2S;50|1bG_kY6S|BROI z@oO`%)}H|BFW~rt^mm~BZ*-Ncjm4&%WdgKxvm_|szXZJEIRVf+3Ci_$IKu$S-#)h| zySw}SfX@i)(ZwtrHkUa;p`N;S9-+2cS|&!gbPA9RBHRz_D`-L#w`3Y8a~TsMYi@S- zhQ+=r{6EEpeRy1k^&GnPk_o_Lpa|bR-C_2|Oy})G54cs?1FhXlZ-9$Gk|R8E|5d>M z1)!7vKd}4@F8;upe^>plVB)`o9e+IhLx!hvn{=jN9vG;t>dX~J^MLzW2H;xFN74TW D0!{Dt literal 0 HcmV?d00001 diff --git a/webgoat-lessons/password-reset/src/main/resources/images/reset2.png b/webgoat-lessons/password-reset/src/main/resources/images/reset2.png new file mode 100644 index 0000000000000000000000000000000000000000..3c94b01b57447cbd49a4cc4ba0a72953a3dd2ff8 GIT binary patch literal 20799 zcmeFZcT`l(*CyJCz^f>{NCt&h5Rfc6gG$ahwt(aek~6I!L85@mKlg_>_Sg_`!95tEltWUw^^Z)K`I9Di2u$4{aA~4{tL!E0B|! zhZU#0g`1U?v%9T}$6)f25(xAUNKxjEj!!0P+4r5!IcDIPSixq-`pTG^KiM>xBKNtQ zv6hUhVp;F-X4^74i7pOMs3oHdJS!#pKfOrAiWcJT@fgs>YicUp|6f7>$Jj)xa2qh_|CsX@ zzF;aUG#Pufl{%LH(x|f}t_CZO$)=Il#}|I0NnVP#O(8DntgqLYvtoUNAt!00sU-Nw zm>IZzT&F3*z@Rjb4&Ua5ZC5kG-k9 ziQxL!YWz~2o4m`gxJ*M=wZ>t^#q%5Y=?lvlFU^m8ugV|J@HU74ln(e-E-pP?ZV$(8 z*(f~B67=gQ$@sRn1*_QpSZy3~D}LrzWj@YBrA4ZaLNxe#XL=S?GS(v&7VKrExaG+n z2|on-Y9)DB+|}2s4H8s2&d?*<)M*wBDee*|_OFANc!+kE)IbIc?g$_}o108LB6v~) z1C@r})t56(OSYlye~|*}Z0Y3xw2>U`QbA7A$6`L7PF~}|eJBXYLYQt(Jo2u`NFcA) z=v~xfJ}UhUc%hbM{;m*84(d5h^P6xN&#K?SU0jy7E#c=bVbPDYIbryv5C1g!0c2cJ zM`*OrShO;r`n!D7Ma61hIkfcQQoKrkbnn&GOf*NqBuAuPiTCL-;o0RZVx3G-TW+eg z$A!SpT8krLjX+xnY0wRZB}DnRM(zrR}-1 ziR7m$BVRptuJ1gIf|8N~j3e(WKlRx17Bly=kT)=EX=LO;bK>qEulNx*=M*6R67a=m zf3LvVh8>;`uetx@Ut$@m?6Ndf8#TMTjLuF)g|a&ndp)FodhPfb5;{3_HCC8?m`z4P z5|`)Dta?UC!qdP1uFJd!hBs#Kk4`y#;1m&M)acifov81owBN2^WnZQJg&m*B6w>%xz1}NkzoDWu)Pyjui&RVTL0^(*gbHhTQ}vBU z&q`r}F{RVA^PRlBX8wSvIxSspefGmVxp99(%f5I5>M8Tjlq>W1~q&OrFjh&L$zg zQM1a78cNYEirZX~s!!Z7m$B6^JQ~m!M+mvCUAU!lE}}xV31r6?Ohii}BShG_?04sJ zAQ_F#k)*r!71{#BRM@`HZ+c3qIT%YK6~>dKkv2s1Hz$kka{h~=?FXB07;T){vfO&z zsKR5@8--@O#%W?Fu<%@0!Vxh)^Km874o|P&xo=$dqdD8#_L}~luV~*i$tet!pJJ~* zIl{F3oO6#o6f<;%nO|l#aL_F_fYa(myInq~ON1m1&+~2U?4Q;KN z`C+L@?O)t+yS28S!D^&VPu!WG>Q-G`Y@H_Cd%GdTXY%SdhhP5BxErHGov~q29+&>J z{jy}O20F=XXVE^#(U$adD{Vi$(Gz{s!Bp(f%-4ruC(#4j&{w|ON#^15lYV}FJB>}@ z$HPEVgReMfj1;Z<>*+fj;puZF7A1njH~xDs2ELlLq(7l|=W5J->%P|&YO!H%U731b zYV)`;*Y~A(uamz{a)iQE{6<(eg!QtQis&Gw`G8@&7qd}Zy*%>FT}9O6=LzrW&XsMM z!Pbt@+p+9!rArFvMU~x%x=}U80p4*V8dbhtEv&wcx`o9cNfXYkX3p_L8Q9h3I z(q50Wt9NoMpR4iy9o3Wb*KyqfL=LrU=CX2{Bn z4oLZ!`Kr9pHsecg!q`*9efH&(UL;$0l)2JEAmJG} zlrXze&T+e!w-%wQMLs0bdilA`-`5?arADXDd0Sx9Y{HaS9s+orKzw#f;pVlNX1(ls zHLckuU(f5G&?~)miB&aVhi7lNchGmbQNin^YBviRCB-yNC>W#Xev&4~+4R*M1~Vm! zC8^-i)HK}{SMMy?ET8F1av5+fWj0{;nV!?KzvC2VXEl*oT9o7q?5}@rvgwrC;yJfP z&q?1Jsop!9+9Rn1A3Wn@r%6q)-@4z z#T*mW(^8qw*1+qj4&os<(Z;_9+^E=}Ziuy8G&9Xe2%8UO#$&89rDAL{peolplNd2X z>UTMzwMO}Kfra2=)d{b~Wq)^>-lxq%{qrUIX&Xax71&5Uhw&lSOx#~p4r$!YXQb$a zhuEFTD*gAz1kdi|N_Y7TBzum@r&kQH+{iAnoE5(0j*FL<+H2J^fApz0DkNr6einV! zRNz!lzLrtsP!*y@*Gb8dvsAXkKH8Q`La4vh@yajo&G(MByE_3~!I-L-4XngOsZd*c zSxSW%0+@@!cayt=tHtmlcYBh+c9N($pX96lLEahX68mrKLOVU1H4W_8@~-OHRpM=% zNA%5&|6FWlzN;7HGB+QRjZm?HRn-v@uzlJXQ4oCz1rOA@tT!P!G zOBD6q}o6es;9E2;(m3t&9MsfkBeRF zi_817gazS`z}2THwV63Z4EfU+%MoYZEFPRfuW>z}HS6NArJVKMBqmSD$Kkki>R|@l zabmDh^$b;)`Gp52{`tY}V&9rbxAd-#In2es-_@Rq;6xVxQv_t?6mas@N@bR_P+y~N z;3+ViF?6LjQckSE;%?8VTO{= z>ti9>Y=Y#jr^J;XVxE&sw)x@0>-EvkCQKRhYiot)Y!n5}uMvaPe)kG(n zciz-I-d)fuI3%MhC3Ak)FA54HoeRCU)D|wKgW?H?lGtM&B|i@w$Ye@p#g9}!yo3dw zO*uhh{??#n27wwY$IkB98OmE_IuveNsgML76-Tecq#8Y*cfwiaiPB_c+}72Yl@v6r z)LGT-J3IrKok~oc>@7bGtYwvxXPd1BDQ`T)$E)dQp?NV_Y(ed+nEZ*i$f+iFHb`Rr zSHm9Z7KLu@_uW~SVj^XffVi8&p;{Hn^b=+d{P$$z1DA@YqK*{tneONfmFN4B60JLX z5MWdU7}CG4RDDZzx0=9tMc2F%v^mGqaTTaR1R0z8NzK7&H{F){lQDN+*mH<>dH-hY z@6rtbW9e`T>_%?J(N*2sr!$?r3N_#kG`ZuM&EAw8u~y=4IQft{G2JvXv4B(pG(-82qGOCkB;?Av9s)1tR{-3gwv zOD7(QafwOt0-YhtWj`h4*VZ1yCqhm}1~JK7ZDddM@%Z<1Wi@xg-G%Zihq1Mqv_;_% zChB!kPO)PY-(nX#)$3(>9lV)Q+gD`EA5h@XI4&V>b)=(aNSW-{gaaeOZ+NrdHfe=r`&YI@Y0Q7d zdWE`SZEMXU4W91CwPJ=C!!LaVOgBDRn>!8u4EOS*Hx9h%QIbZUvsg>rNXgwX5na~Y ze8FeSWsBy5@ZWwhPV-v5#UoqkL<=+%U!iJ-4W5Sw%MO&|K2{nz)x_6i(2RkA^WP_~ z1^td}mtZ-UD!i;sK*kD|ON09I^F8Pkb4S$}xqF~Ni)on%s5n(3IW)K7xrFjE|K<@) zWk0+7ZMq=t4cYj>V5E`o;pZE!r=Zv$PP!k{cL7wS&@JyHrxX^^>HhmWFK;D%NgKGu zq-+|=iQH3`GY7C+i|T+^c@vdZ)im|;Szms(T1~yz!dJ7>_#T6FxkLJs&yYb-dI#s(uv^n0-LKuB z4gnL!w6BZsAI#wK&-UbpEAu0USP{FyxC%}Jia zi%Bg$?ed1virXAW?Z|-;$>yUvdp?^3`=!?CNWsPoz$(SGHWDJYv~S3A)OUAnvikit z9cB5X93uZn+#4aJcQAi*JTI6$A8?KwlSi$1>l*zEHyqGSyvS0atZTig@nG|WcIYeA z1c!E3x`WIwjgp_tHa*~GR}s4vaL*XeWj-pJMFh3`%_*;4AjI%zTxE1$&z?CgUKwDX zUXEcr(Aievb#S-vNL#p9M-sQ!iM?*as^z;G%r~&@@bDj}#43L=Uzne}{-$SI>Q}=;IX~VDxp-hpnFMzI>kK zjeE0WZJC-=VVnN@RKIxppGH=E5X=EohG*>_D{Y;R(Y2*yZ8^?+}st}u#d?0yDM+Y z8bTX7cS-Ny-JRj3T8dY-K()b446y}FWxnD(W?v6EDOYE)NjS2|-hom2OCu2^McNc` zpt$wU2y&er>r)-0M$S~4S-~pcecB-631g3U!SdBDSz1QJU-=GmA^A<5V3QEe4W;_x zY4;wmp}uy6>CN!B(i1)?kLy6gq_$U4@?}dzMB!oTb$@$JOpvSeb$E4dU5~@1QIO}6 zg9TcE2ym*8C)7G0Zi7-Snw%q9pK1p-IEYM6(>S@uRxWC`bU>$yZ4CddYu9`RTcj4= z98}n)Q;Xt&fZBD$gHP@Ffb){dfp(o5MOeLNVX;Hb=S@s3x-t|Qc<~lz!bJ{S%_f4L zTHNKkL2ax%?P2;w`f{Yg&X`wH4o^lS4JDm55R?dT)5g(pOJQ$s;kTg1#@1uWbm1L)kH0HR?j3GLEjK2$MJMQ9kh#L<~&MnrSCOn)KGBQlARkN zNL2&R5)xgR7)y3Fa=w0S2dwad(V~fr1 zyi*&!qrlWI>FutJv!5B7p;1z4+Ho8?ewMBI=VxcX9QrH=l{ok6nr7!^8MRnC>2${} z@h1cW7hC$smxNrp+-&bMrID0v*Le8X0_QXS0GJN9b&V4G*xTbX74 z&2RyBS`BtN-A`g6{g9(6PeS>Ix;tlW_wiYF#bd0J5+~-kl7Ihn%f_L2=BPZnt*NHc zP{77E<6+mk*{c1oBD8v)Q))Jc;SOV7N~F92mXq@}srA(_n2d)8N#fc4y?S-9=H=jw zlw`=6y*$#^M9+RI&Q(z=d9=*=*#IZj)*K!Qlb-U1AQOpmd`su^E4DJDXXrQ9Au8W5 z4D4tyTP*Z(e^r)p#vn{3uTUFxX4y>=YLOyjjSkZ{Nh4AwtKx4_V*d^sUre$jJ0o9hM+eh`t}%3Cyr2KIhqTyiIykU^wY}b%WRBv}rio zV}5I`HQ}uu84)q?s}b(VLQKWCzOkO5^+@DTo9({W_nYiD4abT$W2oznkIPsM@#_sW z8~hMI^qg)x%Kab4P%D1P z%hsrj9K^E}Z5+_v8y&p&1lm(luxCv!Ra4QO>|S6B>e(hjNa;o7JJ9y>iO-lvR#fk#>Po=H3JCG32v-94>TByW5Sk=CMJszdP+14IO&y zil%@HJEE+SKfgM!k;)Oo>i}YWtO0>EsIyGj>7Cwb#TvlGVSZQF*VkyD9nZ+rF_AF# zFRsU~`c5!v-P`Omu|}}KVKf0K7o-qlX)Zs^F_@M0*R zGqkdvzP-JTEMOZV2Wf04#TGU}KDfDkU;g-G&p>9jZAkFTV%W?R2xpzEuaCn$(1Au0 z(U18p9eAk`Lsg_gP>`hE`2}P7+?%3sO(zjCu?&}$4m%7ZH@B1!cbu6H=*RNt&`?=+ zJ#d{$M2<*sakaL#s`V{6D;jm)MU;E0?q;Ujj1^qF-GvSH^%a?g+?-O04EGg?GopNaeB3-yTd|@!O}pt>NFMf)Mw_9; zNV+_65K9eln6C}82rLM0ehTonoI*mE>1!#pFx6^NCuft%zbXKUJpDetayb_S)WBLq zpnZCB;&yrhd}SGCfXIClC{Otp=*P3wOGFKJ+bH>BCG7gzcP`WD2$H|&B&Sm)rlg`a zHuC3c_vM=yQcUOfvUmkBROrpEt-I~?yzKhK2x0KN+Iyy|6}sLO(LTYFt?g~Z=ol%> zamz#&VA`*fW-7K(o0GyqLh6~Bj#6N!lwaLWuY=1Nl>!KKgMxy(gww_#KKzqnwSes& z*wS6LnnHtmTC<}BN{r|kYFFrh0V=o}E>n}Uh?OUmNMQkNL(s-%8%=|BcMD3?LQ09Y zHMHYtHgdg`C``}DsOW6YlPeJZ)7sug{KtC^-~2PPvXsMh?jfCC>r`o19_Axz5Wm{* zh9);80b0t`q17-wJK>+`)?caP^lg=busElV9~?3UB;*is|P&*kqh|DFr*t>uL)pAZb7 zuRyQITwPs<#>O~1f5+k~w<-UvizHg%173e(!&1_*&Uf$>Jh2>7Y6Lsl!U5$b|E=XB z^&k5I&xfS8fcBgM7FX2%yR<&)C&w&2?!R#^o-v69gg`bxwVRvUy8DG7q|E$WlNwU zXSkC}d!y4{t&!-7CrBRu$MTobhY<=V7|sE{v9M_|Xgg{L$SV1m6a{EpNpn&4-K+9Y zt@V-{ii5`H5o?kO$ySJLFsxp^sj@Q*sK>@o{x*=`gp=;U|dPmmlI84f93nPS$j4cfo1{yM^JP|7i7C^@kM-)eM`lk*_9qb7SI_+h<#nyHu# z4p#RvIx8QFmynh=YC_Toe%M<)?SHbb<3%-c@D^_@`P_*2fNHwQN&}9`VNP)@QR22B zAsJG`jJuuPoY6x)OpU(yvG2x9*gOQyglOsl)bMr+(X-UlcT`B;ahI%%ghGNGjHQiI zciiaEfFxvB6&uK&W6!~`U}H_>Z&$yWclJ3XY9RZ|!(Y0P%L{%3^9(}&tr*Gn_C~Eu zr-wKGyY=xQin>R3d6X?l7m;algJwfPtY{yFQ1$ zRX|pTtaD}7QKhTa<{ast&vnaaujHW06qlS#Cm`as*i4;Fm6e$N;lnbRpr9+K)oxdN zg?!c!fBL$J(HlITweVs0$9Cd)uL=0{GMQ&Kp{I1LMG-#$tik-PtrA)({E;I0~%(&_5v z=o9zW*{`UG>$C1tW)hyeqhol6_9(+mxIFjGI$Q$Xb&Jki!%2HUJzF)AjUVMye+QQc zhu#h3Ph#vS%iCg#pbu=gk?m5Kf@s@5`cwn;*&d>ZjNtJ)7Bej( zcVM|NLZ=Wm`&P84M5Ip0JsYWXlVE+YkVObLMEiMrlkjB6h#FCSVwZ~E^vcV(-q%k` zsXHHhks2AhVruk~p}*eU2I5;4`ESbnTh~=yYf;^_{r!6am&^XKw>h*=UohlD+$Pgu z48ff=?F45KV2jUSE=Z%w@TA?>J1oNIaeDjSEFI*+>(Y6y3;RtMLcb4Q&Vo9{aRLiE0nd(vms96F)MrtN6oc;a>k85#Z+<9_b+ zzY7)mV;@ff14I*JO)}ZqP8oaN*0jU3Ti-YxETFYpz{FIEKC3kB?L6#&s{2+JHIL7V z<-#gPC?21X@#J97+~KCrBVmSuMW>ajgkhnLA6!re=i5Q`7>pi^Y;V9?MWCReuANli z^ps{O{85mT4Dx4r#k)9Fv1i%7zA_&pQu!X^#lvEI3`{85?3*5zpYS%(b?yqvAI3nT zvx+R{lBW};4dv&9*?f2)`ycl~rEycv>){1T(Py^&*-cWDKJ8%cFKv5dvb~kl?ck7P zIsI>~Q%|_4WqRxN5f@EwMwh|d30hevD7#;6W2@%yoen4F2lMqYjnZTH(!oMXV(y}{ zGB2FA{Ykyyj+Xq95yx66tKG?|cH;@qX29F^y*JDGM$O1yqWq}%UtGlCw~Bpn$*9A$ z(_MyjYMz%f*0`$S-Eji&n>b5p)V1aAugXf%kvvz}!a?aVqk3qkdjM2qE#P~^=6dJ; zHTk5#94mvhw!j|iTx@%LyTV&dC>vlco_WF675NXjEszsS%TdodS8&BT{=9e%yr`2W zf04-w(!kAUn~~p`%~u|)0=?%?m62KMw70Kf_or!a*6#jn;NQf${bhlHK_rC;)v7aB zAV(5!9nVfVf(or5Dl9Y=?mGQ>oJC8)+7&ncPP78Tr)m|K+}f^n=XvQysYqdA9qMhN zJFa_JP0AB7Y5Sy(QDRm{!t0sb>@?X^iTX*~az=@JAJ-$wOOYOaF%b&ZeyV{Q@abI7 zjM4n~pL>ql_ZWbXaVh zy(dwOkW4bXF6i@yb-nl21Q$55?Ys-(%mT_+q65Z_)72ApoM zCT;EWd2gzUy!Utn+I4HoqoXu8Mym<(E|*Q(a|QYi68As^f0kO6-IT64NwETnMsF(XWD67L?ZmP2u z17?*J`iH?{mslQe@1KpR(S}n3iWuJ@*GA_0WNXQbl|iBAXRY7TveGa;e)C$Bj3;A^f#K$G+$KD%HIh~2M$3A)63MZoiw)CvdEV>IO!Hq z*;p^l$vBUF=5Z=p?2Cx>@{*|@1Bo#)sk!x#UgfQCSv6Qso9;Ld3}?rql&Ok^T+Tk& zNQ3|QY5Nx0-Qd>Ftk$2-QR(&>{}Axl>W4y?n~nLh7$WB+a?$SeE=Gd$6<)NJWlqCe z*1dvvHGN(;F*&5nDbF+Mi? zi~3*(Hvfj;<#WgVGHn^MD*e|bB!{;f8SBV>xZ?DBXd~@5(Jl&E9g)8SKJ)RL?6+d9 zNcM3k&sHL`5NP!ATL@S8KAvS`h+Mf`>q?w+HWthuj_-0zUp;mZ8gCHsgP=?2Co8h( za6WDb|JQ8P7N%Q_oDp`5#>A?xou##fJ zF6DNuYt>{Y*8jns04B=fcxr59++X@1#0*j^{01zlfr4fncim^fngE*lPt5`50y2(Y zCZwdK_-!Jfwuv`%^8I8Zj&qcs*RId-FCSW#(9sPUB37FJBuMM9;GpJ`#SXl6rhhMB)XdNMf3)DZ#-nsG?Chy zjmgxVwikjHDJ6`EXFFAOn4_P?#Km1?uYxA|aMBYV&pr_FcfF7(ufG?NZ>6hy{4iV3V(j*U#96c#>slBm7VgAIIOyr_lCP<2McuDz@Y= zGmni@+bvCRoDWj-%=X^~w-fv9PV-SV%iv2jX_y35Z62trrK!lTpcYT+LZ!&|`#pY- zRdcpO1BZ3a3bgBcz+RA=BNlQ>!+-e9rcr|tzrL<|88gatHg6=<%@^2BR`e6^Q`0mZZj#eW2p(3fuf!}7Hi%6Z$&-mX+-?t#7u8JtpRMp7-gg|zQj}P zG@=Qw*8Skg{r#9U7#eL<(mQpa6t!3DxlZP8{|Az@t2bmHr0v` zvR?%%@EMN;BWH?#H(JPXsS)j9Q4aB(9>ooOVp7J!ZW^fkn0mj~D21D1eFhsQg6Py* zpW^0(EQ-$4=}Wm{R&;V$^1@5 zz8_oZ)+=#T6gkOhai90RWDlV)AkLZ^a*i{TPkChIjlU8RQ<7!YVpHG1isWmHrx;{` zWT|!^l?Hx)$3djJ{i8ZfBvvHQ0JSOLz=8+tD|v}ko(kGEPd0C_rugIA@^U{-74tK) zAUXanzU*N(S-Y*zf}}gRJ8QTQ)qZ=nW$cdeLyhLgoH9K0(){(-T9YtpK*f#IF)!1? zpn=>vnQ@byoWDK^i5;fe4O6#0A%!|*W8e&k8JH3X@$=BQcq)-B zUM9;&5>JT8;%!DQNUjZDQvP0>V_+DXESYM2MrT)2)-V{HMLWh>?3jN2q1y?p{&=5O z)OEGc^U#I1%{8?-Rjn$u9=?Ok6llGm6=v{-EBBaJ$#1Vmrd5!3gjE_k*qN>V>ZWB3 z=S&wt*KsNPw@@^E-IX#QTeO>_nCfb1(732;)HOsiFqqGIq?#?~o}}Y|yg31=&lO+m ztDNtTpnS;q9!C{D*!?CA0r57G@i(zZ(`Jf-nIJaMK~67!#IN9V{+dEHq+ zKdWVGq-q1h`<~w(eBb9wgsn${6B+DRHZgljmz2M%j7-p#aboC|nn2Dxq}H0rHAaxKl)Kr3 zGd%bCboa?~)}#iFIwd&wva^@fpDArFqr1e!pC6%*kgdo*=Dd!`clRbIv0K_~R3*T8 z9ebRWSxlnif&>F$EJ!(Q;B-aRh{1B=J!Q z7JsRACWaU>Zx=g^EtbauOM%!|C#IQ{WjV+r;oNeROcozvcg5nlkFe&&?6W@sW(trG z|H1pixzhnx+7P~Rz4e&#?Y0x?J%Izxc5wl>;SNvJz|%fkgfgw<7dH1!R_{(r8krYY z@fU5MCnyh91iz&6l6sA1w_P=8j)sjo4oN~ioZs$z4PMAx$&NNXGxx4 zUEjT5zfS9Dw{~)!Ksygi_YohZe^=g&nRUi_?!B-_7eYDLmIs%8-)$Cm`I2Xoqotm9 zzE4c{-~{`yZe^nKnH`NB=2p(%o(Yh^ec&|8sGr|?gN+@8K0hlFx?Bi)Kw z(l;G0u>sx&?jxja9v1@Hn1F+WZ(DKU6r(cd2UDHCC;IL%d0JdL!qcYu!C)ne%bX^| zEVk1h`Rb%aweh(TTz(sM>Uzd(Y;)gkjdg<0U8>L$2M&@KL*^M2DnqoCkc>Q}cx_Zg z#C=)ud?9+Y9FgH^Wf65%kPednBSYOkh>1Kb~G=`u>*DOeK8ZZu-j{93_8bz_lKLYlh zReVLVHR#pc;=41G6|1JX>Ks_p>~>Bj1&U74YCrx#zk{5sC(KSpM$Sp})ls^l9m>dY z{q>0a+s?Uwpv6_Gx+p8#IzwB^nmE0jcAZQQJw zmP3%xOD+R+D6sc;kcd+QOZZtX=6*8c{DzuFI7udN*t=8ejZoT1dT(9NT7(s!2e#Qb zWU;QTZW$9Kdd6|3Yku(WD(;Dz_J>H>o$o-IiLuHP*6FCvJ7b6vhseNzH(v_OV*RXs z6j~fiI4w(-$rkOW==uI}_IjOm(})iqk4ve6pgC|Qvr#M@bjh3xl1)`y?}n)>$}O;obatd_MN-M6M=-vjZs|D2+SeaM&_vAotxAB&>6Z^w`4FoG%6yirob6nI8T6Rt; z55-PrZD=vq=U>QtYhk^ug#GwJ9FBQwAtY;Wihm~}4x?`D4~f$b@@lxL5VvRB=puhh zC@3bPWr^}eW`ZI;M?Ik3f1nvXVO+LNiTQc!yU|nG{8hm5!ocV2)^M5x`Xb;w(9x(z zkbBI(O80gf?cO7I?!UA0J$9e_xc#!kSMnSt$!W~)B6Zrkok4nVh;6QxMLyLr;``WE z6o&1F8V6kqpy^Wl0ES6TO$`s*?B-$T`R^5{539^WF^Q`EEGbE1!8?BsRb=0ee7BBL!p^vcOSXr+_!PSo4?tnk!j(~Pmbpiu7Jw-GQT0pU zkk`>D#VnSqK;fcJy%_3d?TOHorh9NSmo~)}(0nj0Vb`TTu?t?gq!wPuGT;NPUi?#j z&odIq=q}WWom^LM9$U^b<7XG;Mi2$sj8mg^l*!}NSH1u<*O_>$eB~H8cm-;yU&_O- z^6Ae$H_!*Tu>aQ{m@Mt{R`_< z&*V&>ImZB)=zvN_x3mxI=bt{h^|>%72)*z9FI?sey}Lm7DJueCbH#-2Us&o7TT5oQ zTyC|O1Tj^*9kS#VX`=wWeq2#A+0rUtzk3Re<+|_v1b}b73k$7jF4NXsvDE-yTZ;SV ztk(bT2TT72V9ndon)%tTk7Ro$!e{}dfHZmzV6ekQEh)+TwEoa|-ubA~hvd|)x8cfm zBC*x?KpN~pf=ly0{QK`tuz|-)V0l=u7(R6FHK(N55uXS-Xs;v6P9*2q)xxCiYU~@G zP$N{_hzG!ie}sR69GL;E-VDR$;$bWo4(Nl}5wRpn9;otrY0&fkUIozY|AV;!@17ci zK8j^bl}_d!p$YJ9J3YAEmL0ELF6vIHY1MBN-0Ckbjj>&u^|+$g`0G7dtf&Uszv8=G zOc)+E&Ya&-%z;0-U930BmLffB8FX>OdcHb8#+N9K52^tY65+a1O9M89$CXbwb;#7-u%)e%Rj!MK*IeA?g zv`p;$kh*RYi8_{ZeA_=<+5lLrN4-pmQU^YUY;}vFA7MetJBLzjemVh034augf|rAI zU}LmtLNdLrfs{FPG0276TR%s+W9rCr+RkIGjBAM{+=JG%ui1&L=VIO`V5x3sc#~x! z&RRDz?9RoO(S~GlhsNuGM7Vuf0*{zA`;r^N`u-R0CA?#)T~Lp}y3HO1Q2 z2fa=NwWj$lV-omr<(tx$hsKnh-(9haUAIkj1=f>uUx&8MpPq>q9Lu%wsLTA0%Sba6 znu^iQXaje*Fz6p5JRDsE$4IVO(FVPJGS|d6#KOvYH|~Ux=uTFKe1|=eVRo^bVhMF2C-m7&(-sEZ@6%FJ5^Ip1 zY|_UF#<-TY{87QJu(0Ch-Z|B;lQQPyAq5Ic*muxX|Cqfy=dKpAvB~{JyCZX`!qSnipL`o)iV;pmOdz8PwO=Aw+Sy zDubvHjBY=pOXR!i40wM#bg81=SqI@{kjnsrEc>l{t1`yu|M{b|2L z4CHe;cie^>$~c=~PeyB)NmOwuV2 z5}dcvWC}kawY#w!U{jf1A0~_4FNpHRf<4wtVV!pdx^dD)d+o%JK9F1oZuIy5>0-oE z2WC08rHrLIMIbFN*lQ^akBtH9vUI!gDHwS!6b)=6JyzQk5}9!`D4YzGpAmf62Jq>R zszG)2TVMP238g!H9OBzD`P?q~TyQ=9V|x0(E72RMmU?EAcxHh7k67Bc*!mq?lx>1g zW-%A5n6>^q8o*bx!|nXIL#8)1aLcH1n1koYT3r$P&e(U!U6Ex!_jz}SOtj&`z_?9- z*Q(S5q4Ig41Bb#2p`p4(hVA^V%?lC?{iej0I>%p_;FC#{<1wajMappmdqNHYaqsGM z^!|uB03?W&;%w2vEH-Ke`fWHo?Ovf41QY2$>^@yT08Z>h9??Uq7ZNDIyll%VUaJ!8 zN#DNFc5XQKE-m%j?}C-$=2D1mLhd$}-2T*|UBr}Lt#w4wH?`o3 z5v?Zw%P;HKx)56|_KyfE{@yz0(;q$g7`3!fNp|}i3T47RH@TdF-6nXhDtWrhjkjfU ztrxjFAq>nbglg?aRuWDg>tjwAlCS~H`L>=ta`>I=)0Q5q>XXL;lLcTcH8Y!v`jxK! zKEuMJFG^nq9uj>!P?r#Ay3oVdgYYCzs@+L>UOb7XeE@UY&k$x8fV+ac?*r$EORM`= zPVt4Z#JASQ7z1)nVAq0EJ_2n*{JjvblrV;bv~*+PLO(`#@U3e64K9Jy-}bFg6T8Zs zCB!rg6S!&lOks?4GM0Kyydgd@B0}$S<|7)eU*qPl^3FF6FYg_{6?7NBk0}Dt+8}wqah{5F6-nh&4Ru7?L>J?5i^Q6q4>!l{)w0Zt+kq z<)%xOEGE_SSl{Nwq6nMa;>|2H$1l(BBMe)ex@FaoUBdq%zLHjsM0In5v+5+_Tk)j? z`RW1Ps-z@4%SE~&ja^83O9YR*!%un!bN#rWR$%xJwi^AC!*`ALz7hwim8q36>Ao{a zx}eQCs;KL1Klnu8HGaag;xQ-iVSJRAlHO?Sk5t^9_j2slc_7~hP)MPoRpyedl`6>9 z@#tf;cM5H%gjt3D>Ob5yOw-~I)pF!ysHFL zP7||b3GJy0!^yzdC>C?G|LOB{`gfvVE$XetxeqzT#5P}V;T7z3z6Gkw@El}X;3_JMh~RefJo#HzIN#pxz}IEV5)RZ3QndQUE>`5$AG zw@XR-DaN;40|#_>37D0Xv?18(?`-i9o*JY0wns^1dP#RQ6D+DCUy~e16a6z)`%zVJ zi?D$6in5tc>2(~|{qdupD>J5k$VNkRL{6vOM>s@gG0V$Wo1IoX+C-KngE!cV17^AL zHlo$5)4Bbwq}Sl6rlyvKuQ&JRKhr!YV@?YB@k!?1@h_^7)Ym_9pMDJK4fzz}_BRpp z*V3K5><9v)m&YILW)#Ll;CK7AveFzgrf@9?0R6WoTvC1m9OP6l6{> zV9cn&=IYv&!N4|UL%@)k2=>k+ya6&l< zbe{=G_5Di;NEG|~8<4pA&&x6(lTAa59P}}_5WpjE6#ug-CcUhl?6>w0nYnfCleUdVW8M_xwC5Tje**fcFdP@n^nf$QMQrq%g)}z-+3mVK06L0 z2PIE+*9j5apd-cA>p3P)IYy=ob>sAG^!^uh{6Aln|DzTS?rr#+EO}w0pu!#Vfds_w zys_Es7b)Azg8 z{hjB1W`8gciyw^=nj)GnY%WbiFGlARYqDrutZ17nq5ENzVD8hs$CZDXpg_q=zLh)z zU8`1}ZJOD;m^;+(gBBThKxr5tVCSr-3VQDDzY%zn|r1MA}Jd`A4dbheWI&wbXvK%yoD|HP&C_%Jsu5dCc z-_e62dBQLt}c5Z!UAacZb^2I0rc)hfk40%)&D}p0mdxVS_;J#TOmCJ+<W!~AIW8bf?q#Y2h%MPYkUrZm8Mv;91B#;bW9-x$)qeo`C3Kt^}}DvJolh4c4e0sV4SoFCHRpSp6OVXyM-pt!>oqBUd zMqgjfx+=W{&Oh&Ouc|BfsU*IUsp|EE8?%}J*1FDH9y#rK<+Rk7YgW0hHhvFWij7=g z$**SW$bQ`$f2ThAsxw2#@l{kUwg}}l8kU$evO4Q-2{5-ayjpen<&E>-W}p=M5B4m{ zjQYx<-G?FytO~N$TC}q<=$TaCj>D)m)=H~iU^u`!Y1zuZIsKkjf6cgEcgf_d>`{gd zEmm{S#Vp~v2Gmn(kUv|qYtPlJa0`BhD?Y2Q>UHg@&ex8pc3ySOch<7XX{#fA3?5iEp>k{8_Wsm1!}onEdQY$wcwY=`(Lnech@Sn!Q4!tFtrh zYA}OCt&fk{=QD!;xje4UdQmq&d|K-2t3|uC7<4)}uMNAY7yY*ES6t}%tx6tOqh{W& zXlrNhm$i@lYQYe|?%qFFMoQ|$CZ8qW=7p?nZk6}&xm>d8=A2n&$Fvw~R3@KY`SRt< zO*-ObtJ2;wu8fku+pYri)Q1ljtlRsiF6CasbfEo8-t_i<8EH8wuY0@ai>|a)4$V%Q z*m_kZa__G9a}T>~1DDrN+q(U}rICq6#I(0N7ymCVUwQT3gjHLOzK7+fb)VX-<2lLs zy^QYZO|LF8Bv@u{KmF0U{qr7;(`DcHU7eH#3Q~{s{h?c}Bf6E&UwYEJozHZ3a40_q z!|B6ETs{N2U%#$BwMpglrgt85Z{H5Hee5-HUY1XYEwlHs%P&j*M^8y3IzC(X06 zHMF?#e`D$Nl$qbv88++)+gxfB()mL{W zfXcy3Cr_qrTqPm(CVp>K>BMx`zz{1PhLAOvUv9bewrsbpsj01{<<+dM?QHC){AQk! zTk*!uJ9IfHI2X2Vy#@4^ar*gf=eC{Nbh&PO5@Uj@*JYFQn{`fyt&IwO68YVArI_uD z^}*F=7De%%jaid*Z@I|s?9$LckxD!9mG7fhn|U!zTlqb6hx3(o@?b?~TSr?yPeR2ob zs?k1sC?xhvnU-Q`cHYH=zxLai4{(*N%l>`aJIrs@I*#JRSvOuWBs8{KyYD`&u;dlj zrM*{AhB3@Io@c1Aa+lLhDaM8$HHCuIY!cBZgOgPL{S^=UwP|06St)Rr1p|YptDnm{ Hr-UW|pMNKe literal 0 HcmV?d00001 diff --git a/webgoat-lessons/password-reset/src/main/resources/images/slack1.png b/webgoat-lessons/password-reset/src/main/resources/images/slack1.png new file mode 100644 index 0000000000000000000000000000000000000000..34114af252786bce5fc55117f5e103d811bc014e GIT binary patch literal 24736 zcmeFYbx>SU_bu27AtY#U3y?Gcf(LgrlxA-kEwbM)VX#0-s0>d`|Q2e+Cg9C#4%7wPyqk{hNJ{Y5dc6c2LPUpzj}_i zqv=_Gh-h9KNQ;92Pk(>@K=NV`cV62`XgC4@Xt;m>o&l0lh!8hXoFrvMQPz-&(J)>D zS*oT0fOh~%&=+O5`GX}dC(>;%n!EJ3u69WStLCT&bNI7YfNPrG!tj3RTF%*4)k3CiAf!F-E!eZci(ufEHg{99kct9v}7AZ(D6xSOI#1Zd-|7 zRaI3l5ZwiwC|nXr{k;IZ>inP0|JOtC<1_l-LH^%1Ckp4>h$%Q3i#5BISsIn;Mw0n+ z-Zb;@5gqXE4N_~?`zbAr)5hjyRdl7+c`MGMC5?l#vmQ4rHRZthwyR4Pe|?7HA&VNm zRJkLw0`N9Z6LJm`;DrHTRzSv4Ov!|uijk%#YgN#oIOPfCB~k+m8hySn(IKOx`F#qL&1fjH8Q;R0K+g?ql zcut6{JP3BUd$`+ts%d(B^4nJsP>!bmn+Om;(Yc&gq@=fhh>Dj%R8FaLU}O6TjvIC@ zy|s?G;p6xnen$wrdw}v^oqc2J?tbP%7K*U2KlTPKuQYh#!%xEKCu0@uB+t963$tT_Rx{c%6u!@u9bUA?9j$N;+Y^oc9J*o=QByG%#xWE@ z!q)E}oLg*uG7;w~?n z8?v%kWdu~z0@cjR?+mW%{FjTJSQ*Gk&N-6OfF`luV90iLq}4lw+*y{?Nm!i~RE z*?XV|5!H$)?D{2J_skmmIK39$8}pj5kVr74OCl_03uQBFF%~M1ZSU;g-;WN5uu1oKGk?wIM~Z^u34rg=f9quUTmG*gbau z9ss67q#uKz1E+b3Ud-0QOl%%D@=uemS*Sy)LEnKnW`(86)GWxVO;rhe1o^LCK=xt5 zg9&(sV^R8FqLqRRhY~tJF<4gdahG;dyt+|?iNKkaQPSxwp-t>wG0rz6dJu(8?HbvF zlSKc0d*dVg&?%koCHKXyQ}9oJwcP&N5+nC=ymZC%D*ye)VE=%&149EBszNAFP z-PX0@%^t|nY+v0EJbHtzd)()@7Ctdz1q9$YXv*a%78ImNt8`t#9O_JkI%A!K%2xd6 z{`#|Wk57YV18JdM%+;4ctI4)5SX~or1Dr`?(Pf4d)(S#p|p>hi2B zF#3Cwb?U~s!GHtW1lDJOL?^GgHOo*xDj+33A)9x4@;lqIn^P+V#lWal3-G2V{3S#jLtn8~vARMf15 z?hY`XCZfRF6n7VSUa00R#giI)$g6l3aHJ%Iz|au8eXwwt2(970`#fjuGr*g`XW!%% zjla*u_5kx_$(j_2-QP28r>0*tkzs%hcw8?(brxZO*KXw`I49Zzvu!v1T%b>%uauO6 zI_bdNeUyd+%k{Kj;U%7iI6A?m+xpYE8{o6@_m|UC&=i*C6!GK$-FzF=ZR|o5>Mq~- z=_ve=wt016(py2j1;M1A!71XyHrOZOFmYTSW7?IQVj=BZ+?l;SUBa_8_o7bbDNb>k zx|}>~X;Q0j;LALm9|A9xr~%*lj1Gn?IrK}Iz^OH#w$7Y-)XA8{qr#|kl4D~UL^9@k zr%I(-oXr>6r+i9;QmX}l35ol#K+6n#;j#{xH9Llhg%=E%q%UwSTIymJl#MapV zGk=;7EYA<&YF4~q=}O2K+SRN5n()3myV&7VT4m04LAMr(9{2*ku*=>iFN|t@N?8#P zj4$JMs~o_#xJRpf&W7Wmr*}v@-K}Wxr@`5eeNY|C4U#f399f$4f#tm=mZ812SMhmn zq~kYwy|~l57qXZfTuc2L4d9B#M_<_ zf5z>fuEzd7QVaS@CK|=#OFfGNqLEMosch!yo!7(Le7C=P9}fg5tdD%wvmI&C1vFH| z#Vi;+i+t3_L*#4JW^1p6fixq0x?r}dDE71jOk_vOytlZj+6>cpS<$Q8jx-5U>p{hz z2HcPy+L;|oFTEDgcgCMzTRt#hmwCNpN zJmDNzwQ7X)_uy!XVj+gkI|;T}nT?U>UuXsfGFp4(4a^ZL5rNAp3nv>GD(5h#n#ToC z{klf^!EgML1-QA$Ia8ynpzXDHaw?3lur3Wv$Bb%fwkGQ06(Try3UC=V)uzms$9xkf`GYx#^9O*l% zoAYO`H5t-L3wFYq@;I-LV{!bGdFkLdd})Ns6}~Y> zrinTQw#hzaO&qb89U^O$JRd^$6R(nToP|O=wU*`%O$A0^R#?Sf!-Pv)_S+$&Xwm|z z5l~WHP}dhd7orqNhNf~GMIsIN zKzo$OdvMxBr~1*B6fkO7%6YM(tKOr`=VPi89&B!Fd?Qo~D&f(iz zjwRbVW-Xmn-498QPTh{VH3o6a8;qrjGqoem99gpBi`v~j%P>@Bfu%)f4?lJ*A@7o= zQf|Y&nm6Gl;u_-l-!GvUR=%c4;e#U5r>DCmF8_@D8{gR&caL~YuRlf*KY2|PJ}f1f zGCN}~>Fho)f8KK29wSQ1^Yi@k@K#~wPylwkan%Hv95Rm6w@z0n3$?@CUat~q1a2+z z$>965wdlLXPrj%R5 zc8~#1Y927*Ec`B6xKc4>R~r91Qc`bcdoyO|t{j zj`s09lZb2|Zb5ZseoRb~&0cPr?&E^Dsi=;Y9sf{qTZMWYu7TZPGG>V9HXr!HkxC4JarDGIh`(gxi*P`hK>i-JV&ssX$^`l z+0IGH>_-s|mk>K+{z=b1j@JAD;h-p2WDQbJRUQ z5RejPSGPpbS6a29m5ecS^{8nsPNhhqxw`xDL9Fi^K0Awu7@Lb}&Rw8w<5tv#njVAL za4PVmNzSjwM*R{Jq5{0W5Mo#42y#&}EMIAazuxP+rO(+=ze08{{b6fk+cZ$$0DXflKo!I@&_p|SUUN`{RPt~JH{Q96 zFFQ75h-XCXaVx|gXZ*Xzqq;vK7cZ@z#l9$nj$dtYtyNsxrfG3tkQUrnhUuLk`#>Ak zRh4CI`T1slksUkvVHU?>57CQ48n2?*? z8ag^+TX|}9caDY9=O`KgEnkhbofC(ANEjfnto^jFS8GDsEBlq&dacy7`%Jnge(2kG z09kO6&!%P%{S2>e!}MkM;SQhd(a)6Yc+7NLa@|$TA6j~cKQC{ZYyTQxjWB?U=>5x^ zS2?iH+pcA|T-TbE9By#sp8U$L-ftE6TCkAm&JF>jUt>*0M?)#WbwbX;%UaD-?OS@> z;6NmDYQe?}ps0jQ8Z8r$5_?45zV-(e14DsACyMq5#z7GdTzmV*MLh`%1Aa@J!X-k6 zVJWDLTt4erKA6Rj0j)Bb$f!Ef_?~TxKtubI%(S~um!L|l+4T37G=-h*hIUyWtCig4 z!4!;$XWKnez&d#W0PsLTWI^A&3fd;74jar9D#%v`ER)ON_QxweVcji^)Noc}kG`0m zWz^J`yQ@0!-?mqJUVxIv`J1OA9A`= z=^y4=?eDmy#axzF__2E$vth&P!=uBOOaYa2IU~1?s<7K zl@$X`mdoeJdcBmi-<`*kn=1rTv7IM7uc9^|fDcBzK_UJ#&CYX1)k0Bh(96$}b+)?8}fPX#x zr>eAq7#(lrvQ9u)jo8BAV#w%$+Rf6M0D}N3yo^@(a_P z4A9{yWzh~E&i6MY(8D}jF1p*Nol{TvS57Ij8fO4*VFiPKw?`6`DBnH9)l553*OtGIJ-jIgvr5)F;h6er zQD|^{tY!8gFJn36;;K_IA@W%{>9;u!fI6wxAdiHMDO~Q@n%kN)weXC)m|-^wNF(<0 z-WF|_BY+g6qN+xII>=0l$SuQjhf(mW#;PM*$wl2A9-WJe$I@e9Z;j#7gHedJi1P=pJ~#x@$L$ZpTLE)xhMwbmY*K;zBB&TbN@csaPpU zC|f_ixV~57s!=#y;v-AYbl}8gDc>()_}PiOB-cT2EGPkc&!?<~Xq)&SM79)6 zPp9)ZvpM)8W9iV=tI@~Lnz$&g8viWbzU*8|wS9C#_@=SETh^ZVx@u@sG}&iWD#h4a zT<`b{l=A(4GX->T{%LH?_&DJ71%Hw5waIyntB+`bk4}GsYk3;My1D(Ozt%0GZLNE) zO94=8{-RmlP5)M4US_i;*2CA}Sr4C*@YxrpAysAP2HLwWPJ3!TtE(C(@+PnFsy7N5 z+uGM5QcD9rYY)hJUGZ;^NG_`uGzMy&5=v^{BdKlG!S+T9nhSD_txu1AxfWhNAWg}o zm;uP?WD)^CF1hKoEHO9iYZkoq2Kee0`c)fOhSx4At~a3ZM2_z!Z!NqkjM132qXyDF z#z?WFeqEOkh@*aop{nVzkPAVljs4=+8kf@uy{;b0-Wa{z)Fa(Nw-%wRL@srna@g0q zFx%8xK7wfW3G8^xm2lht97h6|GBIp@v-fXwhpMj5N(>Z>?=O39YmT<)keOIo_eynM z4jEf=^~fwYH;$Lw1O9G37yN;YTrQjG1~qw&&?(1E!xIRp3KQw}d2zK)MqMfMonF&k zIL~ySMd*@aCgsC$m!IV#=VLoQnWjE6N`O$g`x{1v*9-%p=xVBs%b!bgxSc4^!uXS9 zi;IePhpuhwP=Xm2F3jys-92GvERY0o zq{G$gCeoQQ@(RqBJImGHg%NAlfH^7BO1SVT)Tye$=u*aNQb& z!M_nhl^f&oS2dpoG;kT;)~sf*eV5^#qA?JO>g`P^HY?1kEB#iKTvoQ?CQ~dSI#ADoL5Y)6) ziBh_mdL1D{ac_2QT3Q%SXq!`Pe90f;jq*21`JOC84?^DqM2P+S9!<@aO*4QTy5R#OrFSs6RelgWBt+mtRSoIg?t;Y_wO?9;?#AulX`^L@BrwyQ*0W(X z#1SjrFU`YRrf)ZK|9Uxyw5Ng62EH~cCUng2&2)CGvu|5_PSffvAAxnd@v>a@lkszx zp3#}vI3?LS;~4dTg@FZPrKp@S_|=$1c5TspXq{aun4Z?YeAguTlL!cuWW#j8=~7X9 zD>rX+K(6OEB9+9@X;ag^-ab`VhJ1LQXR<5itdnjF zF8nGTm!{hF&LZU&&!xoF%UD}nQ7SaFU{ijcfIb#oJTLGg8N{(Hh_Cu$pM@OTG*E#2 zM3Zw2ta{9|U6d@27o*;kd_7Anz%hO5G^kj<8lEbSl~UGVx2|lYJz0V|yk50KOG_)N zXB#=b^b0JFHgjxvOJTNT6RGAiox`=?Za=rSqMeqxIBiocnar$tAf>~dLXvpk`K<^)?V6oa_4Qo#_-&Xa{B}52{&*>c|2oC=xF3ppwD{U?X=0s; zr{S5^FO454yLv#M6+zF@M^a`l=JhrTboiIP)n7+2w=GCeI+OMHBKZV53}Nn2Jrd~yu&OwH=?Qu0kQ^uCD#?xbHQjzz(Lw;>Jdn{C7LhdLY}9vo>A zdYZks&lB_-ecTmtvt`YS!i6<)HB8oCy0Y@|@!hMHy})Y3@;P!a7`lF%I8J#C`}glS zub4HAiQ!U+&WP{B?%TRi&pNL6{yw=kc>*<}*g`o@KiQ05k6?2@zjWB(; z%+u1nzz$~lm~wwo21dM%qSsJ&kx9{__C$NVswc#EH4%1|Q{yhTkr>^9vXtX^czIh`2=Afez{Z zZ$9Ve+V^uyP7X-3tS=1Qb`)9kg9BHedmgzOi+cKn1deC^DXzk@T$u|_adhIPHUlB+ zE{lp0Oz&3W=6slY2Xt@?DFG=(ZB3M6NLw5gSM$48Vt3KVxf8J-w~)pYl1HQ5$50=Z z<)7l)sC_vr8K+a{bk*NkGt{NW?hBfvJD&Zm=r>=*B4LE5dR3yM9<-?kHr^tL9E zo8sQHs;I!0kv3r%)8%rOT#vu1YSOt~grq^CL-DtL_?jC2ffs!or4qe|kOdmok?&Wf z7%uIpyw6I{9UDUs>qyI=r}Jc#HdqX#>M?e9DR_7V^pD;$lA@}#WoV7cECjLRTHjeY zb%A$szZkujHXopO-n-ScZ@yl1V>WdD?uDO$i|=i^`qHKHeQhu=EO||Wm-W-MUBjfX zn8CYf>TVsK4r{%?Bk?jx$B1%VMum-Vxq=s)Gzhf*nl@Fj+D{{ddTjBfC85iqX;84# zPp0V2(*&bfcSe79*4(I~?(OPXq?Vt(Up?K{tn682LnvRzsQb*dKdk;66Ej-BK-A!r zT1J-xMwhg%yum|((fGzMX(dY+9$LHaui`PqzGK)0F|>TPGW|d#<^by{6&RY7C1kt zo(h?jQ_!HAb`I3KzObyY_jPCb3bT+2hfH~v%H!BH6VpStV54$p+q@c%)zHV%QK8r~ z^*cY}N;Q+kH22dqEvz37%;3Nei0oBU3`=1cxL z#svCk_I}@ z^ItLq^2mCh&Gorid2@01Y1bJS7Qk-*07K(FBl5{*R_< zo+{=$HMPr~?IJOTt615C3#7f#+1Q87OtqU(TwtX-11Ot5SPEoR>_{8yS5{#6Mz(9+ z+#q5K%*UnnCZy=MVPLe#FI;I-IcW&v(skWMRCbm?hx9e;C+c&Lj6X`)YG*x{_v@(~ z^6F~`-xq_VF1nkD?-S$}%?_kY9yQZm)v>1tE>u~p^g_=!l2uiA4HvxsU|eq>dK~ke z>Q-*dc(_{q-Ep3Lt8(dp^BbNeOB${pD&P8F96T4zuq3;-Ot$UO@|l@&oK&)^BHH`y z##Ms5&pYPKQQlWJYPET&wyCsj^ZHQl?6MKU#3$Vt9i4rF&Vn-dxp&{#Tyw|Di>FZM z*yY}BcsQC4jZ!$N*thCZdzmjW!j{~_Ruj8a+221HT|-g3B&x0`SoO(SMQMK*`XR{( zL-`(!ODi(7wFC8m1 zSgEFu7!~6(YZ_S)9Z5w`+C}-oGMFL9bQrliIm?w#STFGQ)_}gC@}oqjTC9wJ58-kK z_I?XFwhWFF)5&mO=Fn9u21a`6bWiR5=j5G{g{x)P6^PMwB)|Ky+z}6SIqvvxBrtfq z?G%x^h>$_(b5-3kFNVJ*J!rwlrh4xVPI#VN^#QN2r0fLGdeuW#Yj@7~i(Yn}?bk@0 z(+@1joO$$LbyQXKj#9OJY9gToaNL$WW`@A1auY@0rQO#x{O4BqrUO1Sj?mWn?Iz98 z+9Pa9xg;00KN<0Qd;+s?yEt*;kZ3IVTrAH7jCnqvz&&b9WVFn3 zI-dRB z7F|4TVEaelAvB$g2cMXb!0>ykDWMpiqoshINLFppbp_%`Fu6Owf?QksF!Q8(JT5m? zc?{>dZbIke(g5cVJWE=Cm*+upYN{wcfV_Ek_V)8cU>lTuT&E?Z6d05$G|z6pYtbQM z8hrY`q$e=-+IikXf&Rymj{}lA?$#S5emtpcn$j2!bsc{_A`ebX>C~mnyww-up8#?; zBiOLN;0T5Je=h!CMM)z3dla4neu$3*2u=Asl(8dXb~I=&e2w`) z%Wz;0OSa=?CjHTq;yeV}>uCiW=Gfiditw=-#u@S+JcAZ5WrroDKHiS_$bqWv$?sep$VVMx4~|2P9H-cP8ex0F2yDBtC?dAaHU+#Z-*31w$s!?e3iy#$M`o;| zN#N4)#f=4toPb929=~s2ucLG7da#L!kY_c=l}ntpdHOF%9q?zYqG_)|4bLJxc<+ub z!Wwd2qiRWG^R{eHx~iwiZy<-5InWt;X(JOm-hh$Wz-YJ~!5KEY-(ue+Msd(QMghiO zGMatt@-!B4)Y&D$(DbgCJ+$cQ=iuX$zQ0-xW&`{{!9eJau82e$6?A53l94f&2`j5| z=_0yxZSkVXI?9mIf&wRJyXLp}%wsA%Jn;qT%`4wDO_4;Psli$Zs>|x-lZ%QAyAy-` zDEo-JRa83`f&$f1>fU5bRnX@p*$hxuVAg@_*m8l=S&xTVQ4-c_*TlA~TUyDMn$4O% zje49VM~3)Qa`DOwR(l9~rxR@77ucI7lRi%e6NhWz&lDXgW+smf~gUVP|4$aRaPAUkmbf zo$_X9X5GK#(|=pgwggN1m0b?xa-8ga4Y2jbrJPc_&Kdqdx(DA9Ei*P(`mTK{0E20I znH|ke2un{WX10rV}h*DCthlm{=>z<-n;QsrtJ8BNBpND}m4nR~*HiLvBzBv2#Sf z%qd%ftJDuwfl895CVC=?qk%+493GhLh80H8S(7?eP;Q~kjb@$o;#7P;G5~;uk}HGY z>*L4c)%GUOA!}~O4X3)@duMla!ZdUb!@@wIs7jC-_58)$PH@?@?62O+3QD^FBpQ}y z2md|MXs)5>R#w?3cGo!YK4SH_%I;~4=ER1~ab`zlon`x^cKsrRfg3LAY`xX?!P1gt zs!RaD=XWoEc;fw^M(a2t1i%Re`^%iKV^TaLdvuEj`iu*(`8aM7oh2n_XRp=iypD4$ z7MGUVro+&gO0ZxK2T4ed7vP_$kaR6R3~kcU_fFN&;h<#8(JR_+eMtS51Ny(l)eEH$ zW>s22PSy^JG)$(GN`C`yI){1Asd;>@gkUFsr7PSeohi}AOdLyB?qJmGuLQbKZRiCV37)2HdEQ^*+bvpXDsoqU)z9ht-3nx$~C#zBi{>%IB;$_d8#F z+>$;hESIj@XXq7bDqpQk;5WS$p|=UtMEa{Px-%bBX=efTWwZt5yx?cNtaXBoELu4* zJosjtWE*Qlvu8ebb#VgeN`<eb}F{Z2N$nkKxw6zw7P>ep6HzS~&q3sb)JuCADx7)q2 zv@iMw?qDz7WJWdF)9y2p@ku%HH9y`m)iW<*d4?yLGfMdB+_Qsc2x6ez5)V18q+W%v z1*Y|squlBm$f0=V#*pE-j1*cP8Iah;35DrIbz-y2EQHAV8hsW34A zqf^PcxApm<+y3#Ld$@bBHGxR#o8w$(109;i($bc~qs9`Q4D5{DvxP7brN-#cJT_+Y z{rv+6E@vM|+5#g|_kvz2{$bW!`lFQ#%rHXWim0Uu_IjYGu|ZtbhbaAT&IYgo>{~y& zmz}$tLf`$qf8pX&K{Gn9M`{#MNM9;HXsy_*hxYUuHbF?xDWT3*(0X+7TQlu@ZLn6T zM(ubN(ytZ?TiBm>2;qVOs+FADpT^?CmPJb~dRfi?L$FrQIDc4zls;AXY$(lbsQs~sqVbTK za0us6%jJH{D?&g_=>BB8>i+7z#xuadB&_>}8WZ3WfjF%CmhY9+6t6p*%ppIDJW87Se*G9RFn2$#Ex?HH z^L*}Tlo6~MdA1&WQ%~@!VI)5O>?5*Od&}IMhVrx8BXOa-v7x#a_%VD5x+yIsc-!X_ z@e=@O{dH02b6*D|#${LW*h^*Hf%!8uJbbiJ zhvkfzqJX1yil>_hpEKOaXNZ9K?+pDvY!FoP-_QTh)bk(@ij_ng_Be{sHh~{%|74| zzSR8~5y9@NE2uHJ#^&{+5n(2xqx_%zGe0(6*ZcF&IyK6U_UevLI%MQdrt!ScHmf3> zKj>QitP+#7(=a*CF|Xh=e*kwE2=HBlEF-$QlJ%T$s?Fw)tXxvlWxYl5rBm`BmQq~E zFWX7eyj3es+ecC)TXNT(zTs}^3Ukk54~Pe1sfi z(c~MG17JKFu?;n>1jK=$Zd`NGiJ+Q!9bG*Y9c#Os+t=OMpJqMiffBUN{tU>ReA^hx z(*d5t?O|kUVcHf!7Di+VciyMC5o4$d?Gr1DdS?~};Ahh1$ZKUn@bf3$=z z=E{l51!(p-cQ3v5-p*#*mh>v#3_&>S+?q-u@6|Wfm3Y#*n^=vu{_AVMSw#-KX?oN+ z_?5cmR3F$@bhFEZSkof$Wof!Cn75?pEa)DGyB@WyY7Y#FEr9OyIM_I}qEjY;h<>My ze>Rr&GmW#vnDU6yTFsA4NLcXpyRs_wC|>M1vyF4&IJtk6@;%;%pgH88P-(;rPd% zx!Y?wibeHMp1EZ|nK{mo((p*P^rRB-^7S}7Ogi!FCB^t-P+^B*qDhKQp&Mv4b?h@^ z-RW>v;?1PIzIxLCFivQB@dB+NlKGr9>t{h1u)SI+5}~UgdOH);DACmx#Fg!IxU1AP^g^hQgfhd~O%qkc6}h-MjLinC{G&7Q)Y@Lye<(BNVy= zDk>?8LrpLA(U=UHMZym=wQxgJQS1a0?L)?hWkYoGNawEa3J=i6Z1Zz2<>o(hdmqeg zDLwm(6Va?i!L_h8xQM0UJ*lBB9L3nA+!K);?`IPNwas_yDNU(rPTiC%x^&S9a5QdE zp&U2_lt0PQE0uR%+l9VM%H?Jv_8lJ-C^*&s4)@udy)lBYS$@_Irf~w&oxEI(ABr=G zVjb1y%9)oE9_o2SpjJt5$=ujH)v|~y)}4~qAFsx{zQ{V)UpBxu&{^)iWC_#I+)_A` z(qauEGkoomse#2PZe;^qYK`&z>`t{uirSQ!&(;3a<}Ut)$Pl8dH)+(qrRRQmG5zJOO9Z}kwF+AGlB%JF-QZK8z}W3%!Sdh3yNqw* z&00u^I;D%?D0`+ORfr=U_wvwhaT-wKPjaA^d8_Q2&UlX@Yn+4heG-8fRZMRStW<{9 zLHlb_5$hJSOeZKTP+f4R#;O#LxFn7Bh7g5Uqzlc1cjNN*_B>9OlEgf!G{b*<@79Q$ zXB;>Ey+J)fD>OL>E-Mf8sJsjlemoBwBR06r4QC^!oZhp$uc=268?Y%?n-_#t_4{AV z-}MTqeYa7b=;oUbkZKy(hNUomr68d?+^HIJUhcZy-+X+lq~SLE(ASBE!wxbDKw!7ypy8Ym zZTu{KnK7c&L3_^!u7M>2`he9%aD2c(qXYtB3Z=7UC2o3=`v;DXgSIYz7G#j?`v#JR)%$&!Lkv2hwj3nUS;AL3o5PYVtdefj}v=c7wBQ1mdob!}Akf`OcP# z6;Vi5&=!*!Ne%4Y-$p>T!J&g&>gLYqq(UnBZ$09EuvOm$`V&k9Sx5T}K zS;Hd(sDM&fX!}g5Ca&`cpn;>rrewsbKxJ^upW53`&AJ@na?1n$!q5(4Qc}3sQLM9f z%2s|DG90p??4l$DyG3`Va=rw9;U%``HBU%ikk6~TdQLWfqZ60MAxcv@Zyhq%E3p_( z2MQmpY74E9rR1T;u1FgnEXZms#bsfr`ouP~yG@qrkhEd{r6f6-P(Ls$Q*z_vR4#<= zs{saVtW#m^)eR#ERQLuQgs3-hbD79dSBvTxR#c=>QosY!U@M#|5V8T2c30I41^0nM zI)Ne7*gV<+tm6h2-k)ar8dL@UbZu5leoS-JwdZ4tRFLAhQre|ud zXzNFW7|&T+UB>b*8}z3WtKGODcP_!ykcr0;7!vQd=V2VriHSHCoE-QGErR$`4G zE&9n26%~le8|7t#{JL~-U^!?{m_h$Wnh|uT&Myhtprfy`&cNHREI&7#yK7fOuRSxR zzuRk9a=6}Qb6RZ(4wdf7WCN+{O$3F0$}hS@$HwlMw<@afufgs^pbXocPKJs&zsC~Z z$!6oJOgJqq=1%$7O%|$H7yswnv?dV4DCzN7m)`d*DTyp<_*pAZDA_4*8XY-doN-#pfx!JjBb2DtXK+1fHkJwo3E*$`Oi zmJHh&h0f#1_B6piEyp!f#MyeUC;4=R_7yAi;)nCnUbt%eu(gy|5*yYmkZ}fdNziaX z`{(1eYHZXNm5u+!gWrnOlecSy`2U+0pyr2}KfAR zqeb>>=DG_Ho0)BnNYje>*@Ima^o}=)2-czcjn|~v$S58*OKr{%4gr@c8uRF^W;*(6 z2k+&1is=iGHmj$uxswcK<(cm-{S^awdO%RPg|O#O{;r_AA3-$*rFlH+Ty%Ol&z*?zE%5=_mF4V&dg{6MSmogkGJ7>!Q+)K zVv4mTVNFI*@eca?|+m_=~a=W_Q1(Xy`DOxwx--V z9*Pr^XOSWol7V0~-HyV=?nO#!cOZgD|KFafB=p9t9%O zY1=L~EuT_kh`~{!#vX&O<&c&TBMO=q){?T0NReds%kuX(Qt)JPa&Ty~EONe@4KfdZ zmYZ4h)V=)G5Vu}zth1`-V)oT}y`;aVn+}nOdAw3h{IO)CKUA4G+Zx#D2f5j<%1b;( z){?_ArIJDm^7DIdz^htJ?>~4! z%MK4imKX1@HS1ZKr9n!H2K?~}z{+@&W&5mA+!I!i`4^%HNfJgm=H)9z24sE~pbR#) z2BB*5J76@j0ws`TqzpOcam{?O#TRI?NM8*Mj;|yb^iL%ndSSMNK>JK!5!-Tiz%1iFrIDa)B`uFjk%E| zHeL-LJ?owo4=y^@U=0HKNalB$L1uakvYqiSDs6t4(qA?Z19|3YdaKzXZuB|ou_Sx) z8#2RFxT$JDRP3m%Oo!cRij55cRp59`U6Lg{X2hd&Xz0l`_GxH6V}em&tay!gz;bK) zB23RRWHZ-^!zG7JPy`g3ceNqhn9dhly2o>vE~o9mW@1zC5y?CK{myL#t;YJakFlCA z9U950iim_}`2?@TeJ;fFpIeRfro%Nf=4@^CQ3i#4?jiMO@6CN4g_N&wDeikZ)3xvR zo^D5SpspLZAP~WJl%DLP5GCv>==K`s{UlH0eNo?a#wPL<6)pEL*SgP0$hQo=pMl}a zwp3og1m&_LAnK3ldXG?`;e3zJp_)5jy3@R>(Ma#Gksv$V)3I zgF{wu)2mCas2U4HnDsG4U=qImPlReu6%&^F3`^ZtKCfuw;M^$}RJ!exXPj z-b3fmf(oIheG0Dx#{;aP^aqK1kK3lF!>4e%r;NpG%k$&2^)7L%@zEVvG8-(yTl%Ze zRZxT$x{@07Nv#6{)^&4!pa=?N{9bWibRLsNVd`@MgWcDjtp=FiQoNOS6TE$mHg=KC zz3AL>Y6-hNWqw?f_cn;`y5zfT(Hp4pkg(-nx+{Us_*^{IxjxyeOuJI_2+cTSqTsxG zOD9yxUyY+3oS%TF`k67j==VH3=V97T{G|79OZui6tfrzRWi5RzQF?r^b$rb`wKa&c zjATkuaOt1;Z@`~l-oAK_=~j9lah^=kuJEF7=De)~CB;!^=GI%No#*&m0JiU;;-jt2 zWxgB+-jUB!IjSLXzIx@%Uky>#0=J0Em(>Q9yi<*={cB%}*8PeUsxUN%f)>#Gw5k{L{LdZoM1U z6@)#fN?f2OJNB+|a9{r<MX?Jzdd;qN$RkVi@wma(Bxe{;axw@lXT&eXPc_44oe^7f+f%W$Pr-lQ z(UJE}GGg-CE2CMf`1_V7?czRS>7Tf$QhhJ?5Y9T^J)E@4V$cYoTOJ+8fAl6|g_9of zYLtCb!Zt_!C|1R=>_^nTZ%s3o5iQJoA7GNWyVY1{TYhl-Nzz43+{EBj{S)<$ zt5@%c41&b)Iy!s(+B_Fy6{eHYklCpa7Ui!9#fEQsS zEq(=eNhs;GsLb0Pp}p>2FpEq8Q&P?y8n>Xid?o5aF%wOFu=MSjt_^b<4lwoWpS2_P z@HdV8gTDV}+kb;oYM$ZGKA(F0TQl&7g#NSf_;vblBGG%DhKA#fv$OMs&=94!_oKhE zDcL;r+LQis+Q7hIet!PfnR6EO$o>86#*vZ5v^1~3J5SaK%&(Ug(_ZS}Z~~dK&JGS% z7TAdv(9qC--aGNF%gf`FaJf&i*m9 z&A9h}#Q{|3{QKVeXJfb6A^o%TiAdd^$YGrU0{En%A=%;7sJc+KO_-{(<@4(7nfr2c z;u<5e@V7Fc(HAGvXdZF$y3nbUk~ZH*Pv0fYSB2b4JPW3ZL@soZcCvXHXlcU7y7vqK zfh*V7si6?w)94Dnm5}Ek z4JI0zW|5Hl(L12LWyeS=!!@A$A4SGLZKWn#|I09%+ZfS5OVeh59hOjY*S39MN)h~K zYxF$N20~?;HcU6D=C*b2V$q@^!bU=|@R`{uY@c;&Wd~<@`#pTMv_Jl_>QQhoprytO znaWv8yonHl3xUZ$P>k7J@Iq6{#==Hf4mZIL=OkUnC0SZ7R3g+biUG|~7|4LN;cfUv za{%|<8Qd69KV?ZT?l&`2glwl|pKB`#9tYQ3F_+V+k*I^(r3+bE{26#$h$|y0v&!>m z{Ph6lc$Z>+3t0G3Xykq324@^Q0i0&kjElD1Ud7!Wh$h`+Doc&J(%Mv2z!P9t;Hc{1 zYW~d1@R`-Z{!#&&XJD4n-5U%s35ZSh`%B4XRQ*#{Xo;NA_8a3HNa+qe=*>Fvs`)6H zr8L4&B^dciLqF^uJ#~7{WqcPDS?@o}NXR1x5{BZWJ0-=N0(agiP*HNOeH;dDuF|c$od5l(DAxYNX>niCYzL7bC zqbk%RS0h)!KI&^R$mlp#C zjQbZ07a;|h!(jg764^b>r}m}CS_d=7Fr^`x?|;f1v|!7jWr-{URr8ZaC_r*6B6r$3 za((Q#vt$b*E;2m@7U=Bh@!*iWjE|i3NyQy7$w^1+(c`Zj>PEq#x=b4Cj^cpbw}enR3lq>_NH|w0lkU%xODdYO)XP-% zEEJ>D7q%(Z;&qaetFPgeFQlU`Ta_ht;<;CzUBRZo1QR)Qu^&gLDjjt7_7ru5U-+=r zIb~CEk77S0$mwwqRZpy2Bf?mLA#Iuvkr^0I3H@e3G@hO~;Yt*CV0O z(MgJi7O6Xx z#krTVm2FI(pr6(Nv@U<0+P36k{PldFAZc^l6ps=)ok8D3uaZ-5>+Ge9xo;qhct#_@ ztOm7=3X^p#Ksj3yM@A;dc8qhN`PZOu zI-B>}(-93yk;Aa?nBMBGPr|wScuvvbz2>TZwjHfLX+&PIcnzoY;!pApvtXk^S5;)^ zd*futHt9Uh%%kjzwE9ibA)vA6h6A6@cGL+QdlL7$Q^KvgLc_8GBc2D*y(sIZq+Aei zB)Pu8yhM1w)U8b{Qi_G)HI4M_<+i`hSy)=U4|wv01y9MDO1|R-uWxlHgAvRyafv2x zPM^+%1kAmMpOsNL*Bbywqj+|^TrFcqZJw`vlP5;!kX&U@2l8{sx1vsRJ;9|^Sk&Wb z8y<97bDT#>c6}v`+kRYaTmY1Qb`NRPtoCcWwc6EHp#kxk?art;Lla$Uf(#k^qbMt{ z%>G)S{!H&<5Gn)kJ#aI0l7M5QZA+t;%xjy_{g%EDX2Dls-JE~SKLUE?!iSelWXX0_ z764ceghgtruvS#lZGXVK6NG94?MC^{d|1CU=yw#vh;U~?e?wUG+qPh-VRPzWF=j2rOH zAgPd6(RfDGfhY~;O5x_@;jt6KGz6{zql6+&d|f=7l^s)fV2(zfF{REr)?p`#FY=lgj5&8ZpG(>RJjpjPDW_F9`^ z3f1bJuPI6fckR1a=G+ue&JN7URg;B0X)mvE`qgOrwTBVqVr*RZ#`S?UKDLQa6Ehhe zgHr6<8d`tp;fDudB~`+;9UWAs{a&a8)r+9I=*_W<85Q6qQZ28)n&IGnhc@qY;mQ+C zJjy0XJ`yaru&8kvLaZRjc73Ri)vv~<2{fTtH1Y#?eg_}EkL8*eGeKAAYfz;S-DLml z5u7OjVEB`$nt=>5_A7$gJphuD`kMNg2%5LSY`4s~2>AWQ+v5G)E9pMq22xttfU!Da z@t4XU8+GDve!^LwLgo5g)$`X9BBn_$$~o+Pyz8uMi<*tsX1;nMg7Jo9_eYjWVU9RL zG-I7gX^dX<$5GZu=%m;4R5%n|D;bwV3{I5&ix@dkr7}I_z0p#GMyFt~UcTsu&U?3_ zJR7q@EsJc$DuR{^ENzC=Yd+QLco7dq)F!si3_YuNG;T0pg7N0caf=AA)l2kAKjy*$ zUe)}}npJ~{3T%d#RFHsXt#xzLkQk!A)Ir`^>R-LoMvYvm@^rTA(YLd#(gESv87%UZ zT$RH$t~J$Ac_)9Qd<*)>fqsj9*%8Cg@f4$@7RE`FapEG03ddN|gB}rEaC58yoH>OiYRslh~jX z-9S0}&B@HcvgmhWB+hiARRzSa6nnQee%_phmZGjfN0aG=*X&834(84n$E%kj8{yU5 zDO{DX2i6=n$4)-rR8Phqxd)cma>MC^#BIJ5P7WL~yBZ7eVw*_{iGI2{3|F#JgZ3n& zf+&-MfPISBnMl%yo9|<@yKvEq(OL#;Y-4iqtpgur(0E~od-mDx6$#;I=oT6eT@)(N!UHCq#fTrlY4h;wK5Ak=jpZtJJ8DR4BE=} zZkIaUJD6)R0hN%1nU~jYJ`GxoEliLVZvLORC^`M@=U(jlLT zQFS&dO}9kW4|_|{g=TCwvB>lcv&T<}?@@xsE8m}a2ipC@Rv2a)u*1GcDSOl$7p`6h z{J2-|>BmQ1JQ#hYs((X2MzAUpvDE`pMLN+>^#b;dEGtE2OW~`Y6+a41dA+nXA~2bj zi_2)8m#jbobV@(ou}xFWz+hKtsLo|76*Ru?9ndDHi0-~H(R$K29K|*%p=n{}(olQ! zWlx(z#BI%5^S9RJ4SUh6d3Ffda}UQd#v?z$@ZuL!C?1Y6j=Q%VCK$9n-@q}R3gS2l z?G1tI_9n*!QEvO^JZWBJ9)MN`X|ZbYp)=a{CBx_W5jMSSj;U`CRC|;Smk-@{%bJa( zANU&tZkRnV2TcQPCz3Jxw$W~!mc-P=4d#tak95;PVWMbwjmwY8pzn|?q0%<<)ovJb zz+OcdoHsJ~*LcLIP>2R163kleg6mK5h^=34myddUFz7WUI3E18IM|JZ$oWDU&WGwc zAMHv`Xo~e?-k~6x$nCR~ESgLPYBdL`yPK^B_LG^d^3`@h4rQWQ2bysxan~bfUS10( z>D}ZKjhbVD(w(AX`MxYDeU(gBar4IOd3IJg7^MpuQ5fX}BEixTsg|=66|77;z0{ck zL9|#gDdl_-1)(Ua3xoqYazk0I@tp4jaOmeB~Shc72+T?g|VuN2P7=wVOi0`Jk zL%fG}tAb$NQBTk-fhOPyc$n$Yaaj~h(?z1B>>7}mvb3xh;3lNRoqmv)A`?*GBCxrq zeCG;md6un(cdT)WG&}HfKWium_x(J&XrpD{-e+QY2tZXR-NsYg)d)TqGBQEZYjbLCOoCNl+Gl*wMsx7~87i^V1N( zG!&zn__aTo8sSFL>HfZka@1a?Jp6u+?ZPkCY6*- zer#R$Dea3L?VhZYoc3&+a+X0wxq$tv;?NC0^ zCE@m~&N4eyq+zpwQj;n@cJ75(AH8oCrLx(0v(&EI4EaRAME`j_-@eCLsWz&9^0nL9 zDqi@a&i;?}cRG43EHPP35Ci|+n*FV+uD9{#>>T-d6H{Z)jC_ihzNj2zCpsOiI|2>J z_TEI_{9oJ$+QVNspIg{Ure0;{k-se_bzdpH4+~F#(;fuO8k03ln{-)Q)&mEBtMpi) z8U>Ws4m&ENz6FY5!{Lw*fS<>9$2d8*Az`r316d&J&}hqxkIcd3>9zSY#51o@5ff;^ zC6s{)W`J#-MS9bu+QFxPJZ+76aU^|-96hjR?PDvSlIY8ULKj{&yj;0=^0aC*U|2-(Cb@AF+Zv@?EBVxBc1A={4t;2a z+?)1PBA@@*RJWCHpj7r|SR~!XjMA>T(m0$^zARWiY+qY9h1>|8sd^Cn$}XzmWnC!L z_0UR1C0US?Wk7$?DB^B{#zEEZwJ8X&MTs+uX6fJN;>=Xi!yw0|i0kg`2HU>S^oLJK-0Qq;2 z+P@D@{u9=@gMW{%37@5z<6^Snc))c3udde__qrZaNzMwCF0bqPxvNm=@jI6KLewUi zeg=*4yr+yVSz7qu=T^@j7-xDtXd+JVHt-^~<++(BO`FQM0@csca6B2BZCov{As5p& z7ucmgVwL)9Qc1k@iWB8qg^#KN`Z)tl+v`Jbx7C&rTid5kh$EcE7yh8ax9oqHWck0b z_f*{Z|Dor9qSXKXb^kB@aG+hAMD335^c?{-94-_db|&v&ccr!+>PZ?c4PEt$hp*rL E2como^#A|> literal 0 HcmV?d00001 diff --git a/webgoat-lessons/password-reset/src/main/resources/images/slack2.png b/webgoat-lessons/password-reset/src/main/resources/images/slack2.png new file mode 100644 index 0000000000000000000000000000000000000000..1102b42112ea748ff1d1f5b0fe5fe543ec1edbbf GIT binary patch literal 24086 zcmeFZbyQp3*DjhGw73@$ElY$=*B3+HKweZ%JLHv|ZI5EL=UlIGY3PzPOsRyO=tgo7=ls zI=KExJdpr4A3lFgKUnftr0~oXxE@)K=tq8%WxUI5AQg{+&Kqr>wN4X$Q~DA1y4V7Q;mZ-+ZBX#!nml={QL@Rj%Q_)WNs7zxm-3 z+Ik6QWo3PidIG>d49Lz8T7O>wjA69TpP|}s`)~fc{ole4J{$kA{&ivB?&0?@G@KA_ zo2r?NJ)Z%q$&wagaj>sQiCIZWDI$n-4(Fdl03ev=<2%4XQayC};rj_4y|zEWm6xlx zM%DwAsAc>tUn1sFM*d}#8_2YU5K7*UQ==IiLMaMHI&G7@^4%!6Xlw{5#si2py`y{z zFwSCA#xAE{o~_Jbdb~Eqav-(jjTJQwsou{>U^22+B@pu3Ri&9!*VHW^FXBLwFZOBn?jM zzM~gTy$J7fIh5|qH^!PvB;M{0D0>E=6o1(caQsH9S-{DvKBBTf?lMtICd1o>ncb0E z5^2p7^znd=nvfqG_yq7(4RtHvPF~%j)UJZsl|A!qU;WATKX8-{@p@2`qpg|^KZ3^f zHDLAK$Cqe;Z{XQ%Je9*{V!->#zt+i=l=H7XFBqHhk0;$P3%?W@M+~xe-+Xi6CQXS7 zV-At8@p=m`cd#oL(M;9r>bRH$IdTABnmFsIl4=%Dr3p3Vw6@zVS;beS>qCOB?_z#e z;E|}y$*B>Upgx(CBC_V(WNmlLjsY?7cxX#Nd01 zp$+YA={eahPCa(thBJb*z6H_gi;ig=`?4M8_iD~NC zf;jzF91f9Hmd=;B;12_8#fe-390zh?^ZA?g?iWE*j;*;DUT%8FAY! z&1xg=^~1e~7n~N$c6qXey-$(atKjCh3GBWz!&*BLp5q-Cy)+SufrJAMB z?M)Lgd4bc6kl&t!tq;mbdJsq*@B`kD{dF(S6Iz0Z$hzj`goJNAvbbm>9LkI#5aMS$ z6nYYWl-uUiaGSw~Fg*Efw#1Eg*32ZaC66<@)%2&?9>V0q%Z9UvURqA&44dl@M)psK z>FJMfGd*it8SCo{e<*M{q}|mT`lHS#q#_Wl+k45O#}#2AvX=Yu6L8;#SAt=&$$NIb z=YUj9z$7*;DXK5@i+9_r_jPl;ZphpBf@Bo-@Ft_S-0G-+7LsEQ`+E@~@7m>aQ&@%M z{n8sTQcD=6E{p4>*c+L0s1Xi{@UODiRj|q27f)vAoV=}Pt*cM!O|G3?v>ct9G>H6m zt64CJe-=?JwYMMiBk`+R z>}vu>4tFJUr5FqA`=;gjlA8p+aQjlUhKM1{Nghl-01^6Mqec@P-D3{mz~AZ5l=r5E zzlhiD;4|EF@F1O$F6uum#7xP^>E8gETq3Iy)t^1vDVhmB48zBR_M!Bi^r=wij`Bk9z6xEUJpQ zBEg^)SA{|VxXOynPS*>5@bH=7>RX&X9u9BoYkCm4F468M-Cw3Sax*7-KQ-JqaacKa zRZW(0B=2e|xY@Y9=uSh{8Ny?*BRU0_3EJ#7HoDt-Kh5-tejm4oLU&w7H-{(H4FpR4 zWFKlCk#D+4j3BU1R!Si;=m$j81W5wgc$8x>$=STRoE|1lk0PEcg2+t`{72*tx7}*_ zp1mb0;&ISt-O@$p6mq6sVUUvSxRsdQUseec-e1a8H=uc7IDk#3ib(!A(w?Y&Y&`=c`*T!yo;*D5>8~E`CD*-;QQ+F-w1@bShaJZ^ z`G)CV3Xy{?@g2~BhK&NAcV06i3=aZ&#XM11R{i=9&m!{E-2xl_@YBBrbz0DLsZpU; zoi`FcQL6zFRvAyNr(Zm0?bK%nFYe01z0&<5v8236G;g`9?9ZZ^_+R+E!0^1sWz2%& z^PiGHph@vkWI7RB*VUFBZYbTB^7f}|UkmPITnib?fPw+_x~YBP8L}i=7xl`M#l(QD z%gblaZaR4JQ{YPtu%~pH^|du~w8>v;zrN!GYzE_D0fJL|Ec=Ig=q)&oS22|4@-_0z zV#MNla)jo%nDehpr=KO7SNmTj{m}A$Dx$O;%^*`y-SoZB_3ZVz`|-PZ_LMO-9SDYA zY2#9|e#>0)d8wqXy!aQJ%AS%(Pw8IZ^JnkT}y5+MM11 z*^eTo*ybDeQn3QAx$rKq)L3u(@(hrWuOMyTK-s=YC~O0l*g42n7S|pjHVkvtRr}Ll zR5-a#Fc(U5J6OS{YVoK^B;{E(J-+8kPiDR!uIFy~?AtslA#8hMLK%SMJ@E09vFq=v zufS7*m^eFe(KE*a>95Q$IxVC<6s9Z@`olcjYUc>FrekbwdbG68y&@aOEl<)+wjP%q z4Z@xK$Lu-|If602MI@9b!w`!9gRF&rB-#-G0HR#?&7?1^^3zuaqSOu35EJjvENX+p zyyaE6!J5y+JI6p@f91eO`2@zw8w9eHpmvq#sSpJK2k zX~d(p-A3hnkH^+#=V<(h2r*IB&WE_{Cx%|#L$Rm7xkR3`b}T*>iad1iMP+Sd+po|7 zv+bQBr`np}ef*KtQV#*fRdAfNM@ijQ5V9ISiq`v?|ti^8WmJxu$W`VnKAefm4f<8-YRf4pGvC0;Mm^=JRZR zOfwKH*~2qqXNTi35SyPxsfEIEoP6+JDk^j%kX@ zApy*>$&lW2go=GnMI-mpqeuIGjnD#7&aW3Y$wDHTed`B*x;c*TKMZBo5s}&NQ4(&x zbsuRsa!+!au-po6J=LBjki5L@vM_fuII3juw+Mz3PQAr~1@H_6! zX}EE+M!s%Z*-09?1m$qAvR?(qS z9B!Vqv`s>E0pCk%z8f2J-)DVDcUK9;f!h64nQ9#L(rSp|7f;&7 z#hYTob;V#->vz_#Ph*(yxp+43YNixHr~hzzpyARBZ|j}7re!H_0aiVOP=T-FS#{I$ zrnk|b@aRJH)@1=-&uQ}-UHPrFxC5(L8XUu+{&KY+2-t|j`L1b?b3SX+UESoo*coBv zR)Nov_A@CWYDh;w>A?8@<$-#-N<^{K{_(YQ=0Qm=L5HqXf(*@Ngh($%M0_Zt08Ao* zC^J_UKsd9H@u$^M|~$m)pRP(!?Xj z|2997uy7zmR&VZXj8VY)QmQ%6Qr|{v=t`tu(BH>bST0v!s}Ry|yV#5e0HBfpV{ocz z294jM$(-;Kw=TT!dx%Ofg`)8Amn8&|zO@Y*=A*^$t)E|lm3X}1g-?)-$C^7dpR>6d zZy&NETo1Hy@NFst9tUaa-TcC`ucC)qx(5+W-L+QzbSg3d-k-!&gQf|4Qr|JgdsiF@FC(^BA+yP zM+xlhOiPf7GtzDHiYrAiKk+pxQ`amPNU_u4fELf!t2a;W7V9}^3WVTFt{H#jsKbj2 zD;623Vk;J)-Y6<@x2YYJQE^1@~R_ADgZio4yMlBRcxQz^eV9Jjt=Q7GY`7-61Ha@jI zr={{oU-K^Y_%f@-0@QKi$g+}ug(WOHDJ-3IJWg6=2|y(_cVG89VIs~h3!qvr>`j=d zQ|q06ZQb!*C9yPYBwQWmM}0NJ_kVjn7yJxLvY8AWJ5@{A*|)7U*dH0*V(2YE9}#G5 z)##%tcTI=gx%yGe`bvu3C3bb^#y7n?JAIARkIy=wNcXNQJMk4-1l+x%y}kiTNsml7 z_>J=Ml4Ytu3e5v$RTHJYaICg0ZhF<)@iw}SYKV$x=5#wM0IOwC}!E zRU-mQ$>&9VRXFsZxcjlo-d~H0ZqM1p&||_ZMUd|kqr|m)gO_FL-!kAW!LTPNqf}bm z|3^GwNVGdB_6GB6gYh=oTi^Cq*Vr`7y;g;Nn~h)7i48x&(LG@MO;K&2uP~~Idlcvf zPnh(%C(myK3wtrRbZwSW61_ygOsrGUZ0s05qXPWoK3#VVrqniWdmm;lK1FYwpFUgu zDY$egt#!hMp97r{@U%`(S1mB*tEwT5lKK&s^LWRFjG`c+jtEZ|2?}Vnput(pTqRFE z920S}Q!0LFP$WD%n3WkbAD_m0Q6`kNy@w#8kSAJ4zj*-)4+GsQg}IfjS#fYw_Edp) zyJn%C*cDlLKe8yo2uZy2sabPt-F*co&E~I(#w*Ozi{09`tX}o2!TB+A?DiYsw)59e+q^!Z5dfDN*$=}Y6I)|vKH!)&-429HY`OL@cGV@QGe55nUlplK`8yco3b)wdCN_I!L@?ZTSR9I{Og-#H& z?846a1kA)IQiN#I4OaJAzkhM;qpyg}f1I6hT$BNUf+ANIZTRwMVn}XY9cKV&!Wfg} za`>Dzj(X~XtbMmflAJ{kD9B(G_+9ZIOQvnz>h;nn1Py4@WR;B$Q@s=i#}Z?VGI#2( zRX>A|sT&yh?(M$8oWwRs-MOm`R_t&&2(1ie{C#uW#RL?7m1&9mU^XfCVidR4#vS1H z?|!H=`Yh|;PtxpIvihJ4CBluwiF}b0k~_GocolTzq07@LjL+U(&;m<-DfNPjev3i9 z)cb;-Zh!bSSj9gxgl_ zV~9I?5>@O4wkL@#_vVTT5j2}@I$U56gFqp*2IMOK2qqr^Tznlh2*f<=*K)rJy_70& zoO*Wq#pyr%2F;R=^-uUalUH{nxkagCA<6yI?lw*x>Pz&H0e9Q=%X z=QW0C3=}b(!`EkLbFGXO@pJz4MyGz^Tsq=`KJ2o|j>{#N_sqZhcabet8x}1cSn1#-Rold$3Fav7D)kjt(&UGm{|9$ujY} z=@$`x3@^!Q92rH*s}Kx)t3w=@_Pg4#mumwNnKa&=Q6M?hcylK|i<3c{oqQg0o<0O` z^Ym6m2m`;2WOg`pecqo4X$0>F(wGC&Yuoi@O#GP;Qs6G^#dn>9V8XsRkGBUwFmP*#ob{Sj;i+ z0I(56`(@cBYd?DZBbD_Hq*9t7fh`m%wM#GrN|S z1zMisTP@8<*m4u#ckW++K&PjXW!|p>AzbzIE7lcz%*@ZFgPwIb58kDE8}B`g5Q0O*Xf5@1mscP;GEw?DPZgQg`1wP$=E- zc_p3X=l$Q6TrT%M$twK(+BSmQ;^ol{$1*clPPC%X$xli4bzhkb4CQJ& zvzc9C{B+ks(nfoylgWHhZ=d*o(q@nkymL@oaF|Xch!GX}D)fd0ghIIs7fi=uNKae+ z#gdmhLh`4#C-!dHZ$;*hyHLO_*3~UqQb+<}^9l`7;%ldTXa+l`ew7tOmYAXEnh2lE z%O+yLo<&Le`1Y8QNd8oyOhqKfW{wJH(IU{^%e3G@GUU?#op4Lp$r79P4;p*SK`Hvu z@72P*H=KGvApH^ChYydI5L`8%`_)#Qm>Lf0Y4m|Amm9>07>bi0Ek-0-<{)CA;MqNx zqpcfw1KPB_LmvchoVFf5r}#GPW(CQv{vP#kJ`i4*-&e*6G>J+LgIRc>hI#HURJbr5 zNd70D^Z+L+QzN#+b~gaW&(HWaf8z7Rs9AXM{r3`scaCIK87gW5^N&0e<`r`Xje;}~ zafa!2*Ud#hk{4;Z0#m=5yHy}`KdwgcFduj75EsFZt)ZVGsik*+O1I-e@sW zMDBv5JhxItrjzotsz1Zryw{2^r&}#7X+g!!FFdBv(A)6C*75c4UKrMI=|cQdH3S+EjHWu^Qlg~p{c*OWTqLGuO?;HCF-#l zTBZ%N*qLvIEffr}zvfI&dlatLVKMUgbtdAll>XS+87SfVc$0Kfe7#jL^cwYHXNALB z33Cpk+oiyLX9d&~-pas+ENjX?9;g3CJz(=F@imIr+=7orv9R{Dzuvmc$tt%sFIFnK ze^hh(*B(HdCj76(McIpLr$g$`V0S)N=H{ny>VLmnJ&U8P1a+|8-6C;>Fem+ zoK93n~9-$XN5-Y z9DiMh#_|a_RJWS1J5?rF#hW$NRqYFz%E_)bysV5y42z0TJ&uRIn2wy>Px)kDcwNjI z6W)oqVJsLIIa{B%FDvnR-Qbpoj9cL>bGRBLpQ0Nv|cxq(3;N#zTBabpyT9QR|BC*d9u@l!()vrWx z8}G`+vvu5=k*tJ-gmU7?6UU7#|7OiJw_mS6K|e}ZyWbD$>)hOWWN>P;^uvAA=7pRK zS!CsrshNf=8JGdA2KLyQFz-AN#`)PkJrPCp8u`qpUIsH{b>MtD zWv}QB24ub_#W~fF9#;oc+r|)X@2X&9@lop`hxM%;9IEhCMTKD?5S>gj48oG@X4Kz! zTr@bfWKU~8OrqV=_xQ_!tq9K)Hk#!onc3R-i(@4BxxyIy&;h-Rz-A^`61zcCcxFX^ zNe%oa_Txr-I4yoyyGS#rqNgp_Ej+CV_egV1DaxG|2K< z+^ce8s2=;xTBN$Q>)O~U2^Tg<8?(&QsHKzy$=lk0hd{=1!y;BFG9pQY95P5r5<^I< zr(%~k5B|L4#3xgZ_{u35!PfT?^adD^py1)ioktFg&7%j7&*?J&f$|{Jy_MykdzPV) zwf%iXP%cOkKLujR+>Z$Yg$;mTC(+w%W1`)6ka-9*{Sj=G(P-XU}5C$`MRz+r8T!5LaWnfzb1iptKAM(Q74;x zGQ{fIwY14JG|RD5wevW|RNbTmiieyvHCBS)!W+wny)C3hRQ!plwmMW4Nsq^z!W|g+ zF?94v5MKRK0|ihn-P5HN7r|ElG6$dDCt#b{Y!Ik~QsG${)KB_(>(8vvst;`tUa-L@PNB-t&&k_gl1YM^imAtpBm$on$B|**3Fu{V%HH@j0Z zy=zAw=FxKGvb3sVk6zWe>Dz>6T)txVTUF|9>+veN)JM*1??fD0Coh(ktw1twwp5hG zv4);^x>N>Uo3LnH2o5QB+Y7@w+|T>WjOrFf_jG`2baE_LXUsPBH>Dh0hZn?l%xf6ZIuC`m+=)eRW{=>SCtwS%Jh48; zHR}I(X;QoeAzjH{vGX^+zHA?PfenVfTSJ$(WvJP;nytPuCL70NMnha8L~r^hEzd`~ z>*(#292}-P{%F7)3yRD8S73VzF3LAkL-w8F0$dxInZ@olA6p$m=Y#H_$TL_9_Q z#HTq3$P5I=nO+(M9?uYO);9l%FQfmXW}~h?<$CNJGG%QhH(end(0ybtI$^wY4J=^R z5o@iAUHAZ$D^{3(?BI|J5^3zohHp?O6C|3OS$QV;e-53yaL1S%@&y*8eT;J&Bl5aI zk-T4Tdl=-qEld=y7#n~k38`f$d+}OCRB~pp5TgHxX)@}^X-FQ z=mO>0?S(4u$TdfV;LB7E+vBliUzsNP7nDN7 zFz^$|5MmbbDT;emQr!)*PbB&h$PclXW_kjUyT^s{xKVi5O6vQYPr!Rp==q1NI{Z^9rSyN;qVn7 z0Y>tDrR|F+Dz7l-2)Efw#jYc`sQCy~or{WH*iuosbffp2iIQc{(v7Ou#ocl^j|G}#FT++E1D=q%rqA9_!aO>&DMZ&U$%;H z1jPJ2P`!U z8|%*9Z>$rS%Aa*iUPe~$l&O>|`|6$KL$yZjk1&O}d06o)H5p~348#?xwNNNv+@qPl zmVxB42u@;G;Q)$;`R$KSvE-3jweOO_!9I2thc&=a;6yXKfFDRMn^p5EvVT!h*7F-mT8876S9ge+Yf#=guLWqD;Z z)7|8m864A4)Y517#)}e%5h6C0DyDy>J)oxKsIq_rI7B75ej(jdVEZq~M`vw`kF27UWA5Gd(epeF+&AF}QzF+C64yJ08(F|*)s5=dQNUkNo)knekL2@g{>9YQ@ z180c^{h84HNcQthoP9;66Ne9#>?evDvlYRpgha^1$NVI2{Ck+#qh}0kVqgU|3rW?c z8#_n?ig$D!+_*XuUELmL0_%=Me2_Lc<=qzJ)pRKCnXOWBP_=ujGS8uhn;+*wO0V(w z{8_mW1Iu4Qk#bKqE+~Y{N;#u&n8)Lj&SAo@SvdQKi*H7!^h$%No>u?jr0u0aB&ulP z+ZIn~9dt2WRdty$t4DZ8j!hkMfN1FGOq2?O%9{Aa%lh@fiypf7QO%|0-3F1SC6pxF zAMrz~sm!mJwu~c&HpbBzrGRqDr>{Vu^*?=u_R2ZM6r^%B(5P-Y`Js`oJ7E6hE>c@} zQ)c{bPs7i$a?gYPC@JT^X4GcFm+K?E;7XPUhlh!Kk2kxc-3yDHDrtvH%Pa2S>0!?= zgPvc~`dv6!37b*yS;B1k^yM~ZZPuzKhdc)-IK=IEd2lADj4;5?|1&R>>*TKGelX#Y9R4k*zOp^g zs9I%#Kw|c8!g&7yKdf_jPe&f(9xLljDf}aR9>JS4QG{RsJzBSbixi1XvI_+qZGzJ{ zFz$adZ}Lp&cXRQmI#uN`TTK)Iea3~(=9=n!b{3cGte>z~qyHUPn}EaY7nvD^6jwxE zKeAZKTdEOp#;eDTH;(TpLqmk&h09|wn&Zv7S)g~xU8iBN zCVr2w7xY2t6Zjn*vb(#-0N>7b9af0@4ucmJkF!3dNq=?vBfI?U;(q+NDf;0j_4M?e zf`b-zFM}s?R_4($-Ra_1{I0%WxOssqhkQYV#;6>+uRscvwyBtInP}qQ(_{9q7dA^zPaO(~vFA6}aj z%_}i_Yq5NE<<|E?yefGi__KAX4i#H*Z4=Le2DrSoto74j#b&Eb?}KiybLrcxuT9F% zw*fzSV|&=)V>z-vv|3KHJLBvm-tp29|R&gTl%5Y^wk5Z-<3sn?@ooem}X|BzFKY)g@7xZda zX6AKFjmf4zO-xxY&2D|E$T~TeHIZ)TMhOHqrj7$@hL(%R{4gCenD!sh?_=GCB zx}-W=cqUz9C)DJVqgbW2ysLe879uepe$Um~^1lxOmL{n1}rxE8LYlUB7Wy551kIRFyRIQ5On81ZY zFnV_3MZgb=MLzdpxhy~F05R+`@x2H=1dEBIRgJ(_eUfz?t3pKMzL zZ~nxxQJSw-Io7fY=onl27<*eUY)p%W;&a^WLZTQHoNEgRFR5w#3bqi7+fWq4pkacUa3oUos)>X z*rn$HLEFF5AOPUK+dGl}&&2_4YXptjeN@m%Y)(p7DF9AZUYibzN*`ZWp>|aQtoHp? zwu%22IgD-)Rj}cBOa*9L`+-uk+{qHHkAIk1+Y?&!Mh7_7qqak|iR&st&x(b`JwqFShvg{S*9SRX+HO47)QQrXH?luC8@6vuk}=$LKxCA9_!f_QHIF|o zrS_c9FlMLNu-_U&9ea!C3#wLFB$^+q0=@S(joF$+owB#|h>!Hds?WCf+0ce(1Pz@p zB;I7lBbENu0ze%d6wQcQOnuKV4N5j6vnYvViI1+DRZac-OdjkPx}>v8n*T&yrT_iG zSP?@j|Ay9$o~6LW3YOjgfu{d(Qies&&GU;}*yd5Tv#rq|uQ=?!oM@m3zoKqfy{F9j zM#S_6ac}qK6>IK?SV9Nw`i+Fc_Pm3wJyWeY{CG^8JfA}{Tx>&qiNJl4Aj#8%w@q}4 zQLPKxo(=uCvE8?&ssK|MCg<|A-}$rqrt$G&agRUs>zz-5}scf|8sQ$GHabU}jZeP+boeMx?E=u560QGSE>}Y>(T9GWMOhd9A zc%m)CI}LA|GNuFShGIcIBD?8KYGj7^-&WIMoFjaf#sVi9O_h2+lDju)WgT>}7VXuE zyKwNk4?!?0y~37?z`554ZE3VhefINIfJ`M;fMfD~+1-o3SpItX@Xh1()_g~~1?SY~ zcs-WK&e9RBBpeyeMQ z{DoLRaSWOoNqW}hVvDn9D59a&xbS*Aa4zDhz|BT23Y_nTmV=y)m}7D{_Jv>97B6N*>eM1@)pr+$a{Oln1F4sVHU3`tB@}IVb-6=$Tywd6`>;MkQH*sT zk(b?EbPg@nm}~t4^}l?j+}tsecQ~Bhrl)}-CiZETz3Rs*jD}makR}bNTRlyh2nhh0 zgrqo697*^71DhXzWUYk?=s=jLGgOe4kD~&_2@tnto>AlZ-3YcV-Me8YEV(tK#mI8v z%@Q&BTu|rOW!A3g_XZ-W%NmiI3qjtN$4*yge$nzzAuYqH1vFn7U(A4QFgo3Q&zuSd zdQt|ZbCe}P&Rut5zd!0C@{X*RdQ#2Hj@&VsU0UBae&TBVjb{~M@z5ij$AAJ)!QTUk zl-2(q(RUf_SglOW`5$$UJ+fhT8$|26-ePD#dSNnMRQ*CKCLmo_qY3AuDCXtYhU7BA zywq%0Di&akcZB7;`2#Zyn2%hBz#gw7X;$c%Q%SW4zYf%%8}M})6&)$1!xECRbdq( z3)zgkGk9B|B0|rcr#1W6KhNntN1xo9pS#N-U>u~_3E=pzn4+h**nifdVO@wcC zX`U8T68m3BD8XI`q`$~oiSDJ#uVj6@i9eMob3`erl+qE)TTHJM0}Dtvl80)DGD4WT zgl*j8zK0c!Xz~a16U4~@b#dGu&EFmC(V_6z=={bVU4^r30pXp)%yVwtxS_SHbZ3!> zJSieIqKu~QQ&m?6e9|mCm|7{V5I40fo~f1Xx~5Gl`oCUe$(}bC&W?{&WVZ26*MB+m z{KuLs8$OA;O@P(w>19PrG9}qLn~|jdgBrfMFD?H+Bcp!-ymXcfb!n+Nn!RsG8MN6sCoaxyF zGByUo#8-_UGCyfLlu{y$Ed3?eSV{`}_pI%?_uPcn(U-4Yk+Is%REV_PnlUaL@@53h z1$;ya-2&I}04%u^HX%&4_4S^*3%T{b@l-8nlE-vRfdn^qm}mE{Oj7y6Nih&vQxPjL zGk&U0bPlawine#Dug6?Y{VkE={|p6I*O620SRXz(a^I`8N2LlSs@$7vl7-UrUzQt>7xTEl~Jl*7PJ2#SbugDITZR%YTkp;iupDWCOJ9N zp!n6BRYfK#2B>Lmr<$qTf&x>!3i{EAe3!0`d&>8)Qk7rf?r?k*T~TOhU%4fBc$T|Wn1@u)aUeG?_ z8nK#vYPd8M0%hEZT}y8GDU1J=cISmu&&DSJ4lYXZ&L=#5mY6`xeDA07W`l!Kr+$f# zQUg*8bDK|ZXhe+~`S@hgR|UJj7b-JpdFzBl6r!Fkqaf;%ql}%v(f<=KFpLtBnlAXX zJH4_3YMuZ<|QMi zjxbB8^zF1qvfv*cbuEOs$eEVAScY`1o*agACjvXEB+paeeU+zmjY%r*;S!)Et~QsK zD6RPC!v6^{kT2FLh>61-Lw^;bJyG}zUY1T19x+VbIg0*@ODf+2+|#BJQQ9*+{Jfi} zlF_izzV$V8(wNnhHzCl!c9}Tx}c_7a|ubL=k7YDp?L=_tt2 z_V@ldD$~6fDU}f5Sf|(~#Gn_yk|K}NIBugy8_O#-5G%?v!enY+yfD2(B zBP$lo+}4Ehjl9#!>9o3TOEWH^meKq@@wtI&e)V%`<+L_t{RhRrrQBOY#9-G?PbmlI zT7iX`P}VZ>z+;Qcz|&VUZ6f^by}&h36M0wZxZ=wEU$w)DnFMu{ew|3xyWQlhD71U# zK=}*l;)0!09_;k8laKE6P3$bF%AJXYT5Ku4fUsp1?TcLt?1FrS=Hj&3KO7vDT#Dkg zT-ZgXcK!Un%wQKFu&_x#N^VTt`^a0=+{$}M>Vf0jN|i3K17Pv!%ZR{U?;9snc_U0N z^VDtodMb6ga7v@jVfJZihGh~eSfwj8&VM(8D<0$C-e^0rlwZT}JeyKCgX+yCF}K&dj41OQOQ{{6oI|4U!| zEr}@okXH^!_fZX$x4ucPk09?ya2qj#yRu44N+?~a{yGtG^%}Kr4|V+ao_$mV`rq6R zk};dBLU5EQzZA1tuZ(-)GWK8DZ6c!5P$hx#oL|_m=uAIDX}cLOi&}JL_g0hMqj}uv z(ViQ*044e_u;V~SDT~olm(Tt3xyRyq{q4z~trN53bO#l*<{B#T=|ve@5pA#Ja%Q5I ziguJ|A&L@0O5l7Y_qJ<53L7)yPD(EkZ&!|8Zc((Hc8dm_h{_5UCd{*OkecYAju$Y#d8CuXPsHLGK5!j`B;_obht z@4lM&|EkWnKlMw28B6$ObKbhzG)U;piJ;)awkLi5FG4&-9vjQf1Kul|C?#lyWp>^C zgE+j+UkldTH0~Tj2ENVSnq=(oA38ttfAB||ULfQ4V3@eDYn2;Ar2kJ&i^P!DQ;7y7 z6nXl}<0YUD5fM-ZXmj~yV_7G2+*Qk0dKHn*IuhwiWWZoI^l3G<+I0aD_R)vNWEmBg zk2mc!zCDXWVvMKS5eK(!`!o$Cw+_bLCnQ22I%dDY{F>#m3ex=%$JUQKNY<+@f20aB z^`3M3Ez;lHgJx`Ad1T1}E{~AHGpu3p2Th~>szJ3&4Pc@oYU)Qz7fW@A4^xljvn@;Uz z!lt}Aa+SS#OUcO{;U`hxKfAcIe7CsbTXy4hzG*Rc5x6{TxPga{k8My4zh_Yqf4jGQ z-^RcC)Z)o#Hfc;B zZgLE}Iy!iR?!;#9pD|9De#fCa#O;_+jx%+iP72CAcbKU@e@S^CvK&oI2VCS|LZx*c+u z*F6_o7}Ux!VWYvQL_EAltI3v7EMPll7|m)L@<#(AmLiF8KtP#*icBjm1*6xr>35x^)ngzj!GDnq%kucm0k48_RGlgIF zyKpF*ji~0X$K<97+NWBFYcp`R^a)0J)qQ`%Rz`sow8J1tjRH3J;0eaq{?CmD-tJ~9FjnG8v$dx!h2Xz7Hbyttcd)IgP9=%Z@Iu0S+*iG& z7#Eql9Ws|oFKmuVSRX$$B%B#}`}^|~n(Tc%9-L$mOKdEPyVUefvVo9Rer|O)J*@-6 zPFGRZ(a0)+h6_aJGC7|MBoP(mV~+sbS|v#?eI8r`-Co=rIJCIM$d-&TZ6m^syW-0vg9H}W-W5`W*trlP+y<8kb! zwRM-YFN|LQh#wk}P_8(8Gh4)%*REcLXoN=~IHz2395eAliSuOX^{5SM)mts^m(Nd( zmjaK-7cQf2ub+hKIyp2yj!h=7H5}Jr^qOUF-y!`w&V3w zil~FC8cp8jM)BSFfW35s>Bc3Q0d~{4<3(z}dpE5OOg#k^k*_hI^M+ix?0d|hI8GbI$Kw{LTTrfFkD%Vpov15MN?EX>(LM9V8=r>87`XH9cU?IHPB zD`A?pmg~txdHM;WGCF8_EYM?ddqlKsdTM@R2wH|dd~UvF+TCO56sYqXrQo;_79=;~ z;CF3^*ERUwKQU!yE!s*y7kxgt17K|R`m)s4^>pn9YSj^?Mq3`vl>baHGfqlC`yq^kd}s; z35gn0jj=?krUpTcRfNPCA^FmE*Ijq5yYBr9?%ltfb=KMY{IJ)v&pP{@XK%eIcO*xK znIbhz%l`O7b}Ibul-ID4&5Vzq&*)XVA*%5Y>{yJ-A-w8I??CLz6Ro$kJlVLgDGaDU zo!DAlF{=yQU@L;1ZwTXk{GxUR+DtZFo=?qF91~M8uZ>t=yQ4Rhf!r#T&&kmGfuRfZ z@xx2*KluQd9Uu}W$VMO+?B3IHtG!)3tCz^M{@LerhZ+tVN2mkWMl@zZ%4`JtNjs)f zybIW5fl$q){${~+J#J9y&CeIdg&($zJT}!&ASmu$% z@y&6+)sjw4H`EZ<(uVFvT(=NZy;&5@Ea93W@YKFLH4XCUqn3K8oY~QWT|J%)Jb=PH z%#31#P|vhk3FcYw5O^Xo_*EuLoHvIQwffq(5nH6UzTb9;+Gcolq%c>ToO4KI!m18S zQTlP6}H_eF@ zKl+id*0^g69^z!u$es!DKIuwYeYr3!B`cHj4ZU^5{@5IBQK3^6;yc@s^2r@?H?m@r z!BRI56!s2eGD?el$}w{Z^ZmgdX84f1YAyxXtN&nJl@lQY*2>awa1GgD7nP9!HCrAV zC_4N#q@OsB<4^VSi;o0A`^UfD5B_F_OV34W-HluyGmC;*$htxLCv8t!^W;JpJ25Ba zVlwOdLH0ZeotRD~6t30j*4Nvws^?wD&9B5us;b!psXpY1suqg*C!MpAOQBU_T`m&; zaYxH`A>tR87;`~zxJh* zEfC#Tqo1l7voAbQ?%#i}k#kSfTvqHEWZdw9jXa_?q!s93+xb8NU_H7XO!&01@)7(m zN0+$Bqe>3 z0o2hqQ{^g%0k!79+}w|nh?|u0mPRboHHkcUG%-gL%p#jcvnVy13$;!0I&-r|{^TRq zq_+=g4I5V;xYVaRS@}_DW zwd@dJ>acGMSkT2D0-l~vtQMh-WTdxYF^}>!&?jEVgb-|D|6~;LnL&T$KRkF6f2#7S zYZw~l-s=GXW|yfvyvUEE-9Y=_<_SmsFG%5VY?IW)W

5yy@HYDRp5?OovwH<`t@7 z11+L29=G0ojT-9F#&B&>f!~&=tIoi?`Lgc;C?cM!xrbavCU_^>}hFP#ZLBq7;u4? z)T*n0G8j8z(=aM7+nX)|K%{We8GDb|8ZNmVt{3-{APvaiS%y1$A}x3_mZg z9vwby1x<$}TeM*VVPHW*drBD8Qf*MgKBlx~c5KW&GAtu5!6#NnG9J3+C_#2b;HFS* zgQmcc0n}%=E8X7w0LecG;~~y4YBO3VWQJzarUt?vZmf7~52QC;GpQWy9T$g-O&xqd zj=US6`N9u}Ya5(7r|R^nC`6Y8l*zwB&_0Q6e;$^}X6uK7IMRw$g|l6nib{u13B7#A zk+`oRpsXa74HOG~#c;Gr_N=Ihod1f}C>FFfZu8d-vf1rmWX0VB6@Ao<+K?F5z?r_p zsV)iv+&S&7tp@h?qanWC_eVY7g1Kiw&Lux|gf8gm17&jN_zwrch9FRI#^zKDS*?XJ zfW-v!k^mgLB-DTb+xd!HcCQY9op!aW2i|F}jZVCD`m;!qD?7h*emyW~b}h_0W*xRb z4xs>LveR%@y5KM%``(;N*qZc#mhC?gAg#K2+gZrvDSRJ_@E&{uGCgUB`0+rM9P=xDsE5avD#FBlvWWya3?cpF8vm5^n>zv5 z%U>&rK66bm*zjs;9lP^51(_|4o(b{~eegT~u_$jvxY&emkYA zce07rX%LDx0Uo67ly!~?8jk>_UFN9JHEWW_lXYN2NI*A%Z{L}I$41L%1B=!)ttPzQ zv~UcQH21Me2wgJ!0J<=J`x2>UdP|6%j7TQ8stCBjDX-zvsdM?!1xU3oDY{Xn(1;F z#?TLwO|%D^e|xg1n9(niwcuj-&FMxll{?)lHIo(rQm@|dMf=Fus%Q6+Mi<|=AdLCm zJs%|E_-#H$F02YID6mfvUN*>gKK06_jDl9DYDMoJ#R(t@Zz=pDtU%xBR4N8zW_883 zd21dOz5Ur7Z=x?+yWIqFYSgc$!%775`v+ZG(1*xt=S9aklg|Gbll$yNdy_^`q^8|SWGAWo7YOlC5{xi-sB z7W&=%J{nDLNZI9ShYOm7+9pQGUID4dE~xaDMR~s%1dqD|X8ln^%Gp&F&!tNQ@)S#g zJ2N>c0{`4xJ)Pg>0(h(afUto+wr#ZZiCM zgZmmiqO51#E)5b?pys?@1df_RYn%WnsWA`JafQK8&l$&t?NCF9HJnQxr7|LV1=!EC z0G4616?;ogRt%MU;tFng-$GiJ1|X`ch}+*+By$~-Avx58%?sOsg|uBw@!3Xthbiqw z8_6;^H(yo?VA5%)0PxqEKwBecZ^i6&R%Y@vBkWL?xSZ+TW@LCF6I3=B6pLqsYWQJd}_gDt0WN&$Ot@DH;guMq}nbZmL>saOmN763l z<$rZb0pWs$?m_Y{=+~c7D@swehng*YtYQVOe`f^M0AaJPr5rwHuic_xl~)IA<+!7# z;1-c=BOLg58l?FlxoVGYxct|_>~kNNzzAL&6UwL}Zxqa#XuoCeC3z6xhs=|++u6-; zqGetC=li0>`I8T>_OA)f9hOWV>kZwJ%L_)WsSw`+eRVll|9Xe!ZF76s)uH&^%^w;7 zlfx?Kl4qtrseYUqO;r;;-~XQ8N>jaXB-b-bE?#9K*Jrk4+fE#~! z^dk3!$R+`7nC2w{5L>~rn4qn*7y@@ha)@uU+V@iUw@DCXV0&pKs?LSJR##-7y2Py} z8N<~;hJ?OhdmKEwK5d}&Munt;`7DYca&M%6V zdfEe()u^}Zwb#e73j1;+#WV1IC2GcBbxwuk{Q8QNPx@MJ*KM>>rM#xM z-voK1BFW=LYFbX!@`uhIwX&8Ls>A*bZ)6h!vwpVg4S7FLvK?S0xxeZWDazVv%iFvu zqn6Z~mUy26n^nI@jRR}4`y&~O*c}nGHNdY|0bt`6^s_Ao^B!(=xI?Ap`9(0XM!4v5 zb|JAz8uUd*_)_(+ACA$L6&q?z!5P}V&CX%ZAbG*Mu{R_2-bg`iUmm(e7hU3@I{3RZ z-*^^!sV0!vZnW!i|EZMW-LF@*<0K>Z zU8p7s9{JD#{$fWO%_VZ55pEek#2w7s#Yz59#deLrWOxtG#gi|pCPA`-EOz@vUo69Y zptYv1Z-1&8{n~vj@gAwPjGlA49ud=q#Dr3Fy^;<}bN>=x@8aP#!89xsZJgejW-IL( z4sS_@EXZ7Iu`N|o{`$ZiaC9Lyb>-bpgl4dW_M_@OHf`$=+k#5hxluiiJpSM})vX(N zf1*-~zlsnpgcF`y_C0Sr$cZ4Py^8&QdCE$L7-Kc&w_cSs>9C<G zA}rwW&<|5mwt~LpMLynvopu4&T8%5)*SH%mz7OLKmyJ59Vk>B<{Qa;LjUE638g5vk zD?a!>VRYZiSu#whWQ?$0STS!^bL6c6Akh7Kw2Vt$tXypi&pGh7c((RLkvwO$W)UZa zv$RvpkZYWcsvZiX#4T3YEGm?I51KFaH|&O9>V%haQHQ2Y@kG1Q`;~x6afvglh7#|7 z{pyY(p0-?g;ONIC?yDGRwt~RO?B+7*ULLFe8Zogbl=oPs8W2%(_Ua8lYl8}E@k(Y> zIP+6!jGsPyr)HUXWD(knw#L$WH%x;#eF5`Ty+5|LcBXp6M6BGVSb7tp51N)YuAGd)qbf E-{&W#*Z=?k literal 0 HcmV?d00001 diff --git a/webgoat-lessons/password-reset/src/main/resources/js/password-reset-simple.js b/webgoat-lessons/password-reset/src/main/resources/js/password-reset-simple.js new file mode 100644 index 000000000..0073c693b --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/js/password-reset-simple.js @@ -0,0 +1,10 @@ +$(document).ready(function() { + $('#olvidado').click(function(e) { + e.preventDefault(); + $('div#form-olvidado').toggle('500'); + }); + $('#acceso').click(function(e) { + e.preventDefault(); + $('div#form-olvidado').toggle('500'); + }); +}); \ No newline at end of file diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc new file mode 100644 index 000000000..46c8666ee --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc @@ -0,0 +1,17 @@ +== Creating the password reset link + +When creating a password reset link you need to make sure: + +- It is a unique link with a random token +- It can only be used once +- The link is only valid for one hour + +Send a link with a random token means an attacker cannot start a simple DOS attack to your website by starting to +block users. The link should not be used more then once which makes it impossible to change the password again. +The time out is necessary to restrict the attack window, having a link opens up a lot of possibilities for the attacker. + +== Assignment + +In this assignment Tom uses the password reset functionality, can you try to find a way to e-mail the password +reset link to your own inbox at user@webwolf.org. Use WebWolf to read the email and paste the token in the box +below. diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_known_questions.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_known_questions.adoc new file mode 100644 index 000000000..04d4690c9 --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_known_questions.adoc @@ -0,0 +1,23 @@ +== Security questions + +This has been an issue and still is for a lot of websites, when you lost your password the website will ask you +for a security question which you answered during the sign up process. Most of the time this list contains a fixed +number of question and which sometimes even have a limited set of answers. In order to use this functionality +a user should be able to select a question by itself and type in the answer as well. This way users will not share +the question which makes it more difficult for an attacker. + +One important thing to remember the answers to these security question(s) should be treated with the same level of +security which is applied for storing a password in a database. If the database leaks an attacker should not be able +to perform password reset based on the answer of the security question. + +Users share so much information on social media these days it becomes difficult to use security questions for password +resets, a good resource for security questions is: http://goodsecurityquestions.com/ + +== Assignment + +Users can retrieve their password if they can answer the secret question properly. There is no lock-out mechanism on +this 'Forgot Password' page. Your username is 'webgoat' and your favorite color is 'red'. The goal is to retrieve the +password of another user. + + + diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_password_reset_link.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_password_reset_link.adoc new file mode 100644 index 000000000..c7ba7dd90 --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_password_reset_link.adoc @@ -0,0 +1,3 @@ +== Password reset link + +Should be unique, do diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_plan.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_plan.adoc new file mode 100644 index 000000000..fac4211c0 --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_plan.adoc @@ -0,0 +1,22 @@ += Password reset + +== Concept + +This lesson teaches about password reset functionality which most of the time is an overlooked part of the application +leading to all kind of interesting logic flaws. + +== Goals + +Teach how to securely implement password reset functionality within your application. + +== Introduction + +Each and every one of us will have used the password reset functionality on websites before. Each website implements +this functionality in a different manner. On some site you have to answer some question on other sites an e-mail +with an activation link will be send to you. In this lesson we will go through some of the most common password +reset functionalities and show where it can go wrong. + +Still there are companies which will send the password in plaintext to a user in an e-mail. For a couple of examples +you can take a look at http://plaintextoffenders.com/ Here you will find website which still send you the plaintext +password in an e-mail. Not only this should make you question the security of the site but this also mean they store +your password in plaintext! \ No newline at end of file diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_simple.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_simple.adoc new file mode 100644 index 000000000..c3e051b13 --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_simple.adoc @@ -0,0 +1,6 @@ +== Email functionality with WebWolf + +Let's first do a simple assignment to make sure you are able to read e-mails with WebWolf, first start WebWolf (see http://) +In the reset page below send an e-mail to `username@webgoat.org` (part behind the @ is not important) +Open WebWolf and read the e-mail and login with your username and the password provided in the e-mail. + diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_wrong_message.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_wrong_message.adoc new file mode 100644 index 000000000..772eeb677 --- /dev/null +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_wrong_message.adoc @@ -0,0 +1,21 @@ +:half-size: width='20%' + +== Find out if account exists + +As stated before during a password reset often you will find a different message depending on whether an e-mail +address exists or not. By itself this might not look like a big deal but it can give an attacker information which +can be used in a phishing attack. If the attacker knows you have a registered account at a site, the attacker can +for example create a phishing mail and send it to the user. The user might be more tempted to click the e-mail because +the user has a valid account at the website. On the other hand for some websites this is not really important but +some website users would like some more privacy. + +The screenshots below are taken from a real website: + +image:images/reset2.png[align="top", {half-size}] +image:images/reset1.png[align="top", {half-size}] + +Below you see how Slack implemented the same two pages, no matter what e-mail address you enter the message will +be exactly the same: + +image:images/slack1.png[{half-size}] +image:images/slack2.png[{half-size}] diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index 63dca5f48..04ec10fda 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -33,6 +33,7 @@ auth-bypass missing-function-ac csrf + password-reset diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_challenge.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_challenge.adoc index 0fdb4f2d3..8a8a7ce78 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_challenge.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_challenge.adoc @@ -1,4 +1,6 @@ We now explained the basic steps involved in an SQL injection. In this assignment you will need to combine all the things we explained in the SQL lessons. +Goal: Can you login as Tom? + Have fun! \ No newline at end of file diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index 5bd46135d..1f44f04cd 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -190,6 +190,11 @@ missing-function-ac ${project.version} + + org.owasp.webgoat.lesson + password-reset + ${project.version} +