Initial commit for password reset lesson
This commit is contained in:
Nanne Baars
@ -0,0 +1,134 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:PasswordReset_plan.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:PasswordReset_simple.adoc"></div>
|
||||
|
||||
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
|
||||
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
|
||||
<script th:src="@{/lesson_js/password-reset-simple.js}" language="JavaScript"></script>
|
||||
<div class="attack-container">
|
||||
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST"
|
||||
action="/WebGoat/PasswordReset/simple-mail"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<div class="container-fluid">
|
||||
|
||||
<div class="row">
|
||||
|
||||
<div class="col-md-2">
|
||||
<h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i> Account
|
||||
Access</h4>
|
||||
<div style="padding: 20px;" id="form-olvidado">
|
||||
<fieldset>
|
||||
<div class="form-group input-group">
|
||||
<span class="input-group-addon">@</span>
|
||||
<input class="form-control" placeholder="Email" name="email" type="email"
|
||||
autofocus=""></input>
|
||||
</div>
|
||||
<div class="form-group input-group">
|
||||
<span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
|
||||
<input class="form-control" placeholder="Password" name="password"
|
||||
type="password" value=""/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<button type="submit" class="btn btn-primary btn-block">
|
||||
Access
|
||||
</button>
|
||||
<p class="help-block">
|
||||
<a class="pull-right text-muted" href="#" id="olvidado">
|
||||
<small>Forgot your password?</small>
|
||||
</a>
|
||||
</p>
|
||||
</div>
|
||||
</fieldset>
|
||||
|
||||
</div>
|
||||
<div style="display: none;" id="form-olvidado">
|
||||
<h4 class="">Forgot your password?</h4>
|
||||
|
||||
<fieldset>
|
||||
<span class="help-block">Please type your e-mail address</span>
|
||||
<div class="form-group input-group">
|
||||
<span class="input-group-addon">@</span>
|
||||
<input class="form-control" placeholder="test1233@webgoat.org" name="emailReset"
|
||||
type="email"/>
|
||||
</div>
|
||||
<button type="submit" class="btn btn-primary btn-block" id="btn-olvidado">Continue
|
||||
</button>
|
||||
<p class="help-block">
|
||||
<a class="text-muted" href="#" id="acceso">
|
||||
<small>Account Access</small>
|
||||
</a>
|
||||
</p>
|
||||
</fieldset>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
<br/>
|
||||
|
||||
<br/>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:PasswordReset_wrong_message.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:PasswordReset_known_questions.adoc"></div>
|
||||
|
||||
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
|
||||
<script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
|
||||
<script th:src="@{/lesson_js/password-reset-simple.js}" language="JavaScript"></script>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST"
|
||||
action="/WebGoat/PasswordReset/questions"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<div class="container-fluid">
|
||||
<div class="col-md-2">
|
||||
<article class="card-body">
|
||||
<a href="" class="float-right btn btn-outline-primary">Sign up</a>
|
||||
<a href="" class="float-right btn btn-outline-primary">Login</a>
|
||||
<h4 class="card-title mb-4 mt-1">WebGoat Password Recovery</h4>
|
||||
<form>
|
||||
<div class="form-group">
|
||||
<label>Your username</label>
|
||||
<input name="username" class="form-control" placeholder="Username" type="text"/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label>What is your favorite color?</label>
|
||||
<input class="form-control" placeholder="Answer security question" type="text" name="securityQuestion"/>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<button type="submit" class="btn btn-primary btn-block"> Submit</button>
|
||||
</div>
|
||||
</form>
|
||||
</article>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
</form>
|
||||
<br/>
|
||||
|
||||
<br/>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
</html>
|
||||
@ -0,0 +1,9 @@
|
||||
password-reset.title=Password reset
|
||||
|
||||
password-reset-simple.email_send=An email has been send to {0} please check your inbox.
|
||||
password-reset-simple.password_incorrect=Not the correct password please try again.
|
||||
password-reset-simple.email_failed=There was an error while sending the e-mail. Is WebWolf running?
|
||||
password-reset-simple.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username.
|
||||
|
||||
password-questions-wrong-user=You need to find a different user you are logging in with 'webgoat'.
|
||||
password-questions-unknown-user=User {0} is not a valid user.
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 23 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 20 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
@ -0,0 +1,10 @@
|
||||
$(document).ready(function() {
|
||||
$('#olvidado').click(function(e) {
|
||||
e.preventDefault();
|
||||
$('div#form-olvidado').toggle('500');
|
||||
});
|
||||
$('#acceso').click(function(e) {
|
||||
e.preventDefault();
|
||||
$('div#form-olvidado').toggle('500');
|
||||
});
|
||||
});
|
||||
@ -0,0 +1,17 @@
|
||||
== Creating the password reset link
|
||||
|
||||
When creating a password reset link you need to make sure:
|
||||
|
||||
- It is a unique link with a random token
|
||||
- It can only be used once
|
||||
- The link is only valid for one hour
|
||||
|
||||
Send a link with a random token means an attacker cannot start a simple DOS attack to your website by starting to
|
||||
block users. The link should not be used more then once which makes it impossible to change the password again.
|
||||
The time out is necessary to restrict the attack window, having a link opens up a lot of possibilities for the attacker.
|
||||
|
||||
== Assignment
|
||||
|
||||
In this assignment Tom uses the password reset functionality, can you try to find a way to e-mail the password
|
||||
reset link to your own inbox at user@webwolf.org. Use WebWolf to read the email and paste the token in the box
|
||||
below.
|
||||
@ -0,0 +1,23 @@
|
||||
== Security questions
|
||||
|
||||
This has been an issue and still is for a lot of websites, when you lost your password the website will ask you
|
||||
for a security question which you answered during the sign up process. Most of the time this list contains a fixed
|
||||
number of question and which sometimes even have a limited set of answers. In order to use this functionality
|
||||
a user should be able to select a question by itself and type in the answer as well. This way users will not share
|
||||
the question which makes it more difficult for an attacker.
|
||||
|
||||
One important thing to remember the answers to these security question(s) should be treated with the same level of
|
||||
security which is applied for storing a password in a database. If the database leaks an attacker should not be able
|
||||
to perform password reset based on the answer of the security question.
|
||||
|
||||
Users share so much information on social media these days it becomes difficult to use security questions for password
|
||||
resets, a good resource for security questions is: http://goodsecurityquestions.com/
|
||||
|
||||
== Assignment
|
||||
|
||||
Users can retrieve their password if they can answer the secret question properly. There is no lock-out mechanism on
|
||||
this 'Forgot Password' page. Your username is 'webgoat' and your favorite color is 'red'. The goal is to retrieve the
|
||||
password of another user.
|
||||
|
||||
|
||||
|
||||
@ -0,0 +1,3 @@
|
||||
== Password reset link
|
||||
|
||||
Should be unique, do
|
||||
@ -0,0 +1,22 @@
|
||||
= Password reset
|
||||
|
||||
== Concept
|
||||
|
||||
This lesson teaches about password reset functionality which most of the time is an overlooked part of the application
|
||||
leading to all kind of interesting logic flaws.
|
||||
|
||||
== Goals
|
||||
|
||||
Teach how to securely implement password reset functionality within your application.
|
||||
|
||||
== Introduction
|
||||
|
||||
Each and every one of us will have used the password reset functionality on websites before. Each website implements
|
||||
this functionality in a different manner. On some site you have to answer some question on other sites an e-mail
|
||||
with an activation link will be send to you. In this lesson we will go through some of the most common password
|
||||
reset functionalities and show where it can go wrong.
|
||||
|
||||
Still there are companies which will send the password in plaintext to a user in an e-mail. For a couple of examples
|
||||
you can take a look at http://plaintextoffenders.com/ Here you will find website which still send you the plaintext
|
||||
password in an e-mail. Not only this should make you question the security of the site but this also mean they store
|
||||
your password in plaintext!
|
||||
@ -0,0 +1,6 @@
|
||||
== Email functionality with WebWolf
|
||||
|
||||
Let's first do a simple assignment to make sure you are able to read e-mails with WebWolf, first start WebWolf (see http://)
|
||||
In the reset page below send an e-mail to `username@webgoat.org` (part behind the @ is not important)
|
||||
Open WebWolf and read the e-mail and login with your username and the password provided in the e-mail.
|
||||
|
||||
@ -0,0 +1,21 @@
|
||||
:half-size: width='20%'
|
||||
|
||||
== Find out if account exists
|
||||
|
||||
As stated before during a password reset often you will find a different message depending on whether an e-mail
|
||||
address exists or not. By itself this might not look like a big deal but it can give an attacker information which
|
||||
can be used in a phishing attack. If the attacker knows you have a registered account at a site, the attacker can
|
||||
for example create a phishing mail and send it to the user. The user might be more tempted to click the e-mail because
|
||||
the user has a valid account at the website. On the other hand for some websites this is not really important but
|
||||
some website users would like some more privacy.
|
||||
|
||||
The screenshots below are taken from a real website:
|
||||
|
||||
image:images/reset2.png[align="top", {half-size}]
|
||||
image:images/reset1.png[align="top", {half-size}]
|
||||
|
||||
Below you see how Slack implemented the same two pages, no matter what e-mail address you enter the message will
|
||||
be exactly the same:
|
||||
|
||||
image:images/slack1.png[{half-size}]
|
||||
image:images/slack2.png[{half-size}]
|
||||
Reference in New Issue
Block a user