Initial commit for password reset lesson
@ -0,0 +1,17 @@
== Creating the password reset link

When creating a password reset link you need to make sure:

- It is a unique link with a random token
- It can only be used once
- The link is only valid for one hour

Send a link with a random token means an attacker cannot start a simple DOS attack to your website by starting to
block users. The link should not be used more then once which makes it impossible to change the password again.
The time out is necessary to restrict the attack window, having a link opens up a lot of possibilities for the attacker.

== Assignment

In this assignment Tom uses the password reset functionality, can you try to find a way to e-mail the password
reset link to your own inbox at user@webwolf.org. Use WebWolf to read the email and paste the token in the box
below.
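Review bot: the rationale paragraph under the three bullets attributes the wrong property to the random token: "Send a link with a random token means an attacker cannot start a simple DOS attack to your website by starting to block users" conflates unguessability with denial of service. A random, unguessable token stops an attacker from guessing or forging another user's reset link; the lock-out problem is only avoided if the current password stays valid until the link is actually used, and the text should say that explicitly. Suggest: "Use a random, unguessable token so a link cannot be forged for another user, and keep the old password valid until the link is used, otherwise anyone who can request a reset can lock users out." The single-use sentence needs "more than once", and its consequence reads backwards: the point is that a link which has already been used cannot be replayed to change the password again. The Assignment sentence is a comma splice; end it with a question mark or split it in two.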
@ -0,0 +1,23 @@
== Security questions

This has been an issue and still is for a lot of websites, when you lost your password the website will ask you
for a security question which you answered during the sign up process. Most of the time this list contains a fixed
number of question and which sometimes even have a limited set of answers. In order to use this functionality
a user should be able to select a question by itself and type in the answer as well. This way users will not share
the question which makes it more difficult for an attacker.

One important thing to remember the answers to these security question(s) should be treated with the same level of
security which is applied for storing a password in a database. If the database leaks an attacker should not be able
to perform password reset based on the answer of the security question.

Users share so much information on social media these days it becomes difficult to use security questions for password
resets, a good resource for security questions is: http://goodsecurityquestions.com/

== Assignment

Users can retrieve their password if they can answer the secret question properly. There is no lock-out mechanism on
this 'Forgot Password' page. Your username is 'webgoat' and your favorite color is 'red'. The goal is to retrieve the
password of another user.
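Review bot: "Users can retrieve their password if they can answer the secret question properly" in the Assignment says the password itself is handed back, which the Introduction added in this same commit calls out as a sign the site stores passwords recoverably; if the assignment deliberately models that weakness, say so in the text, otherwise change "retrieve" to "reset". In the first paragraph "a user should be able to select a question by itself" should read "users should be able to write their own question", and since the closing paragraph concedes that social-media oversharing makes answers discoverable, the section should state plainly that a security question must not be the only thing gating a reset (the Assignment itself shows a fixed, low-entropy answer being brute-forced because there is no lock-out). Grammar: "a fixed number of question and which sometimes even have a limited set of answers" -> "a fixed number of questions, sometimes with a limited set of answers".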
@ -0,0 +1,3 @@
== Password reset link

Should be unique, do
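Review bot: this file ends mid-sentence ("Should be unique, do") and its heading covers the same ground as "Creating the password reset link" elsewhere in this commit; either finish it or drop it from the commit so a half-written page does not ship with the lesson.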
@ -0,0 +1,22 @@
= Password reset

== Concept

This lesson teaches about password reset functionality which most of the time is an overlooked part of the application
leading to all kind of interesting logic flaws.

== Goals

Teach how to securely implement password reset functionality within your application.

== Introduction

Each and every one of us will have used the password reset functionality on websites before. Each website implements
this functionality in a different manner. On some site you have to answer some question on other sites an e-mail
with an activation link will be send to you. In this lesson we will go through some of the most common password
reset functionalities and show where it can go wrong.

Still there are companies which will send the password in plaintext to a user in an e-mail. For a couple of examples
you can take a look at http://plaintextoffenders.com/ Here you will find website which still send you the plaintext
password in an e-mail. Not only this should make you question the security of the site but this also mean they store
your password in plaintext!
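Review bot: the last paragraph overstates what a plaintext-password e-mail proves: "this also mean they store your password in plaintext" should say the password is stored in a recoverable form (plaintext or reversible encryption) rather than hashed, which is the actual problem. Spelling and grammar in the Introduction: "an activation link will be send" -> "sent"; "On some site you have to answer some question on other sites" -> "On some sites you have to answer a question, on others"; "Here you will find website which" -> "websites which"; "Not only this should make you" -> "Not only should this make you"; "all kind of interesting logic flaws" -> "all kinds of".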
@ -0,0 +1,6 @@
== Email functionality with WebWolf

Let's first do a simple assignment to make sure you are able to read e-mails with WebWolf, first start WebWolf (see http://)
In the reset page below send an e-mail to `username@webgoat.org` (part behind the @ is not important)
Open WebWolf and read the e-mail and login with your username and the password provided in the e-mail.
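Review bot: "first start WebWolf (see http://)" has an empty URL placeholder; fill in the WebWolf link before merging or remove the parenthetical. The mail domain also differs from the other assignment in this commit: here it is `username@webgoat.org`, in the reset-link assignment it is user@webwolf.org; the note "(part behind the @ is not important)" helps, but pick one domain so learners do not wonder whether the difference matters. Finally, the exercise has the user "login with your username and the password provided in the e-mail", which is exactly the pattern the Introduction criticises; a sentence saying this is deliberate, only to test the mail flow, would avoid the contradiction.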
@ -0,0 +1,21 @@
:half-size: width='20%'

== Find out if account exists

As stated before during a password reset often you will find a different message depending on whether an e-mail
address exists or not. By itself this might not look like a big deal but it can give an attacker information which
can be used in a phishing attack. If the attacker knows you have a registered account at a site, the attacker can
for example create a phishing mail and send it to the user. The user might be more tempted to click the e-mail because
the user has a valid account at the website. On the other hand for some websites this is not really important but
some website users would like some more privacy.

The screenshots below are taken from a real website:

image:images/reset2.png[align="top", {half-size}]
image:images/reset1.png[align="top", {half-size}]

Below you see how Slack implemented the same two pages, no matter what e-mail address you enter the message will
be exactly the same:

image:images/slack1.png[{half-size}]
image:images/slack2.png[{half-size}]
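Review bot: "As stated before during a password reset often you will find a different message depending on whether an e-mail address exists or not" refers to an earlier statement that does not exist in the lesson files added here; either add that point to the Introduction or drop "As stated before". The section frames the leak only as a phishing aid; the Security questions assignment in this same commit brute-forces a reset for a known username with no lock-out, so account enumeration also hands an attacker the username list for that attack and it is worth saying so. The Slack contrast is good; the two unnamed "real website" screenshots should either name the site or say it was anonymised. Grammar: "some website users would like some more privacy" -> "on some websites users expect more privacy".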