Initial commit for password reset lesson

webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java

@@ -48,7 +48,7 @@ public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
 
 	@RequestMapping(method = RequestMethod.GET)
 	public @ResponseBody
-	AttackResult completed(HttpServletRequest request) throws IOException {
+	AttackResult completed(HttpServletRequest request) {
 		String header = null;
 		String param = null;
 		if (request != null && (header = request.getHeader("x-request-intercepted")) != null

webgoat-lessons/password-reset/pom.xml

@@ -0,0 +1,21 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>password-reset</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>v8.0.0.M14</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <version>4.1.3.RELEASE</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordReset.java

@@ -0,0 +1,34 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class PasswordReset  extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.AUTHENTICATION;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return new ArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 10;
+    }
+
+    @Override
+    public String getTitle() {
+        return "password-reset.title";
+    }
+
+    @Override
+    public String getId() {
+        return "PasswordReset";
+    }
+}

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/PasswordResetEmail.java

@@ -0,0 +1,18 @@
+package org.owasp.webgoat.plugin;
+
+import lombok.Builder;
+import lombok.Data;
+
+import java.io.Serializable;
+import java.time.LocalDateTime;
+
+@Builder
+@Data
+public class PasswordResetEmail implements Serializable {
+
+    private LocalDateTime time;
+    private String contents;
+    private String sender;
+    private String title;
+    private String recipient;
+}

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/questions/QuestionsAssignment.java

@@ -0,0 +1,55 @@
+package org.owasp.webgoat.plugin.questions;
+
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.plugin.PasswordResetEmail;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.client.RestClientException;
+import org.springframework.web.client.RestTemplate;
+
+import java.time.LocalDateTime;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author nbaars
+ * @since 8/20/17.
+ */
+@AssignmentPath("/PasswordReset/questions")
+public class QuestionsAssignment extends AssignmentEndpoint {
+
+    private final static Map<String, String> COLORS = new HashMap<>();
+
+    static {
+        COLORS.put("admin", "green");
+        COLORS.put("jerry", "orange");
+        COLORS.put("tom", "purple");
+        COLORS.put("larry", "yellow");
+        COLORS.put("webgoat", "red");
+    }
+
+    @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
+    @ResponseBody
+    public AttackResult passwordReset(@RequestParam Map<String, Object> json) {
+        String securityQuestion = (String) json.getOrDefault("securityQuestion", "");
+        String username = (String) json.getOrDefault("username", "");
+
+        if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
+            return trackProgress(failed().feedback("password-questions-wrong-user").build());
+        }
+
+        String validAnswer = COLORS.get(username.toLowerCase());
+        if (validAnswer == null) {
+            return trackProgress(failed().feedback("password-questions-unknown-user").feedbackArgs(username).build());
+        } else if (validAnswer.equals(securityQuestion)) {
+            return trackProgress(success().build());
+        }
+        return trackProgress(failed().build());
+    }
+}

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/simple/SimpleMailAssignment.java

@@ -0,0 +1,82 @@
+package org.owasp.webgoat.plugin.simple;
+
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.plugin.PasswordResetEmail;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.client.RestClientException;
+import org.springframework.web.client.RestTemplate;
+
+import java.time.LocalDateTime;
+import java.util.Map;
+import java.util.Optional;
+
+import static java.util.Optional.ofNullable;
+
+/**
+ * @author nbaars
+ * @since 8/20/17.
+ */
+@AssignmentPath("/PasswordReset/simple-mail")
+public class SimpleMailAssignment extends AssignmentEndpoint {
+
+    private final String webWolfURL;
+    private RestTemplate restTemplate;
+
+    public SimpleMailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) {
+        this.restTemplate = restTemplate;
+        this.webWolfURL = webWolfURL;
+    }
+
+    @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
+    @ResponseBody
+    public AttackResult sendEmail(@RequestParam Map<String, Object> json) {
+        String email = (String) json.get("emailReset");
+        if (StringUtils.isEmpty(email)) {
+            email = (String) json.getOrDefault("email", "[email protected]");
+        }
+        String password = (String) json.getOrDefault("password", "");
+        int index = email.indexOf("@");
+        String username = email.substring(0, index == -1 ? email.length() : index);
+
+        if (StringUtils.isEmpty(password)) {
+            return sendEmail(username, email);
+        } else {
+            return checkPassword(password, username);
+        }
+    }
+
+    private AttackResult checkPassword(String password, String username) {
+        if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) {
+            return trackProgress(success().build());
+        } else {
+            return trackProgress(failed().feedbackArgs("password-reset-simple.password_incorrect").build());
+        }
+    }
+
+    private AttackResult sendEmail(String username, String email) {
+        if (username.equals(getWebSession().getUserName())) {
+            PasswordResetEmail mailEvent = PasswordResetEmail.builder()
+                    .recipient(username)
+                    .title("Simple e-mail assignment")
+                    .time(LocalDateTime.now())
+                    .contents("Thanks your resetting your password, your new password is: " + StringUtils.reverse(username))
+                    .sender("[email protected]")
+                    .build();
+            try {
+                restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
+            } catch (RestClientException e) {
+                return informationMessage().feedback("password-reset-simple.email_failed").output(e.getMessage()).build();
+            }
+            return informationMessage().feedback("password-reset-simple.email_send").feedbackArgs(email).build();
+        } else {
+            return informationMessage().feedback("password-reset-simple.email_mismatch").feedbackArgs(username).build();
+        }
+    }
+}

webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html

@@ -0,0 +1,134 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:PasswordReset_plan.adoc"></div>
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:PasswordReset_simple.adoc"></div>
+
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
+    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/password-reset-simple.js}" language="JavaScript"></script>
+    <div class="attack-container">
+        <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST"
+              action="/WebGoat/PasswordReset/simple-mail"
+              enctype="application/json;charset=UTF-8">
+            <div class="container-fluid">
+
+                <div class="row">
+
+                    <div class="col-md-2">
+                        <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i> Account
+                            Access</h4>
+                        <div style="padding: 20px;" id="form-olvidado">
+                            <fieldset>
+                                <div class="form-group input-group">
+                                    <span class="input-group-addon">@</span>
+                                    <input class="form-control" placeholder="Email" name="email" type="email"
+                                           autofocus=""></input>
+                                </div>
+                                <div class="form-group input-group">
+                                    <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
+                                    <input class="form-control" placeholder="Password" name="password"
+                                           type="password" value=""/>
+                                </div>
+                                <div class="form-group">
+                                    <button type="submit" class="btn btn-primary btn-block">
+                                        Access
+                                    </button>
+                                    <p class="help-block">
+                                        <a class="pull-right text-muted" href="#" id="olvidado">
+                                            <small>Forgot your password?</small>
+                                        </a>
+                                    </p>
+                                </div>
+                            </fieldset>
+
+                        </div>
+                        <div style="display: none;" id="form-olvidado">
+                            <h4 class="">Forgot your password?</h4>
+
+                            <fieldset>
+                                <span class="help-block">Please type your e-mail address</span>
+                                <div class="form-group input-group">
+                                    <span class="input-group-addon">@</span>
+                                    <input class="form-control" placeholder="[email protected]" name="emailReset"
+                                           type="email"/>
+                                </div>
+                                <button type="submit" class="btn btn-primary btn-block" id="btn-olvidado">Continue
+                                </button>
+                                <p class="help-block">
+                                    <a class="text-muted" href="#" id="acceso">
+                                        <small>Account Access</small>
+                                    </a>
+                                </p>
+                            </fieldset>
+
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </form>
+        <br/>
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:PasswordReset_wrong_message.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:PasswordReset_known_questions.adoc"></div>
+
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
+    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/password-reset-simple.js}" language="JavaScript"></script>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST"
+              action="/WebGoat/PasswordReset/questions"
+              enctype="application/json;charset=UTF-8">
+            <div class="container-fluid">
+                <div class="col-md-2">
+                    <article class="card-body">
+                        <a href="" class="float-right btn btn-outline-primary">Sign up</a>
+                        <a href="" class="float-right btn btn-outline-primary">Login</a>
+                        <h4 class="card-title mb-4 mt-1">WebGoat Password Recovery</h4>
+                        <form>
+                            <div class="form-group">
+                                <label>Your username</label>
+                                <input name="username" class="form-control" placeholder="Username" type="text"/>
+                            </div>
+                            <div class="form-group">
+                                <label>What is your favorite color?</label>
+                                <input class="form-control" placeholder="Answer security question" type="text" name="securityQuestion"/>
+                            </div>
+                            <div class="form-group">
+                                <button type="submit" class="btn btn-primary btn-block"> Submit</button>
+                            </div>
+                        </form>
+                    </article>
+                </div>
+            </div>
+
+        </form>
+        <br/>
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
+
+</html>

webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties

@@ -0,0 +1,9 @@
+password-reset.title=Password reset
+
+password-reset-simple.email_send=An email has been send to {0} please check your inbox.
+password-reset-simple.password_incorrect=Not the correct password please try again.
+password-reset-simple.email_failed=There was an error while sending the e-mail. Is WebWolf running?
+password-reset-simple.email_mismatch=Of course you can send mail to user {0} however you will not be able to read this e-mail in WebWolf, please use your own username.
+
+password-questions-wrong-user=You need to find a different user you are logging in with 'webgoat'.
+password-questions-unknown-user=User {0} is not a valid user.

webgoat-lessons/password-reset/src/main/resources/js/password-reset-simple.js

@@ -0,0 +1,10 @@
+$(document).ready(function() {
+    $('#olvidado').click(function(e) {
+        e.preventDefault();
+        $('div#form-olvidado').toggle('500');
+    });
+    $('#acceso').click(function(e) {
+        e.preventDefault();
+        $('div#form-olvidado').toggle('500');
+    });
+});