Working last password assignment
nbaars committed May 26, 2018
1 parent f8a7a61 commit 6e003bc
Showing 10 changed files with 85 additions and 93 deletions.
Expand Up @@ -22,8 +22,7 @@ challenge.flag.incorrect=Sorry this is not the correct flag, please try again.

ip.address.unknown=IP address unknown, e-mail has been sent.

login_failed=Login failed
login_failed.tom=Sorry only Tom can login at the moment


required4=Missing username or password, please specify both.
user.not.larry=Please try to log in as Larry not {0}.
Expand Up @@ -6,7 +6,7 @@
import java.util.ArrayList;
import java.util.List;

public class PasswordReset extends NewLesson {
public class PasswordReset extends NewLesson {
@Override
public Category getDefaultCategory() {
return Category.AUTHENTICATION;
@@ -1,4 +1,4 @@
package org.owasp.webgoat.plugin.questions;
package org.owasp.webgoat.plugin;

import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
@@ -1,11 +1,13 @@
package org.owasp.webgoat.plugin.resetlink;
package org.owasp.webgoat.plugin;

import com.google.common.collect.EvictingQueue;
import com.google.common.collect.Maps;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.plugin.PasswordResetEmail;
import org.owasp.webgoat.plugin.resetlink.PasswordChangeForm;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
Expand All @@ -27,6 +29,7 @@
* @since 8/20/17.
*/
@AssignmentPath("/PasswordReset/reset")
@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5"})
public class ResetLinkAssignment extends AssignmentEndpoint {

private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
Expand All @@ -46,12 +49,10 @@ public class ResetLinkAssignment extends AssignmentEndpoint {

private final RestTemplate restTemplate;
private final String webWolfMailURL;
private final String webwolfLandingURL;

public ResetLinkAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfMailURL, @Value("${webwolf.url.landingpage}") String webwolfLandingURL) {
public ResetLinkAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfMailURL) {
this.restTemplate = restTemplate;
this.webWolfMailURL = webWolfMailURL;
this.webwolfLandingURL = webwolfLandingURL;
}

@RequestMapping(method = POST, value = "/create-password-reset-link")
Expand All @@ -63,7 +64,7 @@ public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServle
if (org.springframework.util.StringUtils.hasText(email)) {
if (email.equals(TOM_EMAIL) && host.contains("8081")) { //User indeed changed the host header.
userToTomResetLink.put(getWebSession().getUserName(), resetLink);
fakeClickingLinkEmail(cookie, host, resetLink);
fakeClickingLinkEmail(host, resetLink);
} else {
sendMailToUser(email, host, resetLink);
}
Expand All @@ -88,7 +89,7 @@ private void sendMailToUser(@RequestParam String email, String host, String rese
* which user we need to trace the incoming request. In normal situation this HOST will be in your
* full control so every incoming request would be valid.
*/
private void fakeClickingLinkEmail(String cookie, String host, String resetLink) {
private void fakeClickingLinkEmail(String host, String resetLink) {
try {
HttpHeaders httpHeaders = new HttpHeaders();
HttpEntity httpEntity = new HttpEntity(httpHeaders);
Expand All @@ -104,12 +105,12 @@ public AttackResult login(@RequestParam String password, @RequestParam String em
if (TOM_EMAIL.equals(email)) {
String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
if (passwordTom.equals(PASSWORD_TOM_9)) {
return failed().feedback("login_failed").build();
return trackProgress(failed().feedback("login_failed").build());
} else if (passwordTom.equals(password)) {
return success().feedback("challenge.solved").feedbackArgs("test").build();
return trackProgress(success().build());
}
}
return failed().feedback("login_failed.tom").build();
return trackProgress(failed().feedback("login_failed.tom").build());
}

@GetMapping("/reset-password/{link}")
Expand All @@ -124,7 +125,6 @@ public String resetPassword(@PathVariable(value = "link") String link, Model mod
}
}


@PostMapping("/change-password")
public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
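Review bot: In sendPasswordResetLink the branch `email.equals(TOM_EMAIL) && host.contains("8081")` decides on a literal port fragment of the request's Host value, so any host string that merely contains 8081 takes the Tom path and a WebWolf instance configured on another port never does. Since this commit narrows the constructor to `webWolfMailURL`, I would derive the expected host from that configured value instead of the literal; the method starts outside the hunk, so how `host` is read is not visible here. I would also extend the existing comment to `// Intentional lesson flaw: the reset link follows the client-supplied Host header; real code must use a configured base URL.` so the pattern is not copied into production code. The Javadoc above fakeClickingLinkEmail is only partly shown and may still describe the removed `cookie` argument, so it should be checked against the new signature.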
@@ -1,4 +1,4 @@
package org.owasp.webgoat.plugin.simple;
package org.owasp.webgoat.plugin;

import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
Expand All @@ -24,6 +24,7 @@
* @since 8/20/17.
*/
@AssignmentPath("/PasswordReset/simple-mail")

public class SimpleMailAssignment extends AssignmentEndpoint {

private final String webWolfURL;
Expand Up @@ -137,95 +137,85 @@ <h4 class="card-title mb-4 mt-1">WebGoat Password Recovery</h4>
<img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>

<div class="container-fluid">
<div class="row">
<div class="col-md-3">
<h4 style="border-bottom: 1px solid #c5c5c5;">
<i class="glyphicon glyphicon-user"></i>
Account Access
</h4>
<div style="padding: 20px;" id="password-login">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/PasswordReset/reset/login"
enctype="application/json;charset=UTF-8" role="form">
<fieldset>
<div class="form-group input-group">
<span class="input-group-addon"> @ </span>
<input class="form-control" placeholder="Email" name="email" type="email"
required="" autofocus=""/>
</div>
<div class="form-group input-group">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST"
action="/WebGoat/PasswordReset/reset/login"
enctype="application/json;charset=UTF-8">
<div class="container-fluid">
<div class="row">
<div class="col-md-3">
<h4 style="border-bottom: 1px solid #c5c5c5;">
<i class="glyphicon glyphicon-user"></i>
Account Access
</h4>
<div style="padding: 20px;" id="password-login">
<form id="login-form" class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/PasswordReset/reset/login"
enctype="application/json;charset=UTF-8" role="form">
<fieldset>
<div class="form-group input-group">
<span class="input-group-addon"> @ </span>
<input class="form-control" placeholder="Email" name="email" type="email"
required="" autofocus=""/>
</div>
<div class="form-group input-group">
<span class="input-group-addon">
<i class="glyphicon glyphicon-lock">
</i>
</span>
<input class="form-control" placeholder="Password" name="password" type="password"
value="" required=""/>
</div>
<div class="form-group">
<button type="submit" class="btn btn-primary btn-block">
Access
</button>
<p class="help-block">
<a class="pull-right text-muted" href="#" onclick="showPasswordReset()">
<small>Forgot your password?</small>
</a>
</p>
</div>
</fieldset>
</form>
</div>
<div style="display: none;" id="password-reset">
<h4 class="">
Forgot your password?
</h4>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/PasswordReset/reset/create-password-reset-link"
enctype="application/json;charset=UTF-8" role="form">
<fieldset>
<input class="form-control" placeholder="Password" name="password"
type="password"
value="" required=""/>
</div>
<div class="form-group">
<button type="submit" class="btn btn-primary btn-block">
Access
</button>
<p class="help-block">
<a class="pull-right text-muted" href="#" onclick="showPasswordReset()">
<small>Forgot your password?</small>
</a>
</p>
</div>
</fieldset>
</form>
</div>
<div style="display: none;" id="password-reset">
<h4 class="">
Forgot your password?
</h4>
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
action="/WebGoat/PasswordReset/reset/create-password-reset-link"
enctype="application/json;charset=UTF-8" role="form">
<fieldset>
<span class="help-block">
Email address you use to log in to your account
<br/>
We'll send you an email with instructions to choose a new password.
</span>
<div class="form-group input-group">
<div class="form-group input-group">
<span class="input-group-addon">
@
</span>
<input class="form-control" placeholder="Email" name="email" type="email"
required=""/>
</div>
<button type="submit" class="btn btn-primary btn-block" id="btn-login">
Continue
</button>
<p class="help-block">
<a class="text-muted" href="#" onclick="showPassword()">
<small>Account Access</small>
</a>
</p>
</fieldset>
</form>
<input class="form-control" placeholder="Email" name="email" type="email"
required=""/>
</div>
<button type="submit" class="btn btn-primary btn-block" id="btn-login">
Continue
</button>
<p class="help-block">
<a class="text-muted" href="#" onclick="showPassword()">
<small>Account Access</small>
</a>
</p>
</fieldset>
</form>
</div>
</div>
</div>
</div>
</div>

<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="flag" name="flag"
placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit flag</button>
</div>
</div>

</form>

<br/>
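Review bot: The new outer `<form class="attack-form" … action="/WebGoat/PasswordReset/reset/login">` appears to wrap the existing `login-form` and the create-password-reset-link form, which nests one form inside another; the rendering has lost the +/- markers, so this reading is inferred from the duplicated blocks. HTML does not allow a form inside a form and parsers ignore the inner start tag, so which action a submit button posts to then depends on parser recovery rather than on the markup. I would keep a single level, for example dropping the wrapper and leaving `<form id="login-form" …>` and the reset form as siblings inside `<div class="col-md-3">`. The balance of the closing `</form>` and `</div>` tags is hard to confirm from this view and should be checked in the full file.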
Expand Up @@ -16,4 +16,6 @@ password-reset-hint1=Try to send a password reset link to your own account at {u
password-reset-hint2=Look at the link, can you think how the server creates this link?
password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:8081
password-reset-hint5=Intercept the request and change the host header
password-reset-hint5=Intercept the request and change the host header
login_failed=Login failed
login_failed.tom=Sorry only Tom can login at the moment
Expand Up @@ -14,5 +14,5 @@ The time out is necessary to restrict the attack window, having a link opens up

Tom always resets his password immediately after receiving the email with the link.
Try to reset the password of Tom ([email protected]) to your own choice and login as Tom with
that password. If you did submit is in the e-mail address and submit again.
that password.

Expand Up @@ -21,7 +21,7 @@
@AssignmentPath("/WebWolf/landing")
public class LandingAssignment extends AssignmentEndpoint {

@Value("${webworf.url.landingpage}")
@Value("${webwolf.url.landingpage}")
private String landingPageUrl;

@PostMapping
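Review bot: `landingPageUrl` stays a field-injected, non-final `@Value`, while ResetLinkAssignment in this same commit receives `@Value("${webwolf.url.mail}")` through its constructor into a `final` field. Using the same style here, `public LandingAssignment(@Value("${webwolf.url.landingpage}") String landingPageUrl)`, keeps the endpoint immutable and lets a test construct it without a Spring context. The class body continues outside the hunk, so any other injected fields are not visible.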
Expand Up @@ -20,7 +20,7 @@
public class WebWolfTraceRepository implements TraceRepository {

private final EvictingQueue<Trace> traces = EvictingQueue.create(10000);
private List<String> exclusionList = Lists.newArrayList("/WebWolf/mail","/WebWolf/files", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/");
private List<String> exclusionList = Lists.newArrayList("/WebWolf/home", "/WebWolf/mail","/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail");

@Override
public List<Trace> findAll() {
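Review bot: The widened `exclusionList` now mixes full paths (`/WebWolf/mail`) with short fragments (`/mail`, `/images/`, `/login`), and the code that matches a request against it is outside this hunk. If that match is a substring test, `/mail` already covers `/WebWolf/mail` and would also drop any traced request whose path merely contains `/mail`, which can hide requests a user expects to see in the trace view. I would add a comment above the field stating the matching rule, e.g. `// Paths excluded from tracing; compared with <rule> against the request path`, and declare the list `private static final` and unmodifiable, assuming nothing outside the hunk mutates it.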
