-
-
Notifications
You must be signed in to change notification settings - Fork 5.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
28 changed files
with
487 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> | ||
<modelVersion>4.0.0</modelVersion> | ||
<artifactId>auth-bypass</artifactId> | ||
<packaging>jar</packaging> | ||
<parent> | ||
<groupId>org.owasp.webgoat.lesson</groupId> | ||
<artifactId>webgoat-lessons-parent</artifactId> | ||
<version>8.0-SNAPSHOT</version> | ||
</parent> | ||
|
||
</project> |
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
69 changes: 69 additions & 0 deletions
69
...lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
package org.owasp.webgoat.plugin; | ||
|
||
import org.jcodings.util.Hash; | ||
import org.owasp.webgoat.session.UserSessionData; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
|
||
import java.util.HashMap; | ||
import java.util.Map; | ||
|
||
/** | ||
* Created by appsec on 7/18/17. | ||
*/ | ||
public class AccountVerificationHelper { | ||
|
||
|
||
|
||
//simulating database storage of verification credentials | ||
private static final Integer verifyUserId = new Integer(1223445); | ||
private static final Map<String,String> userSecQuestions = new HashMap<>(); | ||
static { | ||
userSecQuestions.put("secQuestion0","Dr. Watson"); | ||
userSecQuestions.put("secQuestion1","Baker Street"); | ||
} | ||
|
||
private static final Map<Integer,Map> secQuestionStore = new HashMap<>(); | ||
static { | ||
secQuestionStore.put(verifyUserId,userSecQuestions); | ||
} | ||
// end 'data store set up' | ||
|
||
// this is to aid feedback in the attack process and is not intended to be part of the 'vulnerable' code | ||
public boolean didUserLikelylCheat(HashMap<String,String> submittedAnswers) { | ||
boolean likely = false; | ||
|
||
if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) { | ||
likely = true; | ||
} | ||
|
||
if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) && | ||
(submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) ) { | ||
likely = true; | ||
} else { | ||
likely = false; | ||
} | ||
|
||
return likely; | ||
|
||
} | ||
//end of cheating check ... the method below is the one of real interest. Can you find the flaw? | ||
|
||
public boolean verifyAccount(Integer userId, HashMap<String,String> submittedQuestions ) { | ||
//short circuit if no questions are submitted | ||
if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) { | ||
return false; | ||
} | ||
|
||
if (submittedQuestions.containsKey("secQuestion0") && !submittedQuestions.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) { | ||
return false; | ||
} | ||
|
||
if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) { | ||
return false; | ||
} | ||
|
||
// else | ||
return true; | ||
|
||
} | ||
} |
65 changes: 65 additions & 0 deletions
65
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
package org.owasp.webgoat.plugin; | ||
|
||
import com.beust.jcommander.internal.Lists; | ||
import org.owasp.webgoat.lessons.Category; | ||
import org.owasp.webgoat.lessons.NewLesson; | ||
|
||
import java.util.List; | ||
|
||
/** | ||
* ************************************************************************************************ | ||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, | ||
* please see http://www.owasp.org/ | ||
* <p> | ||
* Copyright (c) 2002 - 20014 Bruce Mayhew | ||
* <p> | ||
* This program is free software; you can redistribute it and/or modify it under the terms of the | ||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the | ||
* License, or (at your option) any later version. | ||
* <p> | ||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without | ||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
* General Public License for more details. | ||
* <p> | ||
* You should have received a copy of the GNU General Public License along with this program; if | ||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||
* 02111-1307, USA. | ||
* <p> | ||
* Getting Source ============== | ||
* <p> | ||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software | ||
* projects. | ||
* <p> | ||
* | ||
* @author misfir3 | ||
* @version $Id: $Id | ||
* @since January 3, 2017 | ||
*/ | ||
public class AuthBypass extends NewLesson { | ||
|
||
@Override | ||
public Category getDefaultCategory() { | ||
return Category.AUTHENTICATION; | ||
} | ||
|
||
@Override | ||
public List<String> getHints() { | ||
return Lists.newArrayList(); | ||
} | ||
|
||
@Override | ||
public Integer getDefaultRanking() { | ||
return 30; | ||
} | ||
|
||
@Override | ||
public String getTitle() { | ||
return "auth-bypass.title"; | ||
} | ||
|
||
@Override | ||
public String getId() { | ||
return "AuthBypass"; | ||
} | ||
|
||
} |
80 changes: 80 additions & 0 deletions
80
webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
package org.owasp.webgoat.plugin; | ||
|
||
import com.google.common.collect.Lists; | ||
import org.jcodings.util.Hash; | ||
import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||
import org.owasp.webgoat.assignments.AssignmentHints; | ||
import org.owasp.webgoat.assignments.AssignmentPath; | ||
import org.owasp.webgoat.assignments.AttackResult; | ||
import org.owasp.webgoat.session.UserSessionData; | ||
import org.owasp.webgoat.session.WebSession; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
import org.springframework.web.bind.annotation.*; | ||
|
||
import javax.servlet.ServletException; | ||
import javax.servlet.http.HttpServletRequest; | ||
import javax.servlet.http.HttpServletResponse; | ||
import java.io.IOException; | ||
import java.util.Collections; | ||
import java.util.HashMap; | ||
import java.util.List; | ||
|
||
import java.util.Map; | ||
|
||
/** | ||
* Created by jason on 1/5/17. | ||
*/ | ||
|
||
@AssignmentPath("/auth-bypass/verify-account") | ||
@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"}) | ||
public class VerifyAccount extends AssignmentEndpoint { | ||
|
||
@Autowired | ||
private WebSession webSession; | ||
|
||
@Autowired | ||
UserSessionData userSessionData; | ||
|
||
@PostMapping(produces = {"application/json"}) | ||
@ResponseBody | ||
public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException { | ||
|
||
|
||
AccountVerificationHelper verificationHelper = new AccountVerificationHelper(); | ||
Map<String,String> submittedAnswers = parseSecQuestions(req); | ||
if (verificationHelper.didUserLikelylCheat((HashMap)submittedAnswers)) { | ||
return trackProgress(failed() | ||
.feedback("verify-account.cheated") | ||
.output("Yes, you guessed correcctly,but see the feedback message") | ||
.build()); | ||
} | ||
|
||
// else | ||
if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) { | ||
userSessionData.setValue("account-verified-id", userId); | ||
return trackProgress(success() | ||
.feedback("verify-account.success") | ||
.build()); | ||
} else { | ||
return trackProgress(failed() | ||
.feedback("verify-account.failed") | ||
.build()); | ||
} | ||
|
||
} | ||
|
||
private HashMap<String,String> parseSecQuestions (HttpServletRequest req) { | ||
|
||
Map <String,String> userAnswers = new HashMap<>(); | ||
List<String> paramNames = Collections.list(req.getParameterNames()); | ||
for (String paramName : paramNames) { | ||
//String paramName = req.getParameterNames().nextElement(); | ||
if (paramName.contains("secQuestion")) { | ||
userAnswers.put(paramName,req.getParameter(paramName)); | ||
} | ||
} | ||
return (HashMap)userAnswers; | ||
|
||
} | ||
|
||
} |
Binary file not shown.
Binary file not shown.
88 changes: 88 additions & 0 deletions
88
webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
<html xmlns:th="http://www.thymeleaf.org"> | ||
|
||
<div class="lesson-page-wrapper"> | ||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||
<div class="adoc-content" th:replace="doc:bypass-intro.adoc"></div> | ||
</div> | ||
|
||
<div class="lesson-page-wrapper"> | ||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> | ||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||
which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||
<div class="adoc-content" th:replace="doc:2fa-bypass.adoc"></div> | ||
<div class="attack-container"> | ||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> | ||
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> | ||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> | ||
|
||
<!-- modify the action to point to the intended endpoint and set other attributes as desired --> | ||
<script th:src="@{/lesson_js/bypass.js}" /> | ||
<form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form" | ||
method="POST" name="form" | ||
successCallback="onBypassResponse" | ||
action="/WebGoat/auth-bypass/verify-account" | ||
enctype="application/json;charset=UTF-8"> | ||
<p>Verify Your Account by answering the questions below:</p> | ||
|
||
<p>What is the name of your favorite teacher?</p> | ||
<input name="secQuestion0" value="" type="TEXT" /><br/> | ||
|
||
<p>What is the name of the street you grew up on?</p> | ||
<input name="secQuestion1" value="" type="TEXT" /><br/><br /> | ||
|
||
<input type="hidden" name="jsEnabled" value="1" /> | ||
<input type="hidden" name="verifyMethod" value="SEC_QUESTIONS" /> | ||
<input type="hidden" name="userId" value="12309746" /> | ||
|
||
<input name="submit" value="Submit" type="submit"/> | ||
|
||
</form> | ||
|
||
<form class="attack-form" accept-charset="UNKNOWN" id="change-password-form" | ||
method="POST" name="form" | ||
successCallback="onBypassResponse" | ||
action="/WebGoat/auth-bypass/verify-account" | ||
enctype="application/json;charset=UTF-8" | ||
style="display:none"><!-- start off hidden --> | ||
<p>Please provide a new password for your account</p> | ||
|
||
<p>Password:</p> | ||
<input name="newPassword" value="" type="password" /><br/> | ||
|
||
<p>Confirm Password:</p> | ||
<input name="newPasswordConfirm" value="" type="password" /><br/><br /> | ||
|
||
<input type="hidden" name="userId" value="12309746" /> | ||
|
||
<input name="submit" value="Submit" type="submit"/> | ||
|
||
</form> | ||
|
||
<!-- do not remove the two following div's, this is where your feedback/output will land --> | ||
<!-- the attack response will include a 'feedback' and that will automatically go here --> | ||
<div class="attack-feedback"></div> | ||
<!-- output is intended to be a simulation of what the screen would display in an attack --> | ||
<div class="attack-output"></div> | ||
</div> | ||
|
||
</div> | ||
|
||
<!--<div class="lesson-page-wrapper">--> | ||
<!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson --> | ||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, | ||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> | ||
<!--<div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>--> | ||
<!-- can use multiple adoc's in a page-wrapper if you want ... or not--> | ||
<!--<div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>--> | ||
|
||
<!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below --> | ||
|
||
<!--</div>--> | ||
|
||
<!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ... | ||
see other lessons for other more complex examples --> | ||
|
||
</html> |
11 changes: 11 additions & 0 deletions
11
webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
auth-bypass.title=Authentication Bypasses | ||
|
||
verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again. | ||
verify-account.failed=Not quite, please try again. | ||
verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password! | ||
auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same. | ||
auth-bypass.hints.verify.2=You do want to tamper the security question parameters, but not delete them | ||
auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation | ||
auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters? | ||
Binary file added
BIN
+200 KB
webgoat-lessons/auth-bypass/src/main/resources/images/firefox-proxy-config.png
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+125 KB
webgoat-lessons/auth-bypass/src/main/resources/images/paypal-2fa-bypass.png
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
15 changes: 15 additions & 0 deletions
15
webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
// need custom js for this? | ||
|
||
webgoat.customjs.onBypassResponse = function(data) { | ||
webgoat.customjs.jquery('#verify-account-form').hide(); | ||
webgoat.customjs.jquery('#change-password-form').show(); | ||
} | ||
|
||
var onViewProfile = function () { | ||
console.warn("on view profile activated") | ||
webgoat.customjs.jquery.ajax({ | ||
method: "GET", | ||
url: "/WebGoat/IDOR/profile", | ||
contentType: 'application/json; charset=UTF-8' | ||
}).then(webgoat.customjs.idorViewProfile); | ||
} |
Oops, something went wrong.