submittedQuestions ) {
+ //short circuit if no questions are submitted
+ if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
+ return false;
+ }
+
+ if (submittedQuestions.containsKey("secQuestion0") && !submittedQuestions.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
+ return false;
+ }
+
+ if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
+ return false;
+ }
+
+ // else
+ return true;
+
+ }
+}
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java
new file mode 100644
index 0000000000..3588303c41
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java
@@ -0,0 +1,65 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author misfir3
+ * @version $Id: $Id
+ * @since January 3, 2017
+ */
+public class AuthBypass extends NewLesson {
+
+ @Override
+ public Category getDefaultCategory() {
+ return Category.AUTHENTICATION;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 30;
+ }
+
+ @Override
+ public String getTitle() {
+ return "auth-bypass.title";
+ }
+
+ @Override
+ public String getId() {
+ return "AuthBypass";
+ }
+
+}
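Review bot: `getHints()` on the `public List getHints()` line builds its result from `com.beust.jcommander.internal.Lists`, an internal package of the JCommander CLI library that is not meant as a public API, while the sibling `VerifyAccount` added in this same commit imports Guava's `com.google.common.collect.Lists`; one lesson should not pull in a second library for an empty list. Switching the import to the Guava class, or returning `java.util.Collections.emptyList()`, removes the stray dependency, and the return type can be `List<String>` if `NewLesson` declares it generically (the `JWT.java` hunk below suggests the base may still use the raw `List`, so keep whichever matches). The header comment also reads `Copyright (c) 2002 - 20014`, which looks like a typo.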
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
new file mode 100644
index 0000000000..2fc04c5bff
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java
@@ -0,0 +1,80 @@
+package org.owasp.webgoat.plugin;
+
+import com.google.common.collect.Lists;
+import org.jcodings.util.Hash;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.*;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+
+import java.util.Map;
+
+/**
+ * Created by jason on 1/5/17.
+ */
+
+@AssignmentPath("/auth-bypass/verify-account")
+@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
+public class VerifyAccount extends AssignmentEndpoint {
+
+ @Autowired
+ private WebSession webSession;
+
+ @Autowired
+ UserSessionData userSessionData;
+
+ @PostMapping(produces = {"application/json"})
+ @ResponseBody
+ public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
+
+
+ AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
+ Map submittedAnswers = parseSecQuestions(req);
+ if (verificationHelper.didUserLikelylCheat((HashMap)submittedAnswers)) {
+ return trackProgress(failed()
+ .feedback("verify-account.cheated")
+ .output("Yes, you guessed correcctly,but see the feedback message")
+ .build());
+ }
+
+ // else
+ if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) {
+ userSessionData.setValue("account-verified-id", userId);
+ return trackProgress(success()
+ .feedback("verify-account.success")
+ .build());
+ } else {
+ return trackProgress(failed()
+ .feedback("verify-account.failed")
+ .build());
+ }
+
+ }
+
+ private HashMap parseSecQuestions (HttpServletRequest req) {
+
+ Map userAnswers = new HashMap<>();
+ List paramNames = Collections.list(req.getParameterNames());
+ for (String paramName : paramNames) {
+ //String paramName = req.getParameterNames().nextElement();
+ if (paramName.contains("secQuestion")) {
+ userAnswers.put(paramName,req.getParameter(paramName));
+ }
+ }
+ return (HashMap)userAnswers;
+
+ }
+
+}
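Review bot: `new Integer(userId)` on the `verificationHelper.verifyAccount(...)` line parses a raw request parameter, so any non-numeric `userId` throws an uncaught `NumberFormatException` and the request most likely ends in a server error rather than a failed `AttackResult`; parse it first, e.g. `int id; try { id = Integer.parseInt(userId); } catch (NumberFormatException e) { return trackProgress(failed().feedback("verify-account.failed").build()); }` and pass `id`. The helper reached from that line (its hunk is truncated at the top of this diff) compares `submittedQuestions.get("seQuestion1")` against the `secQuestion1` entry, so a submission that legitimately contains `secQuestion1` dereferences `null` and throws; the key should read `"secQuestion1"` unless that mismatch is a deliberate part of the lesson, which the hints do not suggest. In `parseSecQuestions`, `List paramNames` is raw yet iterated as `String`, which I believe does not compile because a raw `List` yields `Object` elements — `List<String> paramNames = Collections.list(req.getParameterNames());` fixes it, and the `Map`/`HashMap` raw types with casts can become `Map<String, String>`; the `verifyMethod` parameter and the `org.jcodings.util.Hash`, `Lists` and `HttpServletResponse` imports are unused. The output string also reads `correcctly`.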
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/.DS_Store b/webgoat-lessons/auth-bypass/src/main/resources/.DS_Store
new file mode 100644
index 0000000000..6efa04a20a
Binary files /dev/null and b/webgoat-lessons/auth-bypass/src/main/resources/.DS_Store differ
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store b/webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store
new file mode 100644
index 0000000000..5008ddfcf5
Binary files /dev/null and b/webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store differ
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html b/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
new file mode 100644
index 0000000000..88a7c908b5
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
@@ -0,0 +1,88 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
new file mode 100644
index 0000000000..31c590b3b1
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1,11 @@
+auth-bypass.title=Authentication Bypasses
+
+verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again.
+verify-account.failed=Not quite, please try again.
+verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password!
+
+auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same.
+auth-bypass.hints.verify.2=You do want to tamper the security question parameters, but not delete them
+auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
+auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?
+
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/images/firefox-proxy-config.png b/webgoat-lessons/auth-bypass/src/main/resources/images/firefox-proxy-config.png
new file mode 100644
index 0000000000..0ea3bbe067
Binary files /dev/null and b/webgoat-lessons/auth-bypass/src/main/resources/images/firefox-proxy-config.png differ
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/images/paypal-2fa-bypass.png b/webgoat-lessons/auth-bypass/src/main/resources/images/paypal-2fa-bypass.png
new file mode 100644
index 0000000000..a84d87e4f8
Binary files /dev/null and b/webgoat-lessons/auth-bypass/src/main/resources/images/paypal-2fa-bypass.png differ
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js b/webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js
new file mode 100644
index 0000000000..acbc268992
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js
@@ -0,0 +1,15 @@
+// need custom js for this?
+
+webgoat.customjs.onBypassResponse = function(data) {
+ webgoat.customjs.jquery('#verify-account-form').hide();
+ webgoat.customjs.jquery('#change-password-form').show();
+}
+
+var onViewProfile = function () {
+ console.warn("on view profile activated")
+ webgoat.customjs.jquery.ajax({
+ method: "GET",
+ url: "/WebGoat/IDOR/profile",
+ contentType: 'application/json; charset=UTF-8'
+ }).then(webgoat.customjs.idorViewProfile);
+}
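Review bot: `onViewProfile` calls `/WebGoat/IDOR/profile` and hands the result to `webgoat.customjs.idorViewProfile`, both belonging to the IDOR lesson, and nothing in this file references `onViewProfile`; together with the opening `// need custom js for this?` comment it reads as a copy-paste leftover. Either drop the function or point it at this lesson's own endpoint and handler once they exist, and remove the `console.warn` debug line. `onBypassResponse` also hides the verify form and shows the change-password form for every response, including a failed attempt; I'd guard on the result, e.g. `if (data && data.<success-field>) { ... }` where `<success-field>` is the AttackResult JSON property, which is not visible in this diff.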
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc
new file mode 100644
index 0000000000..fe4f8fd921
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc
@@ -0,0 +1,15 @@
+
+== 2FA Password Reset
+
+A recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass) is a great example of authentication bypass. He was unable to receive an SMS with a code, so he opted for the provided
+alternative method, which involved security questions. Using a proxy, removed the parameters entirely ... and won.
+
+image::images/paypal-2fa-bypass.png[Paypal 2FA bypass,1397,645,style="lesson-image"]
+
+
+=== The Scenario
+
+You are resetting your password, but doing it from a location or device that your provider does not recognize. So you need to answer the security questions you set up. The other issue is
+that those security questions are also stored on another device (not with you) and you don't remember them.
+
+You have already provided your username/email and opted for the alternative verification method.
\ No newline at end of file
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc
new file mode 100644
index 0000000000..a18bce132c
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc
@@ -0,0 +1,15 @@
+== Authentication Bpasses
+
+Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
+
+=== Hidden inputs
+
+The simplest form is a reliance on a hidden input that is in the web page/DOM.
+
+=== Removing Parameters
+
+Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove the parameter from the submission altogether to see what happens.
+
+=== Forced Browsing
+
+If an area of a site is not protected properly by configuation, that area of the site may be accessed by guessing/brute-forcing.
\ No newline at end of file
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc
new file mode 100644
index 0000000000..83831886ff
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc
@@ -0,0 +1,7 @@
+=== More Content, Video too ...
+
+You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
+
+video::video/sample-video.m4v[width=480,start=5]
+
+see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax
\ No newline at end of file
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v b/webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v
new file mode 100644
index 0000000000..ff801f48be
Binary files /dev/null and b/webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v differ
diff --git a/webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/plugin/BypassVerificationTest.java b/webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/plugin/BypassVerificationTest.java
new file mode 100644
index 0000000000..ddd0cc1da0
--- /dev/null
+++ b/webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/plugin/BypassVerificationTest.java
@@ -0,0 +1,86 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ */
+
+package org.owasp.webgoat.plugin;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.boot.test.context.TestComponent;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+@RunWith(MockitoJUnitRunner.class)
+public class BypassVerificationTest extends AssignmentEndpointTest {
+
+ private MockMvc mockMvc;
+
+ @Before
+ public void setup() {
+ VerifyAccount verifyAccount = new VerifyAccount();
+ init(verifyAccount);
+ this.mockMvc = standaloneSetup(verifyAccount).build();
+ }
+
+ @Test
+ public void placeHolder() {
+ assert (true);
+ }
+
+//TODO: Finish tests below ... getting null on injected/mocked userSession for some reason (in AssignmentEndpoint:58 even though it it mocked via AssignmentEncpointTest and works in other tests)
+// @Test
+// public void testCheatingDetection() throws Exception {
+// ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/auth-bypass/verify-account")
+// .param("secQuestion0","Dr. Watson")
+// .param("secQuestion1","Baker Street")
+// .param("verifyMethod","SEC_QUESTIONS")
+// .param("userId","1223445"));
+//
+// results.andExpect(status().isOk())
+// .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("verify-account.cheated"))));
+// }
+
+// @Test
+// public void success() {
+//
+// }
+
+// @Test
+// public void failure() {
+//
+// }
+
+}
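Review bot: `placeHolder()` uses the Java `assert` statement, which is disabled unless the JVM runs with `-ea`, so the only active test in this class can never fail and the `mockMvc` built in `setup()` is never exercised. With JUnit 4 already imported, write `org.junit.Assert.assertTrue(true)` if a placeholder is really wanted, or better keep the real cases and mark them `@Ignore("TODO: mocked userSession is null")` instead of commenting them out, so the open TODO shows up in the test report rather than disappearing. The `userSessionData` field in `VerifyAccount` is package-private and field-injected, which may be why `init(verifyAccount)` leaves it null in this runner — worth confirming against `AssignmentEndpointTest`.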
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWT.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWT.java
index 928ff6557f..b9018358f1 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWT.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWT.java
@@ -24,7 +24,7 @@ public List getHints() {
@Override
public Integer getDefaultRanking() {
- return null;
+ return 40;
}
@Override
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index 5137709b19..9c9dbc2800 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -27,6 +27,7 @@
xxe
idor
vulnerable-components
+ auth-bypass
diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
index 7b0d74867c..e469255524 100644
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
@@ -25,7 +25,7 @@