Auth bypass

webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js

@@ -91,6 +91,7 @@ define(['jquery',
             this.curForm = curForm;
             this.$curFeedback = $(curForm).closest('.attack-container').find('.attack-feedback');
             this.$curOutput = $(curForm).closest('.attack-container').find('.attack-output');
+
             var formUrl = $(curForm).attr('action');
             var formMethod = $(curForm).attr('method');
             var contentType = ($(curForm).attr('contentType')) ? $(curForm).attr('contentType') : 'application/x-www-form-urlencoded; charset=UTF-8';
@@ -100,23 +101,30 @@ define(['jquery',
                 method:formMethod,
                 contentType:contentType,
                 data: submitData,
-                complete: function (data) {
-                    callbackFunction();
-                }
+                //complete: function (data) {
+                    //callbackFunction(data);
+                //}
             }).then(self.onSuccessResponse.bind(self), self.onErrorResponse.bind(self));
             return false;
          },
 
         onSuccessResponse: function(data) {
             this.renderFeedback(data.feedback);
             this.renderOutput(data.output || "");
+
+            var successCallBackFunctionName = this.$form.attr('successCallback');
+            var failureCallbackFunctionName = this.$form.attr('failureCallback');
+            //var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
+            successCallbackFunction = (typeof webgoat.customjs[successCallBackFunctionName] === 'function') ? webgoat.customjs[successCallBackFunctionName] : function() {};
+            failureCallbackFunction = (typeof webgoat.customjs[failureCallbackFunctionName] === 'function') ? webgoat.customjs[failureCallbackFunctionName] : function() {};
             //TODO: refactor back assignmentCompleted in Java
             if (data.lessonCompleted || data.assignmentCompleted) {
-
                 this.markAssignmentComplete();
+                successCallbackFunction(data); //data is likely not useful, except maybe the output ...
                 this.trigger('assignment:complete');
             } else {
-                this.markAssignmentIncomplete();
+                this.markAssignmentIncomplete(data); //again, data might be useful, especially the output
+                failureCallbackFunction();
             }
             return false;
         },

webgoat-lessons/auth-bypass/pom.xml

@@ -0,0 +1,12 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>auth-bypass</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.0-SNAPSHOT</version>
+    </parent>
+
+</project>

webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java

@@ -0,0 +1,69 @@
+package org.owasp.webgoat.plugin;
+
+import org.jcodings.util.Hash;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Created by appsec on 7/18/17.
+ */
+public class AccountVerificationHelper {
+
+
+
+    //simulating database storage of verification credentials
+    private  static final Integer verifyUserId = new Integer(1223445);
+    private static final Map<String,String> userSecQuestions = new HashMap<>();
+    static {
+        userSecQuestions.put("secQuestion0","Dr. Watson");
+        userSecQuestions.put("secQuestion1","Baker Street");
+    }
+
+    private static final Map<Integer,Map> secQuestionStore = new HashMap<>();
+    static {
+        secQuestionStore.put(verifyUserId,userSecQuestions);
+    }
+    // end 'data store set up'
+
+    // this is to aid feedback in the attack process and is not intended to be part of the 'vulnerable' code
+    public boolean didUserLikelylCheat(HashMap<String,String> submittedAnswers) {
+        boolean likely = false;
+
+        if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
+            likely = true;
+        }
+
+        if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) &&
+                (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) ) {
+            likely = true;
+        } else {
+            likely = false;
+        }
+
+        return likely;
+
+    }
+    //end of cheating check ... the method below is the one of real interest. Can you find the flaw?
+
+    public boolean verifyAccount(Integer userId, HashMap<String,String> submittedQuestions ) {
+        //short circuit if no questions are submitted
+        if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
+            return false;
+        }
+
+        if (submittedQuestions.containsKey("secQuestion0") && !submittedQuestions.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
+            return false;
+        }
+
+        if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
+            return false;
+        }
+
+        // else
+        return true;
+
+    }
+}

webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AuthBypass.java

@@ -0,0 +1,65 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author misfir3
+ * @version $Id: $Id
+ * @since January 3, 2017
+ */
+public class AuthBypass extends NewLesson {
+
+    @Override
+    public Category getDefaultCategory() {
+        return Category.AUTHENTICATION;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return Lists.newArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 30;
+    }
+
+    @Override
+    public String getTitle() {
+        return "auth-bypass.title";
+    }
+
+    @Override
+    public String getId() {
+        return "AuthBypass";
+    }
+
+}

webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/VerifyAccount.java

@@ -0,0 +1,80 @@
+package org.owasp.webgoat.plugin;
+
+import com.google.common.collect.Lists;
+import org.jcodings.util.Hash;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.*;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+
+import java.util.Map;
+
+/**
+ * Created by jason on 1/5/17.
+ */
+
+@AssignmentPath("/auth-bypass/verify-account")
+@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
+public class VerifyAccount extends AssignmentEndpoint {
+
+    @Autowired
+    private WebSession webSession;
+
+    @Autowired
+    UserSessionData userSessionData;
+
+    @PostMapping(produces = {"application/json"})
+    @ResponseBody
+    public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
+
+
+        AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
+        Map<String,String> submittedAnswers = parseSecQuestions(req);
+        if (verificationHelper.didUserLikelylCheat((HashMap)submittedAnswers)) {
+            return trackProgress(failed()
+            .feedback("verify-account.cheated")
+            .output("Yes, you guessed correcctly,but see the feedback message")
+            .build());
+        }
+
+        // else
+        if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) {
+            userSessionData.setValue("account-verified-id", userId);
+            return trackProgress(success()
+            .feedback("verify-account.success")
+            .build());
+        } else {
+            return trackProgress(failed()
+            .feedback("verify-account.failed")
+            .build());
+        }
+
+    }
+
+    private HashMap<String,String> parseSecQuestions (HttpServletRequest req) {
+
+        Map <String,String> userAnswers = new HashMap<>();
+        List<String> paramNames = Collections.list(req.getParameterNames());
+        for  (String paramName : paramNames) {
+            //String paramName = req.getParameterNames().nextElement();
+            if (paramName.contains("secQuestion")) {
+                userAnswers.put(paramName,req.getParameter(paramName));
+            }
+        }
+        return (HashMap)userAnswers;
+
+    }
+
+}

webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html

@@ -0,0 +1,88 @@
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:bypass-intro.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:2fa-bypass.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+
+            <!-- modify the action to point to the intended endpoint and set other attributes as desired -->
+            <script th:src="@{/lesson_js/bypass.js}" />
+            <form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
+                  method="POST" name="form"
+                  successCallback="onBypassResponse"
+                  action="/WebGoat/auth-bypass/verify-account"
+                  enctype="application/json;charset=UTF-8">
+                <p>Verify Your Account by answering the questions below:</p>
+
+                <p>What is the name of your favorite teacher?</p>
+                <input name="secQuestion0" value="" type="TEXT" /><br/>
+
+                <p>What is the name of the street you grew up on?</p>
+                <input name="secQuestion1" value="" type="TEXT" /><br/><br />
+
+                <input type="hidden" name="jsEnabled" value="1" />
+                <input type="hidden" name="verifyMethod" value="SEC_QUESTIONS" />
+                <input type="hidden" name="userId" value="12309746" />
+
+                <input name="submit" value="Submit" type="submit"/>
+
+            </form>
+
+            <form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
+                  method="POST" name="form"
+                  successCallback="onBypassResponse"
+                  action="/WebGoat/auth-bypass/verify-account"
+                  enctype="application/json;charset=UTF-8"
+                  style="display:none"><!-- start off hidden -->
+                <p>Please provide a new password for your account</p>
+
+                <p>Password:</p>
+                <input name="newPassword" value="" type="password" /><br/>
+
+                <p>Confirm Password:</p>
+                <input name="newPasswordConfirm" value="" type="password" /><br/><br />
+
+                <input type="hidden" name="userId" value="12309746" />
+
+                <input name="submit" value="Submit" type="submit"/>
+
+            </form>
+
+            <!-- do not remove the two following div's, this is where your feedback/output will land -->
+            <!-- the attack response will include a 'feedback' and that will automatically go here -->
+            <div class="attack-feedback"></div>
+            <!-- output is intended to be a simulation of what the screen would display in an attack -->
+            <div class="attack-output"></div>
+        </div>
+
+    </div>
+
+    <!--<div class="lesson-page-wrapper">-->
+        <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <!--<div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>-->
+        <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
+        <!--<div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>-->
+
+        <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
+
+    <!--</div>-->
+
+    <!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ...
+        see other lessons for other more complex examples -->
+
+</html>

webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties

@@ -0,0 +1,11 @@
+auth-bypass.title=Authentication Bypasses
+
+verify-account.cheated=It appears you may be using source code to cheat.While that's always helpful when hacking. Please try again.
+verify-account.failed=Not quite, please try again.
+verify-account.success=Congrats, you have successfully verified the account without actually verifying it. You can now change your password!
+
+auth-bypass.hints.verify.1=The attack on this is similar to the story referenced, but not exactly the same.
+auth-bypass.hints.verify.2=You do want to tamper the  security  question parameters, but not delete them
+auth-bypass.hints.verify.3=The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation
+auth-bypass.hints.verify.4=Have you tried renaming the secQuestion0 and secQuestion1 parameters?
+

webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js

@@ -0,0 +1,15 @@
+// need custom js for this?
+
+webgoat.customjs.onBypassResponse = function(data) {
+    webgoat.customjs.jquery('#verify-account-form').hide();
+    webgoat.customjs.jquery('#change-password-form').show();
+}
+
+var onViewProfile = function () {
+    console.warn("on view profile activated")
+    webgoat.customjs.jquery.ajax({
+        method: "GET",
+        url: "/WebGoat/IDOR/profile",
+        contentType: 'application/json; charset=UTF-8'
+     }).then(webgoat.customjs.idorViewProfile);
+}