Merge pull request #11 from WebGoat/WEB-139

Web 139

Author: dcowden

src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java

@@ -1,8 +1,14 @@
 
 package org.owasp.webgoat.lessons;
 
-import java.util.ArrayList;
+import java.util.ArrayList; 
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+import java.util.TreeMap;
+import java.util.Map.Entry;
+
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -15,6 +21,7 @@
 import org.apache.ecs.html.TR;
 import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.WebSession;
 
 
@@ -52,6 +59,38 @@
 
 public class PasswordStrength extends LessonAdapter
 {
+    private Map<String, Password> passwords = new TreeMap<String, Password>() {{
+        put("pass1", new Password("123456", "seconds", "0", "dictionary based, in top 10 most used passwords"));
+        put("pass2", new Password("abzfezd", "seconds", "2", "26 chars on 7 positions, 8 billion possible combinations"));
+        put("pass3", new Password("a9z1ezd", "seconds", "19", "26 + 10 chars on 7 positions = 78 billion possible combinations"));
+        put("pass4", new Password("aB8fEzDq", "hours", "15", "26 + 26 + 10 chars on 8 positions = 218 trillion possible combinations"));
+        put("pass5", new Password("z8!E?7D$", "days", "20", "96 chars on 8 positions = 66 quintillion possible combinations"));
+        put("pass6", new Password("My1stPassword!:Redd", "quintillion years", "364", "96 chars on 19 positions = 46 undecillion possible combinations"));
+    }};
+    
+    private class Password {
+        
+        String password;
+        String timeUnit;
+        String answer;
+        private String explanation;
+        
+        public Password(String password, String timeUnit, String answer, String explanation) {
+            this.password = password;
+            this.timeUnit = timeUnit;
+            this.answer = answer;
+            this.explanation = explanation;
+        }
+    }
+    
+    private boolean checkSolution(WebSession s) throws ParameterNotFoundException {
+        boolean allCorrect = true;
+        for ( int i = 1; i <= passwords.size(); i++ ) {
+            String key = "pass" + i;
+            allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key).answer);
+        }
+        return allCorrect;
+    }
 
     /**
      * Description of the Method
@@ -66,87 +105,39 @@ protected Element createContent(WebSession s)
 
         try
         {
-            if (s.getParser().getStringParameter("pass1", "").equals("0")
-                    && s.getParser().getStringParameter("pass2", "").equals("1394")
-                    && s.getParser().getStringParameter("pass3", "").equals("5")
-                    && s.getParser().getStringParameter("pass4", "").equals("2")
-                    && s.getParser().getStringParameter("pass5", "").equals("41"))
+            if (checkSolution(s))
             {
                 makeSuccess(s);
+                ec.addElement(new BR());
                 ec.addElement(new StringElement("As a guideline not bound to a single solution."));
                 ec.addElement(new BR());
-                ec.addElement(new StringElement("Assuming the brute-force power of 1,000,000 hash/second: "));
+                ec.addElement(new StringElement("Assuming the calculations per second 4 billion: "));
                 ec.addElement(new BR());
                 OL ol = new OL();
-                ol.addElement(new LI("123456 - 0 seconds        (dictionary based, one of top 100)"));
-                ol.addElement(new LI("abzfez - up to 5 minutes  ( 26 chars on 6 positions = 26^6 seconds)"));
-                ol.addElement(new LI("a9z1ez - up to 40 minutes ( 26+10 chars on 6 positions = 36^6 seconds)"));
-                ol.addElement(new LI("aB8fEz - up to 16 hours   ( 26+26+10 chars on 6 positions = 62^6 seconds)"));
-                ol.addElement(new LI("z8!E?7 - up to 50 days    ( 127 chars on 6 positions = 127^6 seconds)"));
+                for ( Password password : passwords.values()) {
+                    ol.addElement(new LI(String.format("%s - %s %s (%s)", password.password, password.answer, password.timeUnit, password.explanation)));
+                }
                 ec.addElement(ol);
             } else
             {
-
-                ec.addElement(new StringElement("How much time you need for these passwords? "));
                 ec.addElement(new BR());
+                ec.addElement(new StringElement("How much time would a desktop PC take to crack these passwords?"));
                 ec.addElement(new BR());
                 ec.addElement(new BR());
                 Table table = new Table();
-                table.addAttribute("align='center'", 0);
-                TR tr1 = new TR();
-                TD td1 = new TD();
-                TD td2 = new TD();
-                Input input1 = new Input(Input.TEXT, "pass1", "");
-                td1.addElement(new StringElement("Password = 123456"));
-                td2.addElement(input1);
-                td2.addElement(new StringElement("seconds"));
-                tr1.addElement(td1);
-                tr1.addElement(td2);
-    
-                TR tr2 = new TR();
-                TD td3 = new TD();
-                TD td4 = new TD();
-                Input input2 = new Input(Input.TEXT, "pass2", "");
-                td3.addElement(new StringElement("Password = abzfez"));
-                td4.addElement(input2);
-                td4.addElement(new StringElement("seconds"));
-                tr2.addElement(td3);
-                tr2.addElement(td4);
-    
-                TR tr3 = new TR();
-                TD td5 = new TD();
-                TD td6 = new TD();
-                Input input3 = new Input(Input.TEXT, "pass3", "");
-                td5.addElement(new StringElement("Password = a9z1ez"));
-                td6.addElement(input3);
-                td6.addElement(new StringElement("hours"));
-                tr3.addElement(td5);
-                tr3.addElement(td6);
-    
-                TR tr4 = new TR();
-                TD td7 = new TD();
-                TD td8 = new TD();
-                Input input4 = new Input(Input.TEXT, "pass4", "");
-                td7.addElement(new StringElement("Password = aB8fEz"));
-                td8.addElement(input4);
-                td8.addElement(new StringElement("days"));
-                tr4.addElement(td7);
-                tr4.addElement(td8);
-    
-                TR tr5 = new TR();
-                TD td9 = new TD();
-                TD td10 = new TD();
-                Input input5 = new Input(Input.TEXT, "pass5", "");
-                td9.addElement(new StringElement("Password = z8!E?7"));
-                td10.addElement(input5);
-                td10.addElement(new StringElement("days"));
-                tr5.addElement(td9);
-                tr5.addElement(td10);
-                table.addElement(tr1);
-                table.addElement(tr2);
-                table.addElement(tr3);
-                table.addElement(tr4);
-                table.addElement(tr5);
+                for ( Entry<String, Password> entry : passwords.entrySet()) {
+                    TR tr = new TR();
+                    TD td1 = new TD();
+                    TD td2 = new TD();
+                    Input input1 = new Input(Input.TEXT, entry.getKey(), "");
+                    td1.addElement(new StringElement("Password = " + entry.getValue().password));
+                    td1.setWidth("50%");
+                    td2.addElement(input1);
+                    td2.addElement(new StringElement("  " + entry.getValue().timeUnit));
+                    tr.addElement(td1);
+                    tr.addElement(td2);
+                    table.addElement(tr);
+                }
                 ec.addElement(table);
                 ec.addElement(new BR());
                 ec.addElement(new BR());
@@ -197,9 +188,9 @@ protected Category getDefaultCategory()
 
     public String getInstructions(WebSession s)
     {
-        String instructions = "The Accounts of your Webapplication are only as save as the passwords. "
-                + "For this exercise, your job is to test several passwords on <a href=\"https://www.cnlab.ch/codecheck\" target=\"_blank\">https://www.cnlab.ch/codecheck</a>. "
-                + " You must test all 5 passwords at the same time...<br>"
+        String instructions = "The accounts of your web application are only as save as the passwords. "
+                + "For this exercise, your job is to test several passwords on <a href=\"https://howsecureismypassword.net\" target=\"_blank\">https://howsecureismypassword.net</a>. "
+                + " You must test all 6 passwords at the same time...<br>"
                 + "<b> On your applications you should set good password requirements! </b>";
         return (instructions);
     }

src/main/webapp/lesson_plans/English/PasswordStrength.html

@@ -3,8 +3,9 @@
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
-Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals, numbers and special characters. The longer the password, the better, consider using a passphrase instead. For 
+more information see: <a href="https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls" target="_blank">OWASP proper password strength</a>. 
 <!-- Stop Instructions -->
-<br>
+<br/><br/>
 <p><b>General Goal(s):</b> </p>
- For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>

src/main/webapp/lesson_plans/en/PasswordStrength.html

@@ -3,8 +3,8 @@
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
-Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the sbetter.
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>
- For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>

src/main/webapp/lesson_plans/ru/PasswordStrength.html

@@ -10,4 +10,4 @@
 <!-- Stop Instructions -->
 <br>
 <p><b>Основные цели и задачи:</b> </p>
- Попробуйте проверить несколько используемых вами паролей на стойкость вот на этом сервисе - <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ Попробуйте проверить несколько используемых вами паролей на стойкость вот на этом сервисе - <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>

src/main/webapp/lesson_solutions/PasswordStrength_files/image001.jpg

@@ -14,25 +14,24 @@
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>
- For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>.
+ For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>.
 <br><br>
 <b>Solution:</b><br/>
-Open your browser on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>. Copy the first password in the field and click "Run the check".<br><br>
+Open your browser on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>. Copy the first password in the field and the page will automatically be updated.<br><br>
 <img src="lesson_solutions/PasswordStrength_files/image001.jpg"><br/>
-<font size="2"><b>Code checker</b></font><br/><br/><br/>
-You will get a little pop-up. Choose "Yes, I want this word to be tested".<br><br>
-<img src="lesson_solutions/PasswordStrength_files/image002.jpg"><br/>
-<font size="2"><b>Pop-up</b></font><br/><br/><br/>
+<font size="2"><b>Password checker</b></font><br/><br/><br/>
 You will get get the result of the check.<br><br>
-<img src="lesson_solutions/PasswordStrength_files/image003.jpg"><br/>
+<img src="lesson_solutions/PasswordStrength_files/image002.jpg"><br/>
 <font size="2"><b>The result</b></font><br/><br/><br/>
-Do this with all of the five given passwords.<br><br>
+Do this with all of the six given passwords.<br><br>
 Here are the results you get:<br><br>
+
 Password = 123456: <font color="#ff0000">0</font> seconds<br>
-Password = abzfez: <font color="#ff0000">1394</font> seconds<br>
-Password = a9z1ez: <font color="#ff0000">5</font> hours<br>
-Password = aB8fEz: <font color="#ff0000">2</font> days<br>
-Password = z8!E?7: <font color="#ff0000">41</font> days<br>
+Password = abzfezd: <font color="#ff0000">2</font> seconds<br>
+Password = a9z1ezd: <font color="#ff0000">19</font> seconds<br>
+Password = aB8fEzDq: <font color="#ff0000">15</font> hours<br>
+Password = z8!E?7: <font color="#ff0000">20</font> days<br>
+Password = My1stPassword!:Redd: <font color="#ff0000">364</font> quintillion years<br>
 <br><br><br>
 </body>
 </html>