Fixed problems with answers and updated the lesson plan page

nbaars · nbaars · commit a8500cdedb88 · 2014-09-15T20:59:49.000+02:00
diff --git a/src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java b/src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java
@@ -84,10 +84,10 @@ public Password(String password, String timeUnit, String answer, String explaina
 	}
 	
 	private boolean checkSolution(WebSession s) throws ParameterNotFoundException {
-		boolean allCorrect = false;
-		for ( int i = 0; i < passwords.size(); i++ ) {
+		boolean allCorrect = true;
+		for ( int i = 1; i <= passwords.size(); i++ ) {
 			String key = "pass" + i;
-			allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key));
+			allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key).answer);
 		}
 		return allCorrect;
 	}
@@ -108,6 +108,7 @@ protected Element createContent(WebSession s)
 			if (checkSolution(s))
 			{
 				makeSuccess(s);
+				ec.addElement(new BR());
 				ec.addElement(new StringElement("As a guideline not bound to a single solution."));
 				ec.addElement(new BR());
 				ec.addElement(new StringElement("Assuming the calculations per second 4 billion: "));
diff --git a/src/main/webapp/lesson_plans/English/PasswordStrength.html b/src/main/webapp/lesson_plans/English/PasswordStrength.html
@@ -3,8 +3,9 @@
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
-Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals, numbers and special characters. The longer the password, the better, consider using a passphrase instead. For 
+more information see: <a href="https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls" target="_blank">OWASP proper password strength</a>. 
 <!-- Stop Instructions -->
-<br>
+<br/><br/>
 <p><b>General Goal(s):</b> </p>
  For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>

Original file line number	Diff line number	Diff line change
`@@ -84,10 +84,10 @@ public Password(String password, String timeUnit, String answer, String explaina`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`private boolean checkSolution(WebSession s) throws ParameterNotFoundException {`
`87`		`- boolean allCorrect = false;`
`88`		`- for ( int i = 0; i < passwords.size(); i++ ) {`
	`87`	`+ boolean allCorrect = true;`
	`88`	`+ for ( int i = 1; i <= passwords.size(); i++ ) {`
`89`	`89`	`String key = "pass" + i;`
`90`		`- allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key));`
	`90`	`+ allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key).answer);`
`91`	`91`	`}`
`92`	`92`	`return allCorrect;`
`93`	`93`	`}`
`@@ -108,6 +108,7 @@ protected Element createContent(WebSession s)`
`108`	`108`	`if (checkSolution(s))`
`109`	`109`	`{`
`110`	`110`	`makeSuccess(s);`
	`111`	`+ ec.addElement(new BR());`
`111`	`112`	`ec.addElement(new StringElement("As a guideline not bound to a single solution."));`
`112`	`113`	`ec.addElement(new BR());`
`113`	`114`	`ec.addElement(new StringElement("Assuming the calculations per second 4 billion: "));`