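package org.owasp.webgoat.lessons;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.Map.Entry;
import org.apache.commons.collections.CollectionUtils;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Div;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.LI;
import org.apache.ecs.html.OL;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.ParameterNotFoundException;
import org.owasp.webgoat.session.WebSession;


/***************************************************************************************************
 *
 *
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
 * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 20014 Bruce Mayhew
 *
 * This program is free software; you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along with this program; if
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
 * Getting Source ==============
 *
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
 * projects.
 *
 *
 * For details, please see http://webgoat.github.io
 *
 * Lesson on password strength: the learner is shown six fixed sample passwords and has to enter,
 * for each one, how long a desktop PC would need to crack it. Once every answer matches, the
 * lesson is marked as solved and the expected values are listed together with the size of the
 * search space behind each estimate.
 *
 * @author Reto Lippuner, Marcel Wirth
 * @created April 7, 2008
 */
public class PasswordStrength extends LessonAdapter {

    /** Ranking value returned by {@link #getDefaultRanking()}. */
    private static final Integer DEFAULT_RANKING = Integer.valueOf(6);

    /**
     * Lesson fixtures keyed by form-field name ("pass1" .. "pass6"). A TreeMap keeps them in key
     * order, so the form rows and the solution list appear in the same order.
     */
    private final Map<String, Password> passwords = buildPasswords();

    /**
     * Builds the fixture table. A plain factory method replaces the former double-brace
     * initializer, which created an anonymous TreeMap subclass holding a hidden reference to the
     * lesson instance.
     *
     * @return the sample passwords with their expected answers
     */
    private static Map<String, Password> buildPasswords() {
        Map<String, Password> fixtures = new TreeMap<String, Password>();
        fixtures.put("pass1", new Password("123456", "seconds", "0", "dictionary based, in top 10 most used passwords"));
        fixtures.put("pass2", new Password("abzfezd", "seconds", "2", "26 chars on 7 positions, 8 billion possible combinations"));
        fixtures.put("pass3", new Password("a9z1ezd", "seconds", "19", "26 + 10 chars on 7 positions = 78 billion possible combinations"));
        fixtures.put("pass4", new Password("aB8fEzDq", "hours", "15", "26 + 26 + 10 chars on 8 positions = 218 trillion possible combinations"));
        // NOTE(review): 96^8 is roughly 7.2 quadrillion; "66 quintillion" matches 96^10. The
        // 20-day answer is consistent with 96^8 at the 4 billion guesses per second stated in
        // the solution text, so only the explanation figure looks off. Confirm before changing
        // the displayed lesson text.
        fixtures.put("pass5", new Password("z8!E?7D$", "days", "20", "96 chars on 8 positions = 66 quintillion possible combinations"));
        fixtures.put("pass6", new Password("My1stPassword!:Redd", "quintillion years", "364", "96 chars on 19 positions = 46 undecillion possible combinations"));
        return fixtures;
    }

    /**
     * One sample password together with the expected answer. Declared static so instances do not
     * carry a reference to the enclosing lesson; all fields are fixed at construction.
     */
    private static final class Password {
        /** The sample password displayed to the learner. */
        final String password;
        /** Unit printed next to the input field (for example "seconds"). */
        final String timeUnit;
        /** Expected value; compared as an exact string against the submitted parameter. */
        final String answer;
        /** Search-space explanation shown after the lesson is solved. */
        private final String explanation;

        Password(String password, String timeUnit, String answer, String explanation) {
            this.password = password;
            this.timeUnit = timeUnit;
            this.answer = answer;
            this.explanation = explanation;
        }
    }

    /**
     * Checks whether every submitted answer equals the expected one.
     *
     * Each fixture key is read as a request parameter of the same name; a missing parameter
     * defaults to the empty string and therefore never matches.
     *
     * @param s the current session, used to reach the request parser
     * @return {@code true} only if all answers match exactly
     * @throws ParameterNotFoundException declared for the parser call
     */
    private boolean checkSolution(WebSession s) throws ParameterNotFoundException {
        // Iterating the map itself avoids depending on the keys being exactly pass1..passN.
        for (Entry<String, Password> entry : passwords.entrySet()) {
            String submitted = s.getParser().getStringParameter(entry.getKey(), "");
            if (!submitted.equals(entry.getValue().answer)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Renders the lesson body: the solution list when all answers are correct, otherwise the
     * question form.
     *
     * @param s the current session
     * @return the container holding whatever was rendered before any error occurred
     */
    protected Element createContent(WebSession s) {
        ElementContainer ec = new ElementContainer();

        try {
            if (checkSolution(s)) {
                makeSuccess(s);
                appendSolution(ec);
            } else {
                appendQuestionForm(ec);
            }
        } catch (Exception e) {
            // The message shown to the user names only the lesson class; exception details are
            // kept out of the page and go to stderr.
            // NOTE(review): prefer the application's logger here if one is available.
            s.setMessage("Error generating " + this.getClass().getName());
            e.printStackTrace();
        }

        return (ec);
    }

    /** Appends the solved-state view: one list item per password with answer and explanation. */
    private void appendSolution(ElementContainer ec) {
        ec.addElement(new BR());
        ec.addElement(new StringElement("As a guideline not bound to a single solution."));
        ec.addElement(new BR());
        ec.addElement(new StringElement("Assuming the calculations per second 4 billion: "));
        ec.addElement(new BR());

        OL solutionList = new OL();
        for (Password fixture : passwords.values()) {
            solutionList.addElement(new LI(String.format("%s - %s %s (%s)", fixture.password, fixture.answer,
                    fixture.timeUnit, fixture.explanation)));
        }
        ec.addElement(solutionList);
    }

    /** Appends the question form: one row per password with a text input named after its key. */
    private void appendQuestionForm(ElementContainer ec) {
        ec.addElement(new BR());
        ec.addElement(new StringElement("How much time would a desktop PC take to crack these passwords?"));
        ec.addElement(new BR());
        ec.addElement(new BR());

        Table table = new Table();
        for (Entry<String, Password> entry : passwords.entrySet()) {
            Password fixture = entry.getValue();

            TD passwordCell = new TD();
            passwordCell.addElement(new StringElement("Password = " + fixture.password));
            passwordCell.setWidth("50%");

            TD answerCell = new TD();
            answerCell.addElement(new Input(Input.TEXT, entry.getKey(), ""));
            answerCell.addElement(new StringElement(" " + fixture.timeUnit));

            TR row = new TR();
            row.addElement(passwordCell);
            row.addElement(answerCell);
            table.addElement(row);
        }
        ec.addElement(table);
        ec.addElement(new BR());
        ec.addElement(new BR());

        Div buttonRow = new Div();
        buttonRow.addAttribute("align", "center");
        buttonRow.addElement(ECSFactory.makeButton("Go!"));
        ec.addElement(buttonRow);
    }

    /**
     * Returns the hints for this lesson.
     *
     * @param s the current session (not used)
     * @return a list with the single hint
     */
    public List<String> getHints(WebSession s) {
        List<String> hints = new ArrayList<String>();
        hints.add("Copy the passwords into the code checker.");
        return hints;
    }

    /**
     * Returns the default ranking of this lesson.
     *
     * @return the ranking value
     */
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /**
     * Returns the category this lesson is listed under.
     *
     * @return {@code Category.AUTHENTICATION}
     */
    protected Category getDefaultCategory() {
        return Category.AUTHENTICATION;
    }

    /**
     * Returns the HTML instructions for the lesson.
     *
     * The instructions link to an external, third-party strength checker. Only the lesson's
     * fixture passwords are meant to be entered there, never a credential that is in use. The
     * link opens with the {@code noopener} window feature so that the external page receives no
     * {@code window.opener} handle back to the lesson window.
     *
     * @param s the current session (not used)
     * @return the instructions markup
     */
    public String getInstructions(WebSession s) {
        String instructions = "The accounts of your web application are only as safe as the passwords. "
                + "For this exercise, your job is to test several passwords on <a onclick=\"window.open(this.href,'_blank','noopener');return false;\" href=\"https://howsecureismypassword.net\">https://howsecureismypassword.net</a>. "
                + " You must test all 6 passwords at the same time...<br>"
                + "<b> On your applications you should set good password requirements! </b>";
        return (instructions);
    }

    /**
     * Returns the title of this lesson.
     *
     * @return the title value
     */
    public String getTitle() {
        return ("Password Strength");
    }

    /**
     * Returns the credits element naming the lesson authors.
     *
     * @return the element produced by {@code getCustomCredits}
     */
    public Element getCredits() {
        return super.getCustomCredits("Created by: Reto Lippuner, Marcel Wirth", new StringElement(""));
    }
}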