dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix token signature validation

Browse Source
This commit is contained in:
Àngel Ollé Blázquez 2021-09-29 13:36:21 +02:00 committed by Nanne Baars
parent 9403bbb851
commit 362248a065
2 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
View File

@ -75,7 +75,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
@ResponseBody @ResponseBody
public AttackResult login(@RequestParam String token) { public AttackResult login(@RequestParam String token) {
try { try {
Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token); Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token);
Claims claims = (Claims) jwt.getBody(); Claims claims = (Claims) jwt.getBody();
if (!claims.keySet().containsAll(expectedClaims)) { if (!claims.keySet().containsAll(expectedClaims)) {
return failed(this).feedback("jwt-secret-claims-missing").build(); return failed(this).feedback("jwt-secret-claims-missing").build();

11
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
View File

@ -128,4 +128,15 @@ public class JWTSecretKeyEndpointTest extends LessonTest {
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token")))); .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
} }
@Test
void unsignedToken() throws Exception {
Claims claims = createClaims("WebGoat");
String token = Jwts.builder().setClaims(claims).compact();
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
.param("token", token))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
}
} }