Fix token signature validation

2021-09-29 13:36:21 +02:00 · 2021-09-29 13:36:21 +02:00 · 362248a065
commit 362248a065
parent 9403bbb851
2 changed files with 12 additions and 1 deletions
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
@ -75,7 +75,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
    @ResponseBody
    public AttackResult login(@RequestParam String token) {
        try {
-            Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
+            Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token);
            Claims claims = (Claims) jwt.getBody();
            if (!claims.keySet().containsAll(expectedClaims)) {
                return failed(this).feedback("jwt-secret-claims-missing").build();
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
+++ b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
@ -128,4 +128,15 @@ public class JWTSecretKeyEndpointTest extends LessonTest {
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
    }
+
+    @Test
+    void unsignedToken() throws Exception {
+        Claims claims = createClaims("WebGoat");
+        String token = Jwts.builder().setClaims(claims).compact();
+
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
+                .param("token", token))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+    }
 }