Working lesson

webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java

@@ -101,7 +101,7 @@ public class CreateDB {
         // Create the new table
         try {
             String createTableStatement = "CREATE TABLE jwt_keys"
-                    + " (" + "id varchar(10),"
+                    + " (" + "id varchar(20),"
                     + "key varchar(20))";
             statement.executeUpdate(createTableStatement);
 

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTFinalEndpoint.java

@@ -54,7 +54,7 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
                         final String kid = (String) header.get("kid");
                         try {
                             Connection connection = DatabaseUtilities.getConnection(webSession);
-                            ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = " + kid);
+                            ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = '" + kid + "'");
                             while (rs.next()) {
                                 return rs.getString(1).getBytes(Charsets.UTF_8);
                             }

webgoat-lessons/jwt/src/main/resources/html/JWT.html

@@ -176,6 +176,7 @@
               action="/WebGoat/JWT/final/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8"
               enctype="application/json;charset=UTF-8">
             <div class="container-fluid">
+                <div id="toast"></div>
                 <div class="col-sm-6 col-md-4 col-lg-3 mt-4">
                     <div class="card card-inverse card-info">
                         <img th:src="@{/images/jerry.png}" class="card-img-top"></img>
@@ -208,7 +209,7 @@
                         </div>
                         <div class="card-footer">
                             <small>Last updated 12 days ago</small>
-                            <button class="btn btn-info float-right btn-sm" onclick="javascript:follow('Tom')">Follow</button>
+                            <button type="button" class="btn btn-info float-right btn-sm" onclick="javascript:follow('Tom')">Follow</button>
                             <button class="btn btn-info float-right btn-sm">Delete</button>
                         </div>
                     </div>

webgoat-lessons/jwt/src/main/resources/js/jwt-final.js

@@ -3,8 +3,7 @@ function follow(user) {
         type: 'POST',
         url: 'JWT/final/follow/' + user
     }).then(function (result) {
-        $("#toast").setTextContent(result);
+        $("#toast").append(result);
     })
 }
-}
 

webgoat-lessons/jwt/src/main/resources/js/jwt-signing.js

@@ -5,11 +5,10 @@ $(document).ready(function () {
 function login(user) {
     $("#name").text(user);
     $.ajax({
-        url: "JWT/votings/login?user=" + user,
+        url: 'JWT/votings/login?user=' + user
-        complete: function (result, status) {
+    }).then(function () {
-            getVotings();
+        getVotings();
-        }
+    })
-    });
 }
 
 var html = '<a href="#" class="list-group-item ACTIVE">' +
@@ -65,7 +64,7 @@ function getVotings() {
     })
 }
 
-webgoat.customjs.jwtSigningCallback = function() {
+webgoat.customjs.jwtSigningCallback = function () {
     getVotings();
 }