Working lesson

2018-05-21 13:19:26 +02:00 · 2018-05-21 13:19:26 +02:00 · 60ef35e241
commit 60ef35e241
parent 9d7886d572
5 changed files with 10 additions and 11 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java
@ -101,7 +101,7 @@ public class CreateDB {
        // Create the new table
        try {
            String createTableStatement = "CREATE TABLE jwt_keys"
-                    + " (" + "id varchar(10),"
+                    + " (" + "id varchar(20),"
                    + "key varchar(20))";
            statement.executeUpdate(createTableStatement);

--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTFinalEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTFinalEndpoint.java
@ -54,7 +54,7 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
                        final String kid = (String) header.get("kid");
                        try {
                            Connection connection = DatabaseUtilities.getConnection(webSession);
-                            ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = " + kid);
+                            ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = '" + kid + "'");
                            while (rs.next()) {
                                return rs.getString(1).getBytes(Charsets.UTF_8);
                            }
--- a/webgoat-lessons/jwt/src/main/resources/html/JWT.html
+++ b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
@ -176,6 +176,7 @@
              action="/WebGoat/JWT/final/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8"
              enctype="application/json;charset=UTF-8">
            <div class="container-fluid">
+                <div id="toast"></div>
                <div class="col-sm-6 col-md-4 col-lg-3 mt-4">
                    <div class="card card-inverse card-info">
                        <img th:src="@{/images/jerry.png}" class="card-img-top"></img>
@ -208,7 +209,7 @@
                        </div>
                        <div class="card-footer">
                            <small>Last updated 12 days ago</small>
-                            <button class="btn btn-info float-right btn-sm" onclick="javascript:follow('Tom')">Follow</button>
+                            <button type="button" class="btn btn-info float-right btn-sm" onclick="javascript:follow('Tom')">Follow</button>
                            <button class="btn btn-info float-right btn-sm">Delete</button>
                        </div>
                    </div>
--- a/webgoat-lessons/jwt/src/main/resources/js/jwt-final.js
+++ b/webgoat-lessons/jwt/src/main/resources/js/jwt-final.js
@ -3,8 +3,7 @@ function follow(user) {
        type: 'POST',
        url: 'JWT/final/follow/' + user
    }).then(function (result) {
-        $("#toast").setTextContent(result);
+        $("#toast").append(result);
    })
 }
-}

--- a/webgoat-lessons/jwt/src/main/resources/js/jwt-signing.js
+++ b/webgoat-lessons/jwt/src/main/resources/js/jwt-signing.js
@ -5,11 +5,10 @@ $(document).ready(function () {
 function login(user) {
    $("#name").text(user);
    $.ajax({
-        url: "JWT/votings/login?user=" + user,
-        complete: function (result, status) {
-            getVotings();
-        }
-    });
+        url: 'JWT/votings/login?user=' + user
+    }).then(function () {
+        getVotings();
+    })
 }

 var html = '<a href="#" class="list-group-item ACTIVE">' +
@ -65,7 +64,7 @@ function getVotings() {
    })
 }

-webgoat.customjs.jwtSigningCallback = function() {
+webgoat.customjs.jwtSigningCallback = function () {
    getVotings();
 }