first steps

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java

@@ -28,11 +28,18 @@ import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.*;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.sql.DataSource;
+
+import java.nio.charset.Charset;
+import java.security.NoSuchAlgorithmException;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.util.Base64;
+import java.util.Random;
 
 /**
  * <pre>
@@ -68,6 +75,25 @@ public class JWTFinalEndpoint extends AssignmentEndpoint {
         this.dataSource = dataSource;
     }
 
+    @PostMapping(path="/JWT/encode",produces=MediaType.TEXT_HTML_VALUE)
+    @ResponseBody
+    public String encode(@RequestParam("jsonHeader") String jsonHeader,
+    		@RequestParam("jsonPayload") String jsonPayload,
+    		@RequestParam("jsonSecret") String jsonSecret) throws NoSuchAlgorithmException {		
+		
+		String header = Base64.getUrlEncoder().encodeToString(jsonHeader.getBytes(Charset.defaultCharset()));
+		String body = Base64.getUrlEncoder().encodeToString(jsonPayload.getBytes(Charset.defaultCharset()));
+		String signature = "";
+		return "{\"header\":\""+header+"\",\"payload\":\""+body+"\",\"secret\":\""+signature+"\"}";
+    }
+    
+    @PostMapping(path="/JWT/decode",produces=MediaType.APPLICATION_JSON_VALUE)
+    @ResponseBody
+    public String decode(@RequestParam("token") String token) throws NoSuchAlgorithmException {		
+		
+		return new String(Base64.getUrlDecoder().decode(token.getBytes(Charset.defaultCharset())));
+    }
+    
     @PostMapping("/JWT/final/follow/{user}")
     public @ResponseBody
     String follow(@PathVariable("user") String user) {

webgoat-lessons/jwt/src/main/resources/html/JWT.html

@@ -8,7 +8,10 @@ $(document).ready(
 				$("#secrettoken").load('/WebGoat/JWT/secret/gettoken');
 		}
 	);
+	
 </script>
+
+
 </header>
 <body>
 <div class="lesson-page-wrapper">
@@ -16,6 +19,23 @@ $(document).ready(
 </div>
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:JWT_structure.adoc"></div>
+			<form id="encode" class="attack-form" method="POST" name="form"	action="/WebGoat/JWT/encode" >
+			<table>
+			<tr><td width="100%"><input class="form-control" name="jsonHeader" value='{  "alg":"HS256",  "typ":"JWT"}"' type="TEXT"/></td></tr>
+			<tr><td width="100%"><input class="form-control" name="jsonPayload" value='{  "alg":"HS256",  "typ":"JWT"}' type="TEXT"/></td></tr>
+			<tr><td width="100%"><input class="form-control" name="jsonSecret" value="secret" type="TEXT"/></td></tr>
+			<tr><td><input name="SUBMIT" value="encode" type="SUBMIT"/></td></tr>			
+			</table>
+			</form>
+			<form id="decode" class="attack-form" method="POST" name="form"	action="/WebGoat/JWT/decode" >
+			<table>
+			<tr><td width="100%"><input class="form-control" id="headervalue" name="headervalue" value='' type="TEXT"/></td></tr>
+			<tr><td width="100%"><input class="form-control" name="payloadvalue" value='' type="TEXT"/></td></tr>
+			<tr><td width="100%"><input class="form-control" name="signature" value="" type="TEXT"/></td></tr>
+			<tr><td><input name="SUBMIT" value="encode" type="SUBMIT"/></td></tr>			
+			</table>
+			</form>
+			
 </div>
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:JWT_login_to_token.adoc"></div>
@@ -296,6 +316,17 @@ $(document).ready(
         <div class="attack-output"></div>
     </div>
 </div>
+<script>
+
+$('#encode').submit(function () {
+    $.post('/WebGoat/JWT/encode', $('#encode').serialize(), function (data, textStatus) {
+    	var obj = JSON.parse(data);
+    	document.getElementById("headervalue").value=obj.header;
+    });
+    return false;
+});
+
+</script>
 </body>
 
 </html>