From 8450c5a5bee740f3ff2ebcea8a84d51a570cbec5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?=
Date: Wed, 15 Nov 2023 18:30:14 +0100
Subject: [PATCH] skip validation for JWT (#1663)

* skip validation for JWT
* skip validation for JWT
* skip validation for JWT
---
 robot/goat.robot | 44 ++++++++++++-------
 .../owasp/webgoat/webwolf/jwt/JWTToken.java | 6 +--
 2 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/robot/goat.robot b/robot/goat.robot
index a5dac9cfb..87fa2b8be 100644
--- a/robot/goat.robot
+++ b/robot/goat.robot
@@ -2,9 +2,10 @@ Documentation Setup WebGoat Robotframework tests
 Library SeleniumLibrary timeout=100 run_on_failure=Capture Page Screenshot
 Library String
+Library OperatingSystem
 Suite Setup Initial_Page ${ENDPOINT} ${BROWSER}
-#Suite Teardown Close_Page
+Suite Teardown Close_Page
 *** Variables ***
 ${BROWSER} chrome
@@ -22,7 +23,7 @@ Initial_Page
 [Arguments] ${ENDPOINT} ${BROWSER}
 Log To Console Start WebGoat UI Testing
 IF ${HEADLESS}
- Open Browser ${ENDPOINT} ${BROWSER} options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat
+ Open Browser ${ENDPOINT} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'});add_argument("-headless");add_argument("--start-maximized") alias=webgoat
 ELSE
 Open Browser ${ENDPOINT} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat
 END
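Review bot: The `Open Browser` line in the `IF ${HEADLESS}` branch only reorders the Chrome options so `add_experimental_option('prefs', …)` now precedes the two `add_argument(...)` calls, and nothing says why; a reader will take it as cosmetic and may reorder it back. If the order matters to how SeleniumLibrary parses the `options=` string (I cannot confirm that from the hunk), record it next to the line: `# keep add_experimental_option first — the options string is parsed in order`. The same options string is repeated verbatim for the WebWolf browser later in this patch, so a `${CHROME_HEADLESS_OPTIONS}` entry under `*** Variables ***` referenced from both `Open Browser` calls would keep the two in sync. `Initial_Page` starts before this hunk and continues after its `END`.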
@@ -31,6 +32,17 @@ Initial_Page
 Set Window Size ${1400} ${1000}
 Set Window Position ${0} ${0}
 Set Selenium Speed ${DELAY}
+ Log To Console Start WebWolf UI Testing
+ IF ${HEADLESS}
+ Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'});add_argument("-headless");add_argument("--start-maximized") alias=webwolf
+ ELSE
+ Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
+ END
+ Switch Browser webwolf
+ Maximize Browser Window
+ Set Window Size ${1400} ${1000}
+ Set Window Position ${500} ${0}
+ Set Selenium Speed ${DELAY}
 
 Close_Page
 [Documentation] Closing the browser
@@ -45,6 +57,7 @@ Close_Page
 
 *** Test Cases ***
 Check_Initial_Page
+ [Tags] WebGoatTests
 Switch Browser webgoat
 Page Should Contain Username
 Click Button Sign in
@@ -52,6 +65,7 @@ Check_Initial_Page
 Click Link /WebGoat/registration
 
 Check_Registration_Page
+ [Tags] WebGoatTests
 Page Should Contain Username
 Input Text username ${USERNAME}
 Input Text password ${PASSWORD}
@@ -60,6 +74,7 @@ Check_Registration_Page
 Click Button Sign up
 
 Check_Welcome_Page
+ [Tags] WebGoatTests
 Page Should Contain WebGoat
 Go To ${ENDPOINT}/login
 Page Should Contain Username
@@ -69,6 +84,7 @@ Check_Welcome_Page
 Page Should Contain WebGoat
 
 Check_Menu_Page
+ [Tags] WebGoatTests
 Click Element css=a[category='Introduction']
 Click Element Introduction-WebGoat
 CLick Element Introduction-WebWolf
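Review bot: Opening the WebWolf browser inside `Initial_Page` ties the whole suite to `${ENDPOINT_WOLF}` being reachable: Robot marks every test in a suite failed when `Suite Setup` fails, so an unreachable WebWolf now also fails the WebGoat cases, whereas the old `Open_WebWolf` test case only failed itself. If that coupling is intended, say so in the keyword's documentation; otherwise keep the second `Open Browser` in a WebWolf-specific keyword and attach it as `[Setup]    Open_WebWolf` on `Check_WebWolf`, so the WebGoat half still runs on its own. The `Maximize Browser Window` / `Set Window Size` / `Set Window Position` / `Set Selenium Speed` run is now duplicated from the WebGoat block just above; a small keyword taking the alias and x-offset would remove the copy. `Initial_Page` starts before this hunk.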
@@ -83,18 +99,6 @@ Check_Menu_Page
 Fail "not ok"
 END
 
-Open_WebWolf
- Log To Console Start WebWolf UI Testing
- IF ${HEADLESS}
- Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
- ELSE
- Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
- END
- Switch Browser webwolf
- Maximize Browser Window
- Set Window Size ${1400} ${1000}
- Set Window Position ${500} ${200}
-
 Check_WebWolf
 Switch Browser webwolf
 location should be ${ENDPOINT_WOLF}/login
@@ -108,11 +112,17 @@ Check_WebWolf
 Check_JWT_Page
 Go To ${ENDPOINT_WOLF}/jwt
 Click Element token
+ Wait Until Element Is Enabled token 5s
 Input Text token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
+ Click Element secretKey
 Input Text secretKey none
+ Sleep 2s # Pause before reading the result
 ${OUT_VALUE} Get Value xpath=//textarea[@id='token']
 Log To Console Found token ${OUT_VALUE}
 ${OUT_RESULT} Evaluate "ImuPnHvLdU7ULKfbD4aJU" in """${OUT_VALUE}"""
- IF not ${OUT_RESULT}
- Fail "not ok, failed JWT"
- END
+ Log To Console Found token ${OUT_RESULT}
+
+Check_Files_Page
+ Go To ${ENDPOINT_WOLF}/files
+ Choose File css:input[type="file"] ${CURDIR}/goat.robot
+ Click Button Upload files
\ No newline at end of file
diff --git a/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
index 88fcdc1c5..0b7088fde 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
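Review bot: Replacing the `IF not ${OUT_RESULT}` / `Fail` block with `Log To Console    Found token ${OUT_RESULT}` leaves `Check_JWT_Page` unable to fail: `${OUT_RESULT}` is computed and printed but never asserted, so a regression in the WebWolf JWT page — the code path the Java hunk of this same commit touches — would pass CI silently. If the assertion was flaky because the textarea had not been re-rendered when it was read, wait for the value instead of dropping the check: replace the new `Sleep    2s` with `Wait Until Keyword Succeeds    10s    500ms    Textarea Should Contain    token    ImuPnHvLdU7ULKfbD4aJU` and keep `Should Be True    ${OUT_RESULT}    msg=JWT was not re-signed as expected` after the `Evaluate`. `Check_Files_Page` has the same gap: nothing after `Click Button    Upload files` verifies the upload, so at minimum `Page Should Contain    goat.robot` (assuming the files page lists uploaded names — confirm). The `[Tags]    WebGoatTests` added to the WebGoat cases earlier in the patch has no `WebWolfTests` counterpart on these two tests, and the file now ends without a trailing newline.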
@@ -1,11 +1,11 @@
 package org.owasp.webgoat.webwolf.jwt;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.springframework.util.Base64Utils.decodeFromUrlSafeString;
 import static org.springframework.util.StringUtils.hasText;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import java.util.Base64;
 import java.util.Map;
 import java.util.TreeMap;
 import lombok.AllArgsConstructor;
@@ -103,8 +103,8 @@ public class JWTToken {
 var builder = JWTToken.builder().encoded(jwt);
 if (token.length >= 2) {
- var header = new String(decodeFromUrlSafeString(token[0]), UTF_8);
- var payloadAsString = new String(decodeFromUrlSafeString(token[1]), UTF_8);
+ var header = new String(Base64.getUrlDecoder().decode(token[0]), UTF_8);
+ var payloadAsString = new String(Base64.getUrlDecoder().decode(token[1]), UTF_8);
 var headers = parse(header);
 var payload = parse(payloadAsString);
 builder.header(write(header, headers));
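Review bot: `Base64.getUrlDecoder().decode(token[0])` and the `token[1]` call below it throw `IllegalArgumentException` when a segment contains characters outside the URL-safe alphabet (a token pasted with `+` or `/`, embedded whitespace, a truncated segment), and `token` is derived from whatever the user typed into the WebWolf JWT page; the hunk shows no handler and the enclosing method starts and ends outside it, so if nothing upstream catches the exception a malformed paste becomes a 500 instead of an undecodable-token result. Worth confirming the caller, or guarding locally, e.g. `catch (IllegalArgumentException e) { /* not base64url — leave header/payload unset */ }` around the body of the `if`. As far as I recall Spring's deprecated `Base64Utils.decodeFromUrlSafeString` delegated to this same JDK decoder, so the swap should be behaviour-neutral; a one-line comment, `// java.util.Base64 replaces Spring's deprecated Base64Utils; same URL-safe, padding-optional decoding`, would save the next reader the archaeology. The `token.length >= 2` guard still accepts a two-part token with no signature, which is reasonable for a decoding tool but should be stated in the method's Javadoc.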