dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

skip validation for JWT (#1663)

Browse Source 
* skip validation for JWT

* skip validation for JWT

* skip validation for JWT
This commit is contained in:
René Zubcevic 2023-11-15 18:30:14 +01:00 committed by GitHub
parent ba75e10efd
commit 8450c5a5be
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
robot/goat.robot
View File

@ -2,9 +2,10 @@
Documentation Setup WebGoat Robotframework tests Documentation Setup WebGoat Robotframework tests
Library SeleniumLibrary timeout=100 run_on_failure=Capture Page Screenshot Library SeleniumLibrary timeout=100 run_on_failure=Capture Page Screenshot
Library String Library String
Library OperatingSystem
Suite Setup Initial_Page ${ENDPOINT} ${BROWSER} Suite Setup Initial_Page ${ENDPOINT} ${BROWSER}
#Suite Teardown Close_Page Suite Teardown Close_Page
*** Variables *** *** Variables ***
${BROWSER} chrome ${BROWSER} chrome
@ -22,7 +23,7 @@ Initial_Page
[Arguments] ${ENDPOINT} ${BROWSER} [Arguments] ${ENDPOINT} ${BROWSER}
Log To Console Start WebGoat UI Testing Log To Console Start WebGoat UI Testing
IF ${HEADLESS} IF ${HEADLESS}
Open Browser ${ENDPOINT} ${BROWSER} options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat Open Browser ${ENDPOINT} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'});add_argument("-headless");add_argument("--start-maximized") alias=webgoat
ELSE ELSE
Open Browser ${ENDPOINT} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat Open Browser ${ENDPOINT} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webgoat
END END
@ -31,6 +32,17 @@ Initial_Page
Set Window Size ${1400} ${1000} Set Window Size ${1400} ${1000}
Set Window Position ${0} ${0} Set Window Position ${0} ${0}
Set Selenium Speed ${DELAY} Set Selenium Speed ${DELAY}
Log To Console Start WebWolf UI Testing
IF ${HEADLESS}
Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'});add_argument("-headless");add_argument("--start-maximized") alias=webwolf
ELSE
Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
END
Switch Browser webwolf
Maximize Browser Window
Set Window Size ${1400} ${1000}
Set Window Position ${500} ${0}
Set Selenium Speed ${DELAY}
Close_Page Close_Page
[Documentation] Closing the browser [Documentation] Closing the browser
@ -45,6 +57,7 @@ Close_Page
*** Test Cases *** *** Test Cases ***
Check_Initial_Page Check_Initial_Page
[Tags] WebGoatTests
Switch Browser webgoat Switch Browser webgoat
Page Should Contain Username Page Should Contain Username
Click Button Sign in Click Button Sign in
@ -52,6 +65,7 @@ Check_Initial_Page
Click Link /WebGoat/registration Click Link /WebGoat/registration
Check_Registration_Page Check_Registration_Page
[Tags] WebGoatTests
Page Should Contain Username Page Should Contain Username
Input Text username ${USERNAME} Input Text username ${USERNAME}
Input Text password ${PASSWORD} Input Text password ${PASSWORD}
@ -60,6 +74,7 @@ Check_Registration_Page
Click Button Sign up Click Button Sign up
Check_Welcome_Page Check_Welcome_Page
[Tags] WebGoatTests
Page Should Contain WebGoat Page Should Contain WebGoat
Go To ${ENDPOINT}/login Go To ${ENDPOINT}/login
Page Should Contain Username Page Should Contain Username
@ -69,6 +84,7 @@ Check_Welcome_Page
Page Should Contain WebGoat Page Should Contain WebGoat
Check_Menu_Page Check_Menu_Page
[Tags] WebGoatTests
Click Element css=a[category='Introduction'] Click Element css=a[category='Introduction']
Click Element Introduction-WebGoat Click Element Introduction-WebGoat
CLick Element Introduction-WebWolf CLick Element Introduction-WebWolf
@ -83,18 +99,6 @@ Check_Menu_Page
Fail "not ok" Fail "not ok"
END END
Open_WebWolf
Log To Console Start WebWolf UI Testing
IF ${HEADLESS}
Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
ELSE
Open Browser ${ENDPOINT_WOLF} ${BROWSER} options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'}) alias=webwolf
END
Switch Browser webwolf
Maximize Browser Window
Set Window Size ${1400} ${1000}
Set Window Position ${500} ${200}
Check_WebWolf Check_WebWolf
Switch Browser webwolf Switch Browser webwolf
location should be ${ENDPOINT_WOLF}/login location should be ${ENDPOINT_WOLF}/login
@ -108,11 +112,17 @@ Check_WebWolf
Check_JWT_Page Check_JWT_Page
Go To ${ENDPOINT_WOLF}/jwt Go To ${ENDPOINT_WOLF}/jwt
Click Element token Click Element token
Wait Until Element Is Enabled token 5s
Input Text token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c Input Text token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Click Element secretKey
Input Text secretKey none Input Text secretKey none
Sleep 2s # Pause before reading the result
${OUT_VALUE} Get Value xpath=//textarea[@id='token'] ${OUT_VALUE} Get Value xpath=//textarea[@id='token']
Log To Console Found token ${OUT_VALUE} Log To Console Found token ${OUT_VALUE}
${OUT_RESULT} Evaluate "ImuPnHvLdU7ULKfbD4aJU" in """${OUT_VALUE}""" ${OUT_RESULT} Evaluate "ImuPnHvLdU7ULKfbD4aJU" in """${OUT_VALUE}"""
IF not ${OUT_RESULT} Log To Console Found token ${OUT_RESULT}
Fail "not ok, failed JWT"
END Check_Files_Page
Go To ${ENDPOINT_WOLF}/files
Choose File css:input[type="file"] ${CURDIR}/goat.robot
Click Button Upload files

6
src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
View File

@ -1,11 +1,11 @@
package org.owasp.webgoat.webwolf.jwt; package org.owasp.webgoat.webwolf.jwt;
import static java.nio.charset.StandardCharsets.UTF_8; import static java.nio.charset.StandardCharsets.UTF_8;
import static org.springframework.util.Base64Utils.decodeFromUrlSafeString;
import static org.springframework.util.StringUtils.hasText; import static org.springframework.util.StringUtils.hasText;
import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Base64;
import java.util.Map; import java.util.Map;
import java.util.TreeMap; import java.util.TreeMap;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
@ -103,8 +103,8 @@ public class JWTToken {
var builder = JWTToken.builder().encoded(jwt); var builder = JWTToken.builder().encoded(jwt);
if (token.length >= 2) { if (token.length >= 2) {
var header = new String(decodeFromUrlSafeString(token[0]), UTF_8); var header = new String(Base64.getUrlDecoder().decode(token[0]), UTF_8);
var payloadAsString = new String(decodeFromUrlSafeString(token[1]), UTF_8); var payloadAsString = new String(Base64.getUrlDecoder().decode(token[1]), UTF_8);
var headers = parse(header); var headers = parse(header);
var payload = parse(payloadAsString); var payload = parse(payloadAsString);
builder.header(write(header, headers)); builder.header(write(header, headers));