Support boolean when parsing the token.

When the `admin` JSON claim is passed as a `boolean`:

```
{
 "admin": true
}
```

the parsing is now successful.
Nanne Baars 2023-01-02 08:47:45 +01:00 committed by Nanne Baars
parent 32468ff90b
commit b03777d39b
2 changed files with 17 additions and 4 deletions


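--- a/JWTVotesEndpoint.java
+++ b/JWTVotesEndpoint.java
@@ -169,7 +169,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
 try {
 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
 Claims claims = (Claims) jwt.getBody();
-boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
+boolean isAdmin = Boolean.valueOf(String.valueOf(claims.get("admin")));
 if (!isAdmin) {
 return failed(this).feedback("jwt-only-admin").build();
 } else {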
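Review bot: The new `Boolean.valueOf(String.valueOf(claims.get("admin")))` line hides its contract: an absent claim becomes the string "null" and therefore false, a JSON boolean `true` becomes "true", and a string claim is matched case-insensitively, none of which is visible at the call site. A one-line comment would make that explicit: `// "admin" may arrive as a JSON boolean or as a string; a missing claim stringifies to "null" and is treated as non-admin`. Note also that the accompanying test drives this check with an unsigned `alg: none` token, so the admin decision here rests on the claim value alone; if that is the intended lesson vulnerability it deserves a comment saying so, rather than being left implicit next to a `setSigningKey` call that suggests the token was verified. The enclosing try block and method begin and end outside this hunk.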


@ -28,12 +28,9 @@ import io.jsonwebtoken.Jwts;
import org.hamcrest.CoreMatchers; import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.container.plugins.LessonTest; import org.owasp.webgoat.container.plugins.LessonTest;
import org.owasp.webgoat.lessons.jwt.JWT; import org.owasp.webgoat.lessons.jwt.JWT;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.MvcResult; import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders; import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@ -75,6 +72,22 @@ public class JWTVotesEndpointTest extends LessonTest {
.andExpect(jsonPath("$.lessonCompleted", is(true))); .andExpect(jsonPath("$.lessonCompleted", is(true)));
} }
@Test
public void solveAssignmentWithBoolean() throws Exception {
//Create new token and set alg to none and do not sign it
Claims claims = Jwts.claims();
claims.put("admin", true);
claims.put("user", "Tom");
String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
//Call the reset endpoint
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")
.contentType(MediaType.APPLICATION_JSON)
.cookie(new Cookie("access_token", token)))
.andExpect(status().isOk())
.andExpect(jsonPath("$.lessonCompleted", is(true)));
}
@Test @Test
public void resetWithoutTokenShouldNotWork() throws Exception { public void resetWithoutTokenShouldNotWork() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings") mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")