dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve handling of missing parameters, now returns HTTP/401 (#698)

Browse Source
This commit is contained in:
Nanne Baars 2019-11-03 18:27:03 +01:00 committed by René Zubcevic
parent f7b794bf68
commit ddf6ac9bdb
2 changed files with 40 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
View File

@ -35,6 +35,8 @@ import org.springframework.web.bind.annotation.*;
import java.util.*; import java.util.*;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import static org.springframework.http.ResponseEntity.ok;
/** /**
* @author nbaars * @author nbaars
* @since 4/23/17. * @since 4/23/17.
@ -49,12 +51,15 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
@PostMapping(value = "/JWT/refresh/login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) @PostMapping(value = "/JWT/refresh/login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody @ResponseBody
public ResponseEntity follow(@RequestBody Map<String, Object> json) { public ResponseEntity follow(@RequestBody(required = false) Map<String, Object> json) {
if (json == null) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
String user = (String) json.get("user"); String user = (String) json.get("user");
String password = (String) json.get("password"); String password = (String) json.get("password");
if ("Jerry".equals(user) && PASSWORD.equals(password)) { if ("Jerry".equals(user) && PASSWORD.equals(password)) {
return ResponseEntity.ok(createNewTokens(user)); return ok(createNewTokens(user));
} }
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
} }
@ -78,25 +83,33 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
@PostMapping("/JWT/refresh/checkout") @PostMapping("/JWT/refresh/checkout")
@ResponseBody @ResponseBody
public AttackResult checkout(@RequestHeader("Authorization") String token) { public ResponseEntity<?> checkout(@RequestHeader(value = "Authorization", required = false) String token) {
if (token == null) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
try { try {
Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
Claims claims = (Claims) jwt.getBody(); Claims claims = (Claims) jwt.getBody();
String user = (String) claims.get("user"); String user = (String) claims.get("user");
if ("Tom".equals(user)) { if ("Tom".equals(user)) {
return trackProgress(success().build()); return ok(trackProgress(success().build()));
} }
return trackProgress(failed().feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); return ok(trackProgress(failed().feedback("jwt-refresh-not-tom").feedbackArgs(user).build()));
} catch (ExpiredJwtException e) { } catch (ExpiredJwtException e) {
return trackProgress(failed().output(e.getMessage()).build()); return ok(trackProgress(failed().output(e.getMessage()).build()));
} catch (JwtException e) { } catch (JwtException e) {
return trackProgress(failed().feedback("jwt-invalid-token").build()); return ok(trackProgress(failed().feedback("jwt-invalid-token").build()));
} }
} }
@PostMapping("/JWT/refresh/newToken") @PostMapping("/JWT/refresh/newToken")
@ResponseBody @ResponseBody
public ResponseEntity newToken(@RequestHeader("Authorization") String token, @RequestBody Map<String, Object> json) { public ResponseEntity newToken(@RequestHeader(value = "Authorization", required = false) String token,
@RequestBody(required = false) Map<String, Object> json) {
if (token == null || json == null) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
String user; String user;
String refreshToken; String refreshToken;
try { try {
@ -112,7 +125,7 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
} else if (validRefreshTokens.contains(refreshToken)) { } else if (validRefreshTokens.contains(refreshToken)) {
validRefreshTokens.remove(refreshToken); validRefreshTokens.remove(refreshToken);
return ResponseEntity.ok(createNewTokens(user)); return ok(createNewTokens(user));
} else { } else {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
} }

18
webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java
View File

@ -195,4 +195,22 @@ public class JWTRefreshEndpointTest extends LessonTest {
.content(objectMapper.writeValueAsString(refreshJson))) .content(objectMapper.writeValueAsString(refreshJson)))
.andExpect(status().isUnauthorized()); .andExpect(status().isUnauthorized());
} }
@Test
public void noTokenWhileCheckoutShouldReturn401() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout"))
.andExpect(status().isUnauthorized());
}
@Test
public void noTokenWhileRequestingNewTokenShouldReturn401() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken"))
.andExpect(status().isUnauthorized());
}
@Test
public void noTokenWhileLoginShouldReturn401() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login"))
.andExpect(status().isUnauthorized());
}
} }