fix: JWT kid/jku lessons (#1949)

* refactor: rewrite hints

Use active voice and fix grammar issues.

* fix: use Thymeleaf `th:action`

* fix: JWT kid/jku lessons

Split the JavaScript into two files they pointed to the same URL

The JWTs are now valid, they parse successfully.

The paths now include `/kid` and `/jku` to make sure the hints match accordingly in the UI. Otherwise `/delete` would pick up both hints from both assignments as the paths overlap.

Closes: #1715

* fix: update to latest pre-commit version

* fix: increase timeouts for server to start during integration tests

src/main/resources/lessons/jwt/html/JWT.html

@@ -17,7 +17,7 @@
     <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_decode.adoc}"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
-        <form id="decode" class="attack-form" method="POST" name="form" action="JWT/decode">
+        <form id="decode" class="attack-form" method="POST" name="form" th:action="@{/JWT/decode}">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <br>
             <div class="row">
@@ -53,7 +53,7 @@
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST"
               successCallback="jwtSigningCallback"
-              action="JWT/votings">
+              th:action="@{/JWT/votings}">
             <div class="container-fluid">
 
                 <div class="row">
@@ -124,7 +124,7 @@
         <div class="container-fluid">
             <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                   method="POST" name="form"
-                  action="JWT/quiz"
+                  th:action="@{/JWT/quiz}"
                   role="form">
                 <div id="q_container"></div>
                 <br/>
@@ -155,7 +155,7 @@
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" method="POST" name="form" action="JWT/secret">
+        <form class="attack-form" method="POST" name="form" th:action="@{/JWT/secret}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
@@ -192,7 +192,7 @@
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST"
               additionalHeaders="addBearerToken"
-              action="JWT/refresh/checkout">
+              th:action="@{/JWT/refresh/checkout}">
             <div class="container-fluid">
                 <div class="row">
                     <div class="col-sm-12 col-md-10 col-md-offset-1">
@@ -314,12 +314,13 @@
     <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_claim_misuse_jku_assignment.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
-    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/jwt-jku.js}"></script>
+
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST"
-              action="JWT/final/delete?token=eyJ0eXAiOiJKV1QiLCJqa3UiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3dlYmdvYXQvLndlbGwta25vd24vandrcy5qc29uIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.SabvRaYSCW7xI0ueca19TL1e66cJIJaxRiydK2G5lgFMIbL5gQQjE6022HEha9HcprqFXyHbtXrQWRXAp6Gjaf5zs8LUMBMARWjEr8TS43ihguarmLLmvBCoqjiZY39o4EcEjEH9xAoyIYR_Trh7kXn6JVU-8MM76l9IOcYIJ9c8LqT1ERNmbCqtI4PP0tdqCy99nHhqlxSCVXaGDF0jMHV5kjCDSHNYib9riy9xZ63Sztify-bwPqRvxmaShPYtG4BBM_wOGlg-BYTTuws-6yISMfTB5U1WBDwLr6dLU123TGO26wCVBgTKbA0KKG94-ToOcneWLOTEacEfQQOlIQ">
+              th:action="@{/JWT/jku/delete?token=eyJ0eXAiOiJKV1QiLCJqa3UiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3dlYmdvYXQvLndlbGwta25vd24vandrcy5qc29uIiwiYWxnIjoiUlMyNTYifQ.ewogICJpc3MiOiAiV2ViR29hdCBUb2tlbiBCdWlsZGVyIiwKICAiaWF0IjogMTUyNDIxMDkwNCwKICAiZXhwIjogMTYxODkwNTMwNCwKICAiYXVkIjogIndlYmdvYXQub3JnIiwKICAic3ViIjogImplcnJ5QHdlYmdvYXQuY29tIiwKICAidXNlcm5hbWUiOiAiSmVycnkiLAogICJFbWFpbCI6ICJqZXJyeUB3ZWJnb2F0LmNvbSIsCiAgIlJvbGUiOiBbCiAgICAiQ2F0IgogIF0KfQ.SabvRaYSCW7xI0ueca19TL1e66cJIJaxRiydK2G5lgFMIbL5gQQjE6022HEha9HcprqFXyHbtXrQWRXAp6Gjaf5zs8LUMBMARWjEr8TS43ihguarmLLmvBCoqjiZY39o4EcEjEH9xAoyIYR_Trh7kXn6JVU-8MM76l9IOcYIJ9c8LqT1ERNmbCqtI4PP0tdqCy99nHhqlxSCVXaGDF0jMHV5kjCDSHNYib9riy9xZ63Sztify-bwPqRvxmaShPYtG4BBM_WOGlg-bYTTuws-6yISMfTB5U1WBDwLr6dLU123TGO26wCVBgTKbA0KKG94-ToOcneWLOTEacEfQQOlIQ}">
             <div class="container-fluid">
                 <div id="toast"></div>
                 <div class="col-sm-6 col-md-4 col-lg-3 mt-4">
@@ -380,12 +381,12 @@
     <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_claim_misuse_kid_assignment.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
-    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/jwt-kid.js}"></script>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST"
-              action="JWT/kid/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8">
+              th:action="@{/JWT/kid/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.ewogICJpc3MiOiAiV2ViR29hdCBUb2tlbiBCdWlsZGVyIiwKICAiaWF0IjogMTUyNDIxMDkwNCwKICAiZXhwIjogMTYxODkwNTMwNCwKICAiYXVkIjogIndlYmdvYXQub3JnIiwKICAic3ViIjogImplcnJ5QHdlYmdvYXQuY29tIiwKICAidXNlcm5hbWUiOiAiSmVycnkiLAogICJFbWFpbCI6ICJqZXJyeUB3ZWJnb2F0LmNvbSIsCiAgIlJvbGUiOiBbCiAgICAiQ2F0IgogIF0KfQ.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8}">
             <div class="container-fluid">
                 <div id="toast"></div>
                 <div class="col-sm-6 col-md-4 col-lg-3 mt-4">
@@ -421,7 +422,7 @@
                         <div class="card-footer">
                             <small>Last updated 12 days ago</small>
                             <button type="button" class="btn btn-info float-right btn-sm"
-                                    onclick="javascript:follow('Tom')">Follow
+                                    onclick="javascript:startFollowing('Tom')">Follow
                             </button>
                             <button class="btn btn-info float-right btn-sm">Delete</button>
                         </div>

src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties

@@ -26,15 +26,15 @@ jwt-refresh-alg-none=Nicely found! You solved the assignment with 'alg: none' ca
 jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom
 jwt-final-not-tom=Username is not Tom try to pass a token for Tom
 
-jwt-jku-hint1=Take a look at the token and specifically and the header
-jwt-jku-hint2=The 'jku' (key ID) header parameter is a hint indicating which key is used to verify the JWS
+jwt-jku-hint1=Take a look at the token and specifically at the headers
+jwt-jku-hint2=The 'jku' header parameter hints a URL pointing to a set of keys used by the server to sign the JWT.
 jwt-jku-hint3=Could you use WebWolf to host the public key as a JWKS?
 jwt-jku-hint4=Create a key pair and sign the token with the private key
-jwt-jku-hint5=Change the JKU header claim and point it to a URL which hosts the public key in JWKS format.
+jwt-jku-hint5=Change the JKU header claim and point it to a URL that hosts the public key in JWKS format.
 
-jwt-kid-hint1=Take a look at the token and specifically and the header
-jwt-kid-hint2=The 'kid' (key ID) header parameter is a hint indicating which key was used to secure the JWS
-jwt-kid-hint3=The key can be located on the filesystem in memory or even reside in the database
+jwt-kid-hint1=Take a look at the token and specifically at the headers
+jwt-kid-hint2=The 'kid' (key ID) header parameter hints at the key was used to secure the JWS
+jwt-kid-hint3=The key resides can for example, either in the filesystem in memory or the database.
 jwt-kid-hint4=The key is stored in the database and loaded while verifying a token
-jwt-kid-hint5=Using a SQL injection you might be able to manipulate the key to something you know and create a new token.
-jwt-kid-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --  as the kid in the header and change the contents of the token to Tom and hit the endpoint with the new token
+jwt-kid-hint5=Using an SQL injection, you might be able to manipulate the key to a known object and create a new token.
+jwt-kid-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --  as the kid in the header change the contents of the token to Tom and hit the endpoint with the new token

src/main/resources/lessons/jwt/js/jwt-jku.js

@@ -1,7 +1,7 @@
 function follow(user) {
     $.ajax({
         type: 'POST',
-        url: 'JWT/final/follow/' + user
+        url: 'JWT/kid/follow/' + user
     }).then(function (result) {
         $("#toast").append(result);
     })

src/main/resources/lessons/jwt/js/jwt-kid.js

@@ -0,0 +1,8 @@
+function startFollowing(user) {
+    $.ajax({
+        type: 'POST',
+        url: 'JWT/kid/follow/' + user
+    }).then(function (result) {
+        $("#toast").append(result);
+    })
+}