Initial version for JWT

2018-04-23 11:09:30 +02:00
parent 63ca11a1bb
commit ea9c1a453d
25 changed files with 690 additions and 35 deletions
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFConfirmFlag1.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFConfirmFlag1.java
@ -6,12 +6,9 @@ import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;

-import javax.servlet.http.HttpServletRequest;
-
 /**
 * Created by jason on 9/29/17.
 */
--- a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc
+++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc
@ -3,7 +3,7 @@
 A lot of web applications implement no protection against CSRF they are somehow protected by the fact that
 they only work with `application/json` as content type. The only way to make a request with this content-type from the
 browser is with a XHR request. Before the browser can make such a request a preflight request will be made towards
-the server (remember the CSRF request will be cross origin). If the preflight response does not allow the cross origin
+the server (remember the CSRF request will be cross origin). If the pre-flight response does not allow the cross origin
 request the browser will not make the call.

 To make a long answer short: this is *not* a valid protection against CSRF.