feature: Add extra feedback once someone solves JWT refresh lesson differently
One can solve this lesson by using `alg:none` instead of using the refresh token flow. Instead of adding a check to force using the refresh token we opt for giving the user extra feedback.
This commit is contained in:
		| @ -22,7 +22,12 @@ | ||||
|  | ||||
| package org.owasp.webgoat.lessons.jwt; | ||||
|  | ||||
| import io.jsonwebtoken.*; | ||||
| import io.jsonwebtoken.Claims; | ||||
| import io.jsonwebtoken.JwsHeader; | ||||
| import io.jsonwebtoken.Jwt; | ||||
| import io.jsonwebtoken.JwtException; | ||||
| import io.jsonwebtoken.Jwts; | ||||
| import io.jsonwebtoken.SigningKeyResolverAdapter; | ||||
| import io.jsonwebtoken.impl.TextCodec; | ||||
| import java.sql.ResultSet; | ||||
| import java.sql.SQLException; | ||||
| @ -31,34 +36,12 @@ import org.owasp.webgoat.container.LessonDataSource; | ||||
| import org.owasp.webgoat.container.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.container.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.container.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.*; | ||||
| import org.springframework.web.bind.annotation.PathVariable; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| /** | ||||
|  * | ||||
|  * | ||||
|  * <pre> | ||||
|  *  { | ||||
|  *      "typ": "JWT", | ||||
|  *      "kid": "webgoat_key", | ||||
|  *      "alg": "HS256" | ||||
|  *  } | ||||
|  *  { | ||||
|  *       "iss": "WebGoat Token Builder", | ||||
|  *       "iat": 1524210904, | ||||
|  *       "exp": 1618905304, | ||||
|  *       "aud": "webgoat.org", | ||||
|  *       "sub": "jerry@webgoat.com", | ||||
|  *       "username": "Jerry", | ||||
|  *       "Email": "jerry@webgoat.com", | ||||
|  *       "Role": [ | ||||
|  *       "Cat" | ||||
|  *       ] | ||||
|  *  } | ||||
|  * </pre> | ||||
|  * | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @RestController | ||||
| @AssignmentHints({ | ||||
|   "jwt-final-hint1", | ||||
|  | ||||
| @ -49,10 +49,6 @@ import org.springframework.web.bind.annotation.RequestHeader; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @RestController | ||||
| @AssignmentHints({ | ||||
|   "jwt-refresh-hint1", | ||||
| @ -85,9 +81,7 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint { | ||||
|   } | ||||
|  | ||||
|   private Map<String, Object> createNewTokens(String user) { | ||||
|     Map<String, Object> claims = new HashMap<>(); | ||||
|     claims.put("admin", "false"); | ||||
|     claims.put("user", user); | ||||
|     Map<String, Object> claims = Map.of("admin", "false", "user", user); | ||||
|     String token = | ||||
|         Jwts.builder() | ||||
|             .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10))) | ||||
| @ -114,6 +108,9 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint { | ||||
|       Claims claims = (Claims) jwt.getBody(); | ||||
|       String user = (String) claims.get("user"); | ||||
|       if ("Tom".equals(user)) { | ||||
|         if ("none".equals(jwt.getHeader().get("alg"))) { | ||||
|           return ok(success(this).feedback("jwt-refresh-alg-none").build()); | ||||
|         } | ||||
|         return ok(success(this).build()); | ||||
|       } | ||||
|       return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); | ||||
|  | ||||
| @ -42,10 +42,6 @@ import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @RestController | ||||
| @AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"}) | ||||
| public class JWTSecretKeyEndpoint extends AssignmentEndpoint { | ||||
|  | ||||
| @ -58,10 +58,6 @@ import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.ResponseStatus; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| /** | ||||
|  * @author nbaars | ||||
|  * @since 4/23/17. | ||||
|  */ | ||||
| @RestController | ||||
| @AssignmentHints({ | ||||
|   "jwt-change-token-hint1", | ||||
|  | ||||
| @ -21,6 +21,7 @@ jwt-refresh-hint2=The token from the access log is no longer valid, can you find | ||||
| jwt-refresh-hint3=The endpoint for refreshing a token is 'JWT/refresh/newToken' | ||||
| jwt-refresh-hint4=Use the found access token in the Authorization: Bearer header and use your own refresh token | ||||
| jwt-refresh-not-tom=User is not Tom but {0}, please try again | ||||
| jwt-refresh-alg-none=Nicely found! You solved the assignment with 'alg: none' can you also solve it by using the refresh token? | ||||
|  | ||||
| jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom  | ||||
| jwt-final-not-tom=Username is not Tom try to pass a token for Tom | ||||
| @ -30,4 +31,4 @@ jwt-final-hint2=The 'kid' (key ID) header parameter is a hint indicating which k | ||||
| jwt-final-hint3=The key can be located on the filesystem in memory or even reside in the database | ||||
| jwt-final-hint4=The key is stored in the database and loaded while verifying a token | ||||
| jwt-final-hint5=Using a SQL injection you might be able to manipulate the key to something you know and create a new token. | ||||
| jwt-final-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --  as the kid in the header and change the contents of the token to Tom and hit the endpoint with the new token | ||||
| jwt-final-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --  as the kid in the header and change the contents of the token to Tom and hit the endpoint with the new token | ||||
|  | ||||
| @ -29,6 +29,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. | ||||
| import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; | ||||
|  | ||||
| import com.fasterxml.jackson.databind.ObjectMapper; | ||||
| import io.jsonwebtoken.Jwts; | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
| import org.hamcrest.CoreMatchers; | ||||
| @ -43,14 +44,14 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders; | ||||
| public class JWTRefreshEndpointTest extends LessonTest { | ||||
|  | ||||
|   @BeforeEach | ||||
|   public void setup() { | ||||
|   void setup() { | ||||
|     when(webSession.getCurrentLesson()).thenReturn(new JWT()); | ||||
|     this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); | ||||
|     when(webSession.getUserName()).thenReturn("unit-test"); | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void solveAssignment() throws Exception { | ||||
|   void solveAssignment() throws Exception { | ||||
|     ObjectMapper objectMapper = new ObjectMapper(); | ||||
|  | ||||
|     // First login to obtain tokens for Jerry | ||||
| @ -96,7 +97,26 @@ public class JWTRefreshEndpointTest extends LessonTest { | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void checkoutWithTomsTokenFromAccessLogShouldFail() throws Exception { | ||||
|   void solutionWithAlgNone() throws Exception { | ||||
|     String tokenWithNoneAlgorithm = | ||||
|         Jwts.builder() | ||||
|             .setHeaderParam("alg", "none") | ||||
|             .addClaims(Map.of("admin", "true", "user", "Tom")) | ||||
|             .compact(); | ||||
|  | ||||
|     // Now checkout with the new token from Tom | ||||
|     mockMvc | ||||
|         .perform( | ||||
|             MockMvcRequestBuilders.post("/JWT/refresh/checkout") | ||||
|                 .header("Authorization", "Bearer " + tokenWithNoneAlgorithm)) | ||||
|         .andExpect(status().isOk()) | ||||
|         .andExpect(jsonPath("$.lessonCompleted", is(true))) | ||||
|         .andExpect( | ||||
|             jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-refresh-alg-none")))); | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   void checkoutWithTomsTokenFromAccessLogShouldFail() throws Exception { | ||||
|     String accessTokenTom = | ||||
|         "eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q"; | ||||
|     mockMvc | ||||
| @ -108,7 +128,7 @@ public class JWTRefreshEndpointTest extends LessonTest { | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void checkoutWitRandomTokenShouldFail() throws Exception { | ||||
|   void checkoutWitRandomTokenShouldFail() throws Exception { | ||||
|     String accessTokenTom = | ||||
|         "eyJhbGciOiJIUzUxMiJ9.eyJpLXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q"; | ||||
|     mockMvc | ||||
| @ -121,7 +141,7 @@ public class JWTRefreshEndpointTest extends LessonTest { | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void flowForJerryAlwaysWorks() throws Exception { | ||||
|   void flowForJerryAlwaysWorks() throws Exception { | ||||
|     ObjectMapper objectMapper = new ObjectMapper(); | ||||
|  | ||||
|     var loginJson = Map.of("user", "Jerry", "password", PASSWORD); | ||||
| @ -146,7 +166,7 @@ public class JWTRefreshEndpointTest extends LessonTest { | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void loginShouldNotWorkForJerryWithWrongPassword() throws Exception { | ||||
|   void loginShouldNotWorkForJerryWithWrongPassword() throws Exception { | ||||
|     ObjectMapper objectMapper = new ObjectMapper(); | ||||
|  | ||||
|     var loginJson = Map.of("user", "Jerry", "password", PASSWORD + "wrong"); | ||||
| @ -159,7 +179,7 @@ public class JWTRefreshEndpointTest extends LessonTest { | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void loginShouldNotWorkForTom() throws Exception { | ||||
|   void loginShouldNotWorkForTom() throws Exception { | ||||
|     ObjectMapper objectMapper = new ObjectMapper(); | ||||
|  | ||||
|     var loginJson = Map.of("user", "Tom", "password", PASSWORD); | ||||
| @ -172,7 +192,7 @@ public class JWTRefreshEndpointTest extends LessonTest { | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void newTokenShouldWorkForJerry() throws Exception { | ||||
|   void newTokenShouldWorkForJerry() throws Exception { | ||||
|     ObjectMapper objectMapper = new ObjectMapper(); | ||||
|     Map<String, Object> loginJson = new HashMap<>(); | ||||
|     loginJson.put("user", "Jerry"); | ||||
| @ -201,7 +221,7 @@ public class JWTRefreshEndpointTest extends LessonTest { | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void unknownRefreshTokenShouldGiveUnauthorized() throws Exception { | ||||
|   void unknownRefreshTokenShouldGiveUnauthorized() throws Exception { | ||||
|     ObjectMapper objectMapper = new ObjectMapper(); | ||||
|     Map<String, Object> loginJson = new HashMap<>(); | ||||
|     loginJson.put("user", "Jerry"); | ||||
| @ -229,21 +249,21 @@ public class JWTRefreshEndpointTest extends LessonTest { | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void noTokenWhileCheckoutShouldReturn401() throws Exception { | ||||
|   void noTokenWhileCheckoutShouldReturn401() throws Exception { | ||||
|     mockMvc | ||||
|         .perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout")) | ||||
|         .andExpect(status().isUnauthorized()); | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void noTokenWhileRequestingNewTokenShouldReturn401() throws Exception { | ||||
|   void noTokenWhileRequestingNewTokenShouldReturn401() throws Exception { | ||||
|     mockMvc | ||||
|         .perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken")) | ||||
|         .andExpect(status().isUnauthorized()); | ||||
|   } | ||||
|  | ||||
|   @Test | ||||
|   public void noTokenWhileLoginShouldReturn401() throws Exception { | ||||
|   void noTokenWhileLoginShouldReturn401() throws Exception { | ||||
|     mockMvc | ||||
|         .perform(MockMvcRequestBuilders.post("/JWT/refresh/login")) | ||||
|         .andExpect(status().isUnauthorized()); | ||||
|  | ||||
		Reference in New Issue
	
	Block a user