diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
index ec44e9756..4aafa0ad1 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
@@ -22,27 +22,6 @@ package org.owasp.webgoat.jwt;
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-
-import javax.crypto.Mac;
-import javax.crypto.spec.SecretKeySpec;
-import javax.sql.DataSource;
-
-import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
-
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.Jwt;
@@ -50,6 +29,19 @@ import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SigningKeyResolverAdapter;
 import io.jsonwebtoken.impl.TextCodec;
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.sql.DataSource;
+import java.sql.ResultSet;
+import java.sql.SQLException;
 /**
  *
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java
new file mode 100644
index 000000000..19817b7eb
--- /dev/null
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java
@@ -0,0 +1,52 @@
+package org.owasp.webgoat.jwt;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.io.IOException;
+
+@RestController
+public class JWTQuiz extends AssignmentEndpoint {
+
+    private final String[] solutions = {"Solution 1", "Solution 2"};
+    private final boolean[] guesses = new boolean[solutions.length];
+
+    @PostMapping("/JWT/quiz")
+    @ResponseBody
+    public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution) {
+        int correctAnswers = 0;
+
+        String[] givenAnswers = {question_0_solution[0], question_1_solution[0]};
+
+        for (int i = 0; i < solutions.length; i++) {
+            if (givenAnswers[i].contains(solutions[i])) {
+                // answer correct
+                correctAnswers++;
+                guesses[i] = true;
+            } else {
+                // answer incorrect
+                guesses[i] = false;
+            }
+        }
+
+        if (correctAnswers == solutions.length) {
+            return success(this).build();
+        } else {
+            return failed(this).build();
+        }
+    }
+
+
+
+    @GetMapping("/JWT/quiz")
+    @ResponseBody
+    public boolean[] getResults() {
+        return this.guesses;
+    }
+
+}
diff --git a/webgoat-lessons/jwt/src/main/resources/html/JWT.html b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
index 323832b61..416f28ab6 100644
--- a/webgoat-lessons/jwt/src/main/resources/html/JWT.html
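Review bot: `guesses` is mutable state on the `JWTQuiz` bean, and a `@RestController` is singleton-scoped by default, so the results one user writes in `completed` are what every other caller of `getResults` reads back, and concurrent submissions race on the same array; per-user results should be computed into a local array in `completed` and kept in whatever per-user store the lesson framework provides (not shown in this hunk), with `getResults` reading from that store instead of the controller field. Two smaller points in `completed`: `question_0_solution[0]` and `question_1_solution[0]` index without a length check, and `givenAnswers[i].contains(solutions[i])` is a substring test, so an answer such as "Solution 12" is accepted for "Solution 1" — `if (solutions[i].equals(givenAnswers[i]))` is probably what was meant. `import java.io.IOException;` is unused and should be dropped.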
+++ b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
@@ -62,7 +62,7 @@