dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5357a65e054976cd7d79b81ef3906ded050ed921
WebGoat/src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties
Nanne Baars a9b1fd66b8 feat: implement JWT jku example (#1552) 
Closes #1539
2023-08-08 17:18:22 +02:00

41 lines
3.0 KiB
Properties
Raw Blame History

jwt.title=JWT tokens
#Assignment changing tokens
jwt-user=You are logged in as {0}, but you are not an admin yet, please try again
jwt-invalid-token=Not a valid JWT token, please try again
jwt-only-admin=Only an admin user can reset the votes
jwt-change-token-hint1=Select a different user and look at the token you receive back, use the delete button to reset the votes count
jwt-change-token-hint2=Decode the token and look at the contents
jwt-change-token-hint3=Change the contents of the token and replace the cookie before sending the request for getting the votes
jwt-change-token-hint4=Change the admin field to true in the token
jwt-change-token-hint5=Submit the token by changing the algorithm to None and remove the signature
jwt-secret-hint1=Save the token and try to verify the token locally
jwt-secret-hint2=Download a word list dictionary (https://github.com/first20hours/google-10000-english)
jwt-secret-hint3=Write a small program or use HashCat for brute forcing the token according the word list
jwt-secret-claims-missing=You are missing some claims, you should keep all the claims in the token
jwt-secret-incorrect-user=The user is {0}, you need to change it to WebGoat
jwt-refresh-hint1=Look at the access log you will find a token there
jwt-refresh-hint2=The token from the access log is no longer valid, can you find a way to refresh it?
jwt-refresh-hint3=The endpoint for refreshing a token is 'JWT/refresh/newToken'
jwt-refresh-hint4=Use the found access token in the Authorization: Bearer header and use your own refresh token
jwt-refresh-not-tom=User is not Tom but {0}, please try again
jwt-refresh-alg-none=Nicely found! You solved the assignment with 'alg: none' can you also solve it by using the refresh token?
jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom
jwt-final-not-tom=Username is not Tom try to pass a token for Tom
jwt-jku-hint1=Take a look at the token and specifically and the header
jwt-jku-hint2=The 'jku' (key ID) header parameter is a hint indicating which key is used to verify the JWS
jwt-jku-hint3=Could you use WebWolf to host the public key as a JWKS?
jwt-jku-hint4=Create a key pair and sign the token with the private key
jwt-jku-hint5=Change the JKU header claim and point it to a URL which hosts the public key in JWKS format.
jwt-kid-hint1=Take a look at the token and specifically and the header
jwt-kid-hint2=The 'kid' (key ID) header parameter is a hint indicating which key was used to secure the JWS
jwt-kid-hint3=The key can be located on the filesystem in memory or even reside in the database
jwt-kid-hint4=The key is stored in the database and loaded while verifying a token
jwt-kid-hint5=Using a SQL injection you might be able to manipulate the key to something you know and create a new token.
jwt-kid-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS -- as the kid in the header and change the contents of the token to Tom and hit the endpoint with the new token
Reference in New Issue View Git Blame Copy Permalink