dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WebGoat/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
Nanne Baars e0cf5b4a84 Removed under construction from JWT lesson
2018-05-23 14:28:19 +02:00

31 lines
2.2 KiB
Properties
Raw Blame History

jwt.title=JWT tokens
#Assignment changing tokens
jwt-user=You are logged in as {0}, but you are not an admin yet, please try again
jwt-invalid-token=Not a valid JWT token, please try again
jwt-only-admin=Only an admin user can reset the votes
jwt-change-token-hint1=Select a different user and look at the token you receive back, use the delete button to reset the votes count
jwt-change-token-hint2=Decode the token and look at the contents
jwt-change-token-hint3=Change the contents of the token and replace the cookie before sending the request for getting the votes
jwt-change-token-hint4=Change the admin field to true in the token
jwt-change-token-hint5=Submit the token by changing the algorithm to None and remove the signature
jwt-secret-hint1=Save the token and try to verify the token locally
jwt-secret-hint2=Download a word list dictionary (https://github.com/first20hours/google-10000-english)
jwt-secret-hint3=Write a small program or use HashCat for brute forcing the token according the word list
jwt-refresh-hint1=Look at the access log you will find a token there
jwt-refresh-hint2=The token from the access log is no longer valid, can you find a way to refresh it?
jwt-refresh-hint3=The endpoint for refreshing a token is 'jwt/refresh/newToken'
jwt-refresh-hint4=Use the found access token in the Authorization: Bearer header and use your refresh token
jwt-refresh-not-tom=User is not Tom but {0}, please try again
jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom
jwt-final-not-tom=Username is not Tom try to pass a token for Tom
jwt-final-hint1=Take a look at the token and specifically and the header
jwt-final-hint2=The 'kid' (key ID) header parameter is a hint indicating which key was used to secure the JWS
jwt-final-hint3=The key can be located on the filesystem in memory or even reside in the database
jwt-final-hint4=The key is stored in the database and loaded while verifying a token
jwt-final-hint5=Using a SQL injection you might be able to manipulate the key to something you know and create a new token.
jwt-final-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS -- as the kid in the header and change the contents of the token to Tom and hit the endpoint with the new token
Reference in New Issue View Git Blame Copy Permalink