
Java Code Audit Primer: WebGoat8 (Farewell) (10)

Paste the token into a JWT parser. After decoding the original JWT:

header:
{
  "typ": "JWT",
  "kid": "webgoat_key",
  "alg": "HS256"
}

payload:
{
  "iss": "WebGoat Token Builder",
  "iat": 1524210904,
  "exp": 1618905304,
  "aud": "webgoat.org",
  "sub": "jerry@webgoat.com",
  "username": "Jerry",
  "Email": "jerry@webgoat.com",
  "Role": [ "Cat" ]
}

(The two fields emphasised in the original are "kid" in the header and "username" in the payload.)

Look at the code:

// Imports as used by the WebGoat 8 JWT lesson (jjwt 0.9.x API).
import io.jsonwebtoken.*;
import io.jsonwebtoken.impl.TextCodec;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;

@AssignmentPath("/JWT/final")
@AssignmentHints({"jwt-final-hint1", "jwt-final-hint2", "jwt-final-hint3",
        "jwt-final-hint4", "jwt-final-hint5", "jwt-final-hint6"})
public class JWTFinalEndpoint extends AssignmentEndpoint {

    @Autowired
    private WebSession webSession;

    @PostMapping("follow/{user}")
    public @ResponseBody String follow(@PathVariable("user") String user) {
        if ("Jerry".equals(user)) {
            return "Following yourself seems redundant";
        } else {
            return "You are now following Tom";
        }
    }

    @PostMapping("delete")
    public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
        if (StringUtils.isEmpty(token)) {
            return trackProgress(failed().feedback("jwt-invalid-token").build());
        } else {
            try {
                final String[] errorMessage = {null};
                // The signing key is resolved per token, based on the "kid" header.
                Jwt jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
                    @Override
                    public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
                        final String kid = (String) header.get("kid");
                        try {
                            Connection connection = DatabaseUtilities.getConnection(webSession);
                            // Vulnerable (intended by the lesson): attacker-controlled "kid"
                            // is concatenated straight into the SQL statement.
                            ResultSet rs = connection.createStatement().executeQuery(
                                    "SELECT key FROM jwt_keys WHERE id = '" + kid + "'");
                            while (rs.next()) {
                                // Whatever the query returns becomes the HMAC verification key.
                                return TextCodec.BASE64.decode(rs.getString(1));
                            }
                        } catch (SQLException e) {
                            errorMessage[0] = e.getMessage();
                        }
                        return null;
                    }
                }).parseClaimsJws(token);
                if (errorMessage[0] != null) {
                    return trackProgress(failed().output(errorMessage[0]).build());
                }
                Claims claims = (Claims) jwt.getBody();
                String username = (String) claims.get("username");
                if ("Jerry".equals(username)) {
                    return trackProgress(failed().feedback("jwt-final-jerry-account").build());
                }
                if ("Tom".equals(username)) {
                    return trackProgress(success().build());
                } else {
                    return trackProgress(failed().feedback("jwt-final-not-tom").build());
                }
            } catch (JwtException e) {
                return trackProgress(failed().feedback("jwt-invalid-token").output(e.toString()).build());
            }
        }
    }
}

Focus on the resetVotes method:

1. It first checks whether the token parameter is empty.

2. It then parses the token:

   Jwts.parser().setSigningKeyResolver(/* custom lookup of the signing KEY */).parseClaimsJws(token);

3. The custom lookup takes "kid" straight out of the JwsHeader and concatenates it into the SQL query string, so it is SQL-injectable; whatever the query returns is then used as the KEY for verifying the token.
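As an added example (not WebGoat's code), here is how the same resolver would be written defensively against the jjwt 0.9.x API the lesson uses. It keeps the jwt_keys table and key column from the page; the class name SafeKidResolver, the KID_FORMAT pattern and the expected-algorithm check are assumptions made for this example. The fixes are: the key id goes into a PreparedStatement parameter instead of the query string, the id must match a strict format before it is ever used, the header algorithm must be the one the server expects, and an unknown id or a database error fails the verification explicitly rather than handing null to the library.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.impl.TextCodec;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Hypothetical hardened resolver for this example (not part of WebGoat).
public class SafeKidResolver extends SigningKeyResolverAdapter {

    // Key ids are opaque server-side names: allow only a short, safe character set.
    private static final Pattern KID_FORMAT = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");
    // Only one algorithm is accepted; the token is not allowed to choose it.
    private static final String EXPECTED_ALG = "HS256";

    private final Connection connection;

    public SafeKidResolver(Connection connection) {
        this.connection = connection;
    }

    @Override
    public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
        if (!EXPECTED_ALG.equals(header.getAlgorithm())) {
            throw new JwtException("rejecting token: unexpected alg " + header.getAlgorithm());
        }

        Object kidValue = header.get("kid");
        if (!(kidValue instanceof String) || !KID_FORMAT.matcher((String) kidValue).matches()) {
            throw new JwtException("rejecting token: missing or malformed kid");
        }
        String kid = (String) kidValue;

        // Bound parameter: the kid can never change the shape of the statement.
        String sql = "SELECT key FROM jwt_keys WHERE id = ?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, kid);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    return TextCodec.BASE64.decode(rs.getString(1));
                }
            }
        } catch (SQLException e) {
            // Fail closed; do not surface the database message to the caller.
            throw new JwtException("key lookup failed", e);
        }
        throw new JwtException("rejecting token: unknown kid");
    }

    // Verifies the token and returns the validated claims, or throws JwtException.
    public static Jws<Claims> verify(Connection connection, String token) {
        return Jwts.parser()
                .setSigningKeyResolver(new SafeKidResolver(connection))
                .parseClaimsJws(token);
    }
}
```

Throwing JwtException from the resolver is deliberate: it lands in the same catch block the endpoint already has for invalid tokens, so a rejected key id produces the generic "jwt-invalid-token" feedback instead of leaking SQL error text through errorMessage[0] as the original does.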
