主页 > 网络知识 > Java代码审计入门:WebGoat8(再会)(8)

Java代码审计入门:WebGoat8(再会)(8)

是属于Tom,exp的时间是2018年(已过期)。 

Java代码审计入门:WebGoat8(再会)

使用logfile中的token直接checkout,返回已过期提示。(Authorization头根据源码构造,Bearer 可加可不加。 )

 

代码:

Java代码审计入门:WebGoat8(再会)

JWTRefreshEndpoint.java

 

package org.owasp.webgoat.plugin; import com.google.common.collect.Lists; import com.google.common.collect.Maps; import io.jsonwebtoken.*; import org.apache.commons.lang3.RandomStringUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.WebSession; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestHeader; import org.springframework.web.bind.annotation.ResponseBody; import java.util.Date; import java.util.List; import java.util.Map; import java.util.concurrent.TimeUnit; /** * @author nbaars * @since 4/23/17. */ @AssignmentPath("/JWT/refresh/") @AssignmentHints({"jwt-refresh-hint1", "jwt-refresh-hint2", "jwt-refresh-hint3", "jwt-refresh-hint4"}) public class JWTRefreshEndpoint extends AssignmentEndpoint { public static final String PASSWORD = "bm5nhSkxCXZkKRy4"; private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4"; private static final List<String> validRefreshTokens = Lists.newArrayList(); //登陆模块 @PostMapping(value = "login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) public @ResponseBody ResponseEntity follow(@RequestBody Map<String, Object> json) { String user = (String) json.get("user"); String password = (String) json.get("password"); //验证用户名Jerry和秘密 if ("Jerry".equals(user) && PASSWORD.equals(password)) { //通过则颁发token return ResponseEntity.ok(createNewTokens(user)); } return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); } //创建token模块 private Map<String, Object> createNewTokens(String user) { Map<String, Object> claims = Maps.newHashMap(); claims.put("admin", "false"); claims.put("user", user); String token = Jwts.builder() .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10))) .setClaims(claims) .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD) .compact(); Map<String, Object> tokenJson = Maps.newHashMap(); String refreshToken = RandomStringUtils.randomAlphabetic(20); validRefreshTokens.add(refreshToken); tokenJson.put("access_token", token); tokenJson.put("refresh_token", refreshToken); return tokenJson; } //checkout模块 @PostMapping("checkout") public @ResponseBody AttackResult checkout(@RequestHeader("Authorization") String token) { try { Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); Claims claims = (Claims) jwt.getBody(); String user = (String) claims.get("user"); if ("Tom".equals(user)) { return trackProgress(success().build()); } return trackProgress(failed().feedback("jwt-refresh-not-tom").feedbackArgs(user).build()); } catch (ExpiredJwtException e) { return trackProgress(failed().output(e.getMessage()).build()); } catch (JwtException e) { return trackProgress(failed().feedback("jwt-invalid-token").build()); } } //刷新 token @PostMapping("newToken") public @ResponseBody ResponseEntity newToken(@RequestHeader("Authorization") String token, @RequestBody Map<String, Object> json) { String user; String refreshToken; try { Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", "")); user = (String) jwt.getBody().get("user"); refreshToken = (String) json.get("refresh_token"); } catch (ExpiredJwtException e) { user = (String) e.getClaims().get("user"); refreshToken = (String) json.get("refresh_token"); } //仅校验是否存在user和refreshToken,未校验两者对应关系,存在漏洞 if (user == null || refreshToken == null) { return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); } else if (validRefreshTokens.contains(refreshToken)) { validRefreshTokens.remove(refreshToken); return ResponseEntity.ok(createNewTokens(user)); } else { return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); } } }

存在问题的代码块: 

说点什么吧
  • 全部评论(0
    还没有评论,快来抢沙发吧!

您可能还会对这些文章感兴趣!