
Introduction to Java Code Auditing: WebGoat8 (Revisited) (9)

The handler only checks that a user and a refreshToken are both present; it never checks that the two belong to each other, and that is what creates the vulnerability.

```java
// Refresh token
@PostMapping("newToken")
public @ResponseBody ResponseEntity newToken(@RequestHeader("Authorization") String token,
                                             @RequestBody Map<String, Object> json) {
    String user;
    String refreshToken;
    try {
        Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
        user = (String) jwt.getBody().get("user");
        refreshToken = (String) json.get("refresh_token");
    } catch (ExpiredJwtException e) {
        // An expired access token is still accepted: its claims are read from the exception
        user = (String) e.getClaims().get("user");
        refreshToken = (String) json.get("refresh_token");
    }
    // Only checks that user and refreshToken exist; never checks that they belong together: this is the vulnerability
    if (user == null || refreshToken == null) {
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
    } else if (validRefreshTokens.contains(refreshToken)) {
        validRefreshTokens.remove(refreshToken);
        // Returns a new token for whatever user the JWT names
        return ResponseEntity.ok(createNewTokens(user));
    } else {
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
    }
}
```
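As an added example (not WebGoat's code), here is a Python model of the fix: the server records which user each refresh token was issued to, so a refresh token presented together with another user's access token is rejected and burned. The HS256 helper, signing key and token store are constructed for the demo; the tolerance for an expired access token mirrors the ExpiredJwtException branch above.

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed demo key; not WebGoat's signing key.
JWT_KEY = b"demo-signing-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def claims_even_if_expired(token: str) -> dict:
    # Signature is verified; an expired 'exp' is tolerated, as in the lesson's
    # ExpiredJwtException branch, because only the 'user' claim is needed here.
    head, body, sig = token.split(".")
    want = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        raise ValueError("invalid signature")
    return json.loads(_unb64(body))

# Server-side store: refresh token -> user it was issued to. The lesson keeps
# only a Set<String> of tokens, so it has nothing to compare the user against.
valid_refresh_tokens: dict[str, str] = {}

def issue_tokens(user: str, ttl: int = 60) -> dict:
    refresh = secrets.token_urlsafe(16)
    valid_refresh_tokens[refresh] = user
    access = sign_jwt({"user": user, "exp": int(time.time()) + ttl})
    return {"access_token": access, "refresh_token": refresh}

def new_token(authorization: str, body: dict) -> tuple:
    """Hardened /newToken: returns (HTTP status, payload or None)."""
    try:
        user = claims_even_if_expired(authorization.replace("Bearer ", "")).get("user")
    except ValueError:
        return 401, None
    refresh = body.get("refresh_token")
    if user is None or refresh is None:
        return 401, None
    owner = valid_refresh_tokens.pop(refresh, None)  # single use, whatever the outcome
    if owner != user:
        # Unknown/stale token, or a refresh token paired with another user's
        # access token: reject; the pop above has already revoked it.
        return 401, None
    return 200, issue_tokens(user)
```

A refresh token that is ever presented with the wrong user's access token is revoked on the spot, so the legitimate owner is forced to log in again rather than silently sharing the session.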

Approach:

Get Tom's expired JWT from the logfile.

Use the credentials Jerry/bm5nhSkxCXZkKRy4 to obtain Jerry's refresh token.

Refresh using Jerry's refresh token together with Tom's expired access token.

Check out with the refreshed token.

Get Tom's expired JWT from the logfile:

[Screenshot: Introduction to Java Code Auditing: WebGoat8 (Revisited)]

Use the credentials Jerry/bm5nhSkxCXZkKRy4 to obtain the refresh token. The credentials can be found in the source code.

[Screenshot: Introduction to Java Code Auditing: WebGoat8 (Revisited)]

Refresh using Jerry's refresh token and Tom's expired access token.

[Screenshot: Introduction to Java Code Auditing: WebGoat8 (Revisited)]

Check out with the refreshed access_token.

[Screenshot: Introduction to Java Code Auditing: WebGoat8 (Revisited)]

Summary:

When using a refresh_token mechanism, the server side should store enough information to verify that the user is still trusted (for example the IP address, how many times the refresh token has been used, and whether it is being used after the access_token has expired).

When a JWT leak and an unauthorized JWT-refresh vulnerability exist together, the result is a disaster.

Final challenges

Next we come to Tom and Jerry: we are logged in as Jerry and want to delete Tom's account.

[Screenshot: Introduction to Java Code Auditing: WebGoat8 (Revisited)]

Click Delete under Tom and intercept the request:

```http
POST /WebGoat/JWT/final/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiU**sZSI6WyJDYXQiXX0.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
Referer: :8080/WebGoat/start.mvc
Cookie: JSESSIONID=IdCcPJUZYU_2PTrz3wiXbJkNfyoJktHX2tbNhiab; JSESSIONID.3f016d14=node01p93mn1law5to1bzrhlqsjmjcz4.node0; screenResolution=1680x1050
Content-Length: 0
```