suggested modifications in the comments

Author: aranhams

owasp-top10-2021-apps/a1/camplake-api/README.md

@@ -66,7 +66,7 @@ curl -s -H "Content-Type: application/json" -d '{"username":"campLakeAdmin","pas
 With the created user, we will login to the application with their credentials to get the JWT token. As it is a test application, the JWT token is returned to the user as soon as he is logged in.
 
 ```sh
-curl -s -H "Content-Type: application/json" -d '{"username":"campLakeAdmin","password":"campLake2021"}' http://localhost:10007/login
+curl -s -H "Content-Type: application/json" -d '{"username":"campLakeAdmin","password":"campLake2021"}' http://localhost:20001/login
 ```
 
 <p align="center">
@@ -92,22 +92,24 @@ curl -s -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOi
 However, the API does not verify the signature used by the JWT token, any malicious user can create a fake token, as shown by the image:
 
 <p align="center">
-    <img src="images/attack_6.png"/>
+    <img src="images/attack_5.png"/>
 </p>
 
 ```sh
 curl -s -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VybmFtZSI6Imphc29uVm9vcmhlc3MiLCJleHAiOjE2MzMzODM1ODZ9.' -d '{"title": "New member ", "post": "Today a new member ..."}' http://localhost:20001/newpost
 ```
 
 <p align="center">
-    <img src="images/attack_5.png"/>
+    <img src="images/attack_6.png"/>
 </p>
 
+
 ## Secure this app
 
 How would you mitigate this vulnerability? After your changes, an attacker should not be able to:
 
-* Check and validate JWT Token signature.
+* Use fake tokens without a valid signature.
+* Impersonate other users through manipulation of the JWT.
 
 ## PR solutions
 

owasp-top10-2021-apps/a1/camplake-api/app/go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/labstack/echo v3.3.10+incompatible
 	github.com/labstack/gommon v0.3.0 // indirect
+	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.0 // indirect
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
 	gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22

owasp-top10-2021-apps/a1/camplake-api/app/go.sum

@@ -1,5 +1,6 @@
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@@ -15,7 +16,10 @@ github.com/mattn/go-isatty v0.0.9 h1:d5US/mDsogSGW37IV293h//ZFaeajb69h+EHFsv2xGg
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -29,6 +33,7 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxW
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

owasp-top10-2021-apps/a1/camplake-api/app/handlers/handlers.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/labstack/echo"
+	log "github.com/sirupsen/logrus"
 )
 
 func HealthCheck(c echo.Context) error {
@@ -27,6 +28,11 @@ func WriteCookie(c echo.Context, jwt string) error {
 func ReadCookie(c echo.Context) error {
 	cookie, err := c.Cookie("sessionIDa5")
 	if err != nil {
+		log.WithFields(
+			log.Fields{
+				"method": "ReadCookie",
+				"error":  err,
+			}).Error()
 		return err
 	}
 	fmt.Println(cookie.Name)
@@ -38,17 +44,26 @@ func NewUser(c echo.Context) error {
 	userData := types.UserData{}
 	err := c.Bind(&userData)
 	if err != nil {
-		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error user data1."})
+		log.WithFields(
+			log.Fields{
+				"method": "NewUserData",
+				"error":  err,
+			}).Error()
+		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error user data."})
 	}
 
 	newGUID := uuid.Must(uuid.NewRandom())
 	userData.UserID = newGUID.String()
 
 	err = db.RegisterUser(userData)
 	if err != nil {
+		log.WithFields(
+			log.Fields{
+				"method": "NewUserRegisterUser",
+				"error":  err,
+			}).Error()
 		errorString := fmt.Sprintf("%s", err)
 		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": errorString})
-
 	}
 
 	return c.String(http.StatusCreated, "Register: success!\n")
@@ -58,22 +73,37 @@ func Login(c echo.Context) error {
 	loginAttempt := types.LoginAttempt{}
 	err := c.Bind(&loginAttempt)
 	if err != nil {
-		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error login1."})
+		log.WithFields(
+			log.Fields{
+				"method": "LoginLoginAttempt",
+				"error":  err,
+			}).Error()
+		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Incorrect username or password."})
 	}
 
 	userDataQuery := map[string]interface{}{"username": loginAttempt.Username}
 	userDataResult, err := db.GetUserData(userDataQuery)
 	if err != nil {
-		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error login3."})
+		log.WithFields(
+			log.Fields{
+				"method": "LoginUserDataQuery",
+				"error":  err,
+			}).Error()
+		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Incorrect username or password."})
 	}
 
 	passOK := crypto.CheckPasswordHash(loginAttempt.Password, userDataResult.HashedPassword)
 	if err != nil {
-		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error login2."})
+		log.WithFields(
+			log.Fields{
+				"method": "LoginCheckPasswordHash",
+				"error":  err,
+			}).Error()
+		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Incorrect username or password."})
 	}
 
 	if !passOK {
-		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error login4."})
+		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Incorrect username or password."})
 	}
 
 	creds := types.Credentials{
@@ -82,12 +112,22 @@ func Login(c echo.Context) error {
 	// Create token
 	token, err := CreateToken(creds)
 	if err != nil {
+		log.WithFields(
+			log.Fields{
+				"method": "LoginCreateToken",
+				"error":  err,
+			}).Error()
 		return err
 	}
 
 	err = WriteCookie(c, token)
 	if err != nil {
-		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error login5."})
+		log.WithFields(
+			log.Fields{
+				"method": "LoginWriteCookie",
+				"error":  err,
+			}).Error()
+		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Incorrect username or password"})
 	}
 
 	messageLogon := fmt.Sprintf("Hello, %s! This is your token: %s\n", userDataResult.Username, token)
@@ -97,6 +137,11 @@ func Login(c echo.Context) error {
 func NewPost(c echo.Context) error {
 	var td *types.Post
 	if err := c.Bind(&td); err != nil {
+		log.WithFields(
+			log.Fields{
+				"method": "NewPost",
+				"error":  err,
+			}).Error()
 		return c.JSON(http.StatusUnprocessableEntity, "invalid json")
 	}
 

owasp-top10-2021-apps/a1/camplake-api/app/handlers/jwt.go

@@ -41,41 +41,6 @@ func ExtractToken(r *http.Request) string {
 	return ""
 }
 
-// func TokenValid(r *http.Request) error {
-// 	token := ExtractToken(r)
-// 	t := strings.Split(token, ".")
-
-// 	header := types.Header{}
-// 	claims := types.Claims{}
-
-// 	h, err := base64.StdEncoding.WithPadding(base64.NoPadding).DecodeString(t[0])
-// 	if err != nil {
-// 		return err
-// 	}
-
-// 	err = json.Unmarshal(h, &header)
-// 	if err != nil {
-// 		log.Fatalln("Error in JSON unmarshalling from json marshalled object:", err)
-// 		return err
-// 	}
-// 	if header.Typ != "JWT" {
-// 		log.Fatalln("Error on JWT")
-// 	}
-
-// 	c, err := base64.StdEncoding.WithPadding(base64.NoPadding).DecodeString(t[1])
-// 	if err != nil {
-// 		return err
-// 	}
-
-// 	err = json.Unmarshal(c, &claims)
-// 	if err != nil {
-// 		log.Fatalln("Error in JSON unmarshalling from json marshalled object:", err)
-// 		return err
-// 	}
-
-// 	return nil
-// }
-
 func TokenValid(r *http.Request) (types.Claims, error) {
 	header := types.Header{}
 	claims := types.Claims{}

owasp-top10-2021-apps/a1/camplake-api/app/server.go

@@ -95,10 +95,6 @@ func main() {
 	echoInstance := echo.New()
 	echoInstance.HideBanner = true
 
-	// echoInstance.Use(middleware.Logger())
-	// echoInstance.Use(middleware.Recover())
-	// echoInstance.Use(middleware.RequestID())
-
 	fakeUser, _ := CreateFakeToken()
 	log.Printf("Fake Token %s", fakeUser)