The solution for the JWT challenge must be updated, and the challenge itself should be reviewed, due to changes in jwt.io
Thanks for reporting this! I'm not sure if we could just get away with increasing the difficulty, because the attacker now has to craft the JWT somewhere else...
@ViktorLindstrm @J12934 You are the official JWT consultants of the Juice Shop, what do you think? Should we keep the challenge and just give it +1 difficulty star?
I'm getting falsely classified as a JWT expert here 馃槄
I don't think I ever did anything JWT related for juice-shop, sure you didn't mean @tghosth?
Thanks @J12934 :)
Hi @mjaaland , thanks for noticing this, can you remind me where you saw this, comment with a link or something :)
Hey,
check out the solutions for the JWT challenge.
https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/appendix/solutions.html
Thanks. This is a more a problem with the way we described the solution, i.e. reliance on using JWT.io, The challenge itself I think is still completely valid and doesn't need changing.
I think the best fix would be to update the solution to not require jwt.io, e.g. write some simple custom code to show how to create the manipulated JWTs.
I will see if I can find time to do that but it will probably only be in a few weeks.
I agree to all inputs here, you could up the challenge in difficulty, or find a similar online based tool like jwt.io (and perhaps point to it in the hints?).
Good job to all of you, this app is awesome. I am using it in some training workshops nowdays.
This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.
Most helpful comment
Thanks. This is a more a problem with the way we described the solution, i.e. reliance on using JWT.io, The challenge itself I think is still completely valid and doesn't need changing.
I think the best fix would be to update the solution to not require jwt.io, e.g. write some simple custom code to show how to create the manipulated JWTs.
I will see if I can find time to do that but it will probably only be in a few weeks.