
WS Login Service Documentation

Welcome to the WS Login Service. This service allows clients to authenticate and receive a JSON Web Token (JWT) for accessing other web services. The token includes information about the client and is valid for a limited duration.

Note for Beginners: Follow the step-by-step examples below for making requests to the login service using Burp Repeater and curl. After obtaining a token, use the instructions at the end to include the token in future requests.

Endpoint

The service is accessible at the following endpoint:

POST /webservices/rest/ws-login.php

Request Parameters

Example Request Using Burp Repeater

Here is how to send a request to the login service using Burp Repeater:

POST /webservices/rest/ws-login.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: application/json
Origin: http://mutillidae.localhost

{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret",
    "audience": "http://mutillidae.localhost/webservices/rest/ws-user-account.php"
}

Instructions:

  1. Open Burp Suite and navigate to the Repeater tab.
  2. Copy the above request and paste it into the Repeater window.
  3. Click Send to see the response from the server.

Example Request Using curl

If you prefer using the command line, here’s how you can make the same request with curl:

curl -X POST "http://mutillidae.localhost/webservices/rest/ws-login.php" \
-H "Content-Type: application/json" \
-d '{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret",
    "audience": "http://mutillidae.localhost/webservices/rest/ws-user-account.php"
}'

Instructions:

  1. Open a terminal or command prompt.
  2. Copy and paste the above curl command.
  3. Press Enter to send the request and view the response.

Expected Response

If everything works correctly, you will receive a response like this:

{
    "access_token": "your-jwt-token",
    "token_type": "bearer",
    "expires_in": 3600
}

Using the JWT Token in Subsequent Requests

After obtaining the token, include it in the Authorization header for any further requests to secured endpoints. Below are examples of how to do this with both curl and Burp Repeater.

Example Using curl

Make a request to an authenticated endpoint (e.g., ws-user-account) using curl:

curl -X GET "http://mutillidae.localhost/webservices/rest/ws-user-account.php" \
-H "Authorization: Bearer your-jwt-token"

Example Using Burp Repeater

To include the JWT token in Burp Suite:

  1. Open Burp Suite and navigate to the Repeater tab.
  2. Enter the URL of the endpoint, for example:
    GET /webservices/rest/ws-user-account.php HTTP/1.1
    Host: mutillidae.localhost
  3. In the Headers section, add an Authorization header:
    Authorization: Bearer your-jwt-token
  4. Click Send to submit the request. If the token is valid, you will receive a successful response.

Troubleshooting Tips:

Learn More

Now that you have your JWT token, you can access other authenticated services. Refer to the individual service pages for specific instructions on interacting with each service.
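The client-side handling described above (read the login response, inspect the token's claims, build the Authorization header), as an added example that is not part of the Mutillidae code. It assumes the token carries the standard RFC 7519 `aud` and `exp` claims, which this page does not confirm, and it runs on a constructed sample response rather than real server output.

```python
import base64
import json
import time

AUDIENCE = "http://mutillidae.localhost/webservices/rest/ws-user-account.php"

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    # Decoding only reads the claims. It does not verify the signature;
    # that check belongs to the service that receives the token.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def authorization_header(login_response: str, audience: str, now: float) -> dict:
    body = json.loads(login_response)
    if body.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    claims = decode_claims(body["access_token"])
    aud = claims.get("aud")  # assumed claim name (RFC 7519)
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued for a different audience")
    if claims.get("exp", 0) <= now:  # assumed claim name (RFC 7519)
        raise ValueError("token has expired; request a new one")
    return {"Authorization": "Bearer " + body["access_token"]}

def constructed_response(issued_at: int, lifetime: int = 3600) -> str:
    # Constructed sample, not real server output: placeholder signature.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(
        {"sub": "your-client-id", "aud": AUDIENCE,
         "iat": issued_at, "exp": issued_at + lifetime}).encode())
    token = f"{header}.{payload}.c2lnbmF0dXJl"
    return json.dumps({"access_token": token, "token_type": "bearer",
                       "expires_in": lifetime})

if __name__ == "__main__":
    now = int(time.time())
    print(authorization_header(constructed_response(now), AUDIENCE, now))
```

Checking the audience and expiry on the client catches a stale or misdirected token before it is sent; the receiving service still has to verify the signature itself.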