
feat: implement header param injection handling for JWT vulnerabilities #473

Open
wants to merge 9 commits into base: master
fix: Maintain implementation so as not to be dependent on external dependency and update messages
leiberbertel committed Oct 3, 2024
commit b7cea1951d84ad475dd9c76b25150cd8c9579c29
@@ -3,11 +3,11 @@
import static org.sasanlabs.service.vulnerability.jwt.bean.JWTUtils.GENERIC_BASE64_ENCODED_PAYLOAD;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.JWTVerifier;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.SignedJWT;
import java.io.UnsupportedEncodingException;
import java.security.KeyPair;
import java.security.interfaces.RSAPrivateKey;
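Review bot: the import block lists both the com.auth0.jwt types (JWT, Algorithm, DecodedJWT, JWTVerifier) and the com.nimbusds types (JWSVerifier, RSASSAVerifier, JWK, RSAKey, SignedJWT), and the +/- markers did not survive extraction, so it is not visible which side each line belongs to. Since the commit message drops the external dependency and the rewritten verification code in the next hunk references only Nimbus types, please confirm that the four auth0 imports are the removed lines; any that remain would be unused imports, and if nothing else in the project uses com.auth0.jwt the dependency can also be dropped from the build file.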
@@ -672,39 +672,38 @@ private ResponseEntity<GenericVulnerabilityResponseBean<String>> getJWTResponseB

@AttackVector(
vulnerabilityExposed = VulnerabilityType.HEADER_INJECTION,
description = "HEADER_INJECTION_VULNERABILITY_EXAMPLE")
description = "HEADER_INJECTION_VULNERABILITY")
@VulnerableAppRequestMapping(
value = LevelConstants.LEVEL_13,
htmlTemplate = "LEVEL_13/HeaderInjection_Level13")
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getHeaderInjectionVulnerability(
preetkaran20 (Member) commented Sep 29, 2024:

Sorry, but there is a Level 9 which has a JWK-based vulnerability.
How about converting it into a secure level as an extension of Level 9, where we always validate the JWK header against a set of public keys and only allow it if it is part of them?

Member:

@leiberbertel it is fine to have another vulnerability with the same functionality as well.

Author:

I understand, thanks for the confirmation :).

HttpServletRequest request) {
String jwtToken = request.getHeader("Authorization");
if (jwtToken == null || !jwtToken.startsWith("Bearer ")) {
if (jwtToken == null || !jwtToken.startsWith(JWTUtils.BEARER_PREFIX)) {
return new ResponseEntity<>(
new GenericVulnerabilityResponseBean<>("No JWT token provided", true),
HttpStatus.BAD_REQUEST);
}

jwtToken = jwtToken.substring(7); // Remove "Bearer " prefix
jwtToken = jwtToken.replaceFirst("^" + JWTUtils.BEARER_PREFIX, "").trim();

try {
DecodedJWT decodedJWT = com.auth0.jwt.JWT.decode(jwtToken);
String jwkHeader = decodedJWT.getHeaderClaim("jwk").asString();
SignedJWT signedJWT = SignedJWT.parse(jwtToken);

String jwkHeader = (String) signedJWT.getHeader().toJSONObject().get("jwk");

if (jwkHeader != null) {
JWK jwk = JWK.parse(jwkHeader);

RSAKey rsaKey = (RSAKey) jwk;
RSAPublicKey publicKey = rsaKey.toRSAPublicKey();

Algorithm algorithm = Algorithm.RSA256(publicKey, null);
JWTVerifier verifier = com.auth0.jwt.JWT.require(algorithm).build();
verifier.verify(jwtToken);

return new ResponseEntity<>(
new GenericVulnerabilityResponseBean<>(
"JWK Header Injection Exploited!", false),
HttpStatus.OK);
JWSVerifier verifier = new RSASSAVerifier(publicKey);
if (signedJWT.verify(verifier)) {
return new ResponseEntity<>(
new GenericVulnerabilityResponseBean<>(
"JWK Header Injection Exploited!", false),
HttpStatus.OK);
}
}

} catch (Exception e) {
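Review bot: `(String) signedJWT.getHeader().toJSONObject().get("jwk")` will not behave as intended. The `jwk` header parameter is a JSON object, so `toJSONObject()` returns it as a `Map`, not a `String`; the cast throws `ClassCastException`, `catch (Exception e)` swallows it, and the `signedJWT.verify(verifier)` branch is never reached. Use the typed accessor instead, `JWK jwk = signedJWT.getHeader().getJWK();`, and replace the unchecked `(RSAKey) jwk` cast with an `instanceof RSAKey` check so a non-RSA key in the header yields a clear error rather than another silently caught exception. Trusting the key embedded in the token is the intended weakness of this level, so the secure counterpart preetkaran20 proposed would keep the same parsing but accept the embedded JWK only if it matches one of a fixed set of known public keys (for example by comparing its thumbprint) before verifying with it. The `catch (Exception e)` should at minimum log the cause so that a malformed header and a failed signature check are distinguishable when testing the level.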
@@ -37,6 +37,7 @@ public class JWTUtils {
public static final String JWT_EC_ALGORITHM_IDENTIFIER = "EC";
public static final String JWT_OCTET_ALGORITHM_IDENTIFIER = "ED";
public static final String JWT_HMAC_SHA_256_ALGORITHM = "HS256";
public static final String BEARER_PREFIX = "Bearer ";
// TODO need to make it better.
public static final String HS256_TOKEN_TO_BE_SIGNED =
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
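Review bot: `BEARER_PREFIX` deliberately includes the trailing space, and the controller relies on it both for the `startsWith` check and as the regex in `replaceFirst("^" + JWTUtils.BEARER_PREFIX, "")`; a one-line Javadoc stating that the trailing space is intentional would prevent a later cleanup from trimming it and silently breaking both uses. The constant sits next to the existing `// TODO need to make it better.` comment for `HS256_TOKEN_TO_BE_SIGNED`, so consider moving it above that comment so the TODO still reads as attached to the token constant.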
2 changes: 1 addition & 1 deletion src/main/resources/i18n/messages_en_US.properties
@@ -288,4 +288,4 @@ SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL_AND_INTERNAL_METADATA_URL=file:// pr
SSRF_VULNERABILITY_URL_ONLY_IF_IN_THE_WHITELIST=Only Whitelisted URL is allowed.

# JWT Injection Header
HEADER_INJECTION_VULNERABILITY_EXAMPLE=Header Injection Vulnerability Example
HEADER_INJECTION_VULNERABILITY=It tests how a JWT header can be manipulated to alter the signature verification.
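Review bot: the new description `It tests how a JWT header can be manipulated to alter the signature verification.` reads oddly as a standalone level description because of the leading "It", and it does not say which header is in play; suggest `HEADER_INJECTION_VULNERABILITY=Tests how the jwk header of a JWT can be manipulated to alter signature verification.` so that it matches the other level descriptions in this file and tells the user what the level is about. Since the `HEADER_INJECTION_VULNERABILITY_EXAMPLE` key is removed here, please also confirm that the `LEVEL_13/HeaderInjection_Level13` template and any other message bundles no longer reference it.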
2 changes: 1 addition & 1 deletion src/main/resources/i18n/messages_es.properties
@@ -229,7 +229,7 @@ COOKIE_BASED_FOR_JWK_HEADER_BASED_JWT_VULNERABILITY=Validador de token JWT basad
COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY=Token JWT basado en cookies, vulnerable por el ataque de token vacío.

# JWT Injection Header
HEADER_INJECTION_VULNERABILITY_EXAMPLE=Ejemplo de vulnerabilidad de inyección de encabezado
HEADER_INJECTION_VULNERABILITY=Prueba cómo un encabezado JWT puede ser manipulado para alterar la verificación de la firma.


# SQL Injection Vulnerability
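Review bot: the Spanish text mirrors the English description, so whatever wording is settled on for `HEADER_INJECTION_VULNERABILITY` in messages_en_US.properties (in particular naming the `jwk` header explicitly) should be carried over here as well, keeping `jwk` untranslated as a header parameter name, so the two bundles stay in sync.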