-
-
Notifications
You must be signed in to change notification settings - Fork 421
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: implement header param injection handling for JWT vulnerabilities #473
base: master
Are you sure you want to change the base?
Changes from 5 commits
0c23ff9
4812d61
262afac
ebcae74
be4751a
b7cea19
672b4ea
324fa33
261ea39
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -150,14 +150,19 @@ dependencies { | |
implementation group: 'org.json', name: 'json', version: '20190722' | ||
|
||
//https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt | ||
implementation group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '8.3' | ||
implementation group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '9.31' | ||
|
||
// https://mvnrepository.com/artifact/commons-io/commons-io | ||
implementation group: 'commons-io', name: 'commons-io', version: '2.7' | ||
|
||
implementation group: 'io.github.sasanlabs', name: 'facade-schema', version: '1.0.1' | ||
|
||
implementation group: 'commons-fileupload', name: 'commons-fileupload', version: '1.5' | ||
|
||
// https://mvnrepository.com/artifact/com.auth0/java-jwt | ||
implementation group: 'com.auth0', name: 'java-jwt', version: '4.2.1' | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we need this version? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Currently, I have added java-jwt version 4.2.1 as it is compatible with the project dependencies and the version of Java 8 we are using. I have found no conflicts with other libraries, but I may upgrade to the latest 4.4.0 version to ensure we have the latest fixes and enhancements. Is it okay with you if I make the change? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we don't need this as we already have nimbus-jose-jwt There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks for pointing that out, I hadn't considered that nimbus-jose-jwt already covers the functionality needed to handle JWTs. I reviewed my implementation and indeed, it looks like we can dispense with java-jwt and just use nimbus-jose-jwt. I will proceed to remove the java-jwt dependency and adjust the code to work with nimbus-jose-jwt. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please let me know once you have done the changes, we can go ahead with the merging of the PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. All ready, we can continue:) |
||
|
||
|
||
} | ||
|
||
test { | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,6 +2,12 @@ | |
|
||
import static org.sasanlabs.service.vulnerability.jwt.bean.JWTUtils.GENERIC_BASE64_ENCODED_PAYLOAD; | ||
|
||
import com.auth0.jwt.JWT; | ||
import com.auth0.jwt.algorithms.Algorithm; | ||
import com.auth0.jwt.interfaces.DecodedJWT; | ||
import com.auth0.jwt.interfaces.JWTVerifier; | ||
import com.nimbusds.jose.jwk.JWK; | ||
import com.nimbusds.jose.jwk.RSAKey; | ||
import java.io.UnsupportedEncodingException; | ||
import java.security.KeyPair; | ||
import java.security.interfaces.RSAPrivateKey; | ||
|
@@ -11,6 +17,7 @@ | |
import java.util.List; | ||
import java.util.Map; | ||
import java.util.Optional; | ||
import javax.servlet.http.HttpServletRequest; | ||
import org.apache.logging.log4j.LogManager; | ||
import org.apache.logging.log4j.Logger; | ||
import org.sasanlabs.internal.utility.LevelConstants; | ||
|
@@ -662,4 +669,51 @@ private ResponseEntity<GenericVulnerabilityResponseBean<String>> getJWTResponseB | |
true, token, true, CollectionUtils.toMultiValueMap(headers)); | ||
return responseEntity; | ||
} | ||
|
||
@AttackVector( | ||
vulnerabilityExposed = VulnerabilityType.HEADER_INJECTION, | ||
description = "HEADER_INJECTION_VULNERABILITY_EXAMPLE") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. please update the Locale Key for description. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks, I have updated it |
||
@VulnerableAppRequestMapping( | ||
value = LevelConstants.LEVEL_13, | ||
htmlTemplate = "LEVEL_13/HeaderInjection_Level13") | ||
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getHeaderInjectionVulnerability( | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry but there is a Level9 which has JWK based vulnerability. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @leiberbertel it is fine to have another vulnerability with same functionality as well. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I understand, thanks for the confirmation:). |
||
HttpServletRequest request) { | ||
String jwtToken = request.getHeader("Authorization"); | ||
if (jwtToken == null || !jwtToken.startsWith("Bearer ")) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. better create a constant for "Bearer" in constants. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks, I have implemented the improvement |
||
return new ResponseEntity<>( | ||
new GenericVulnerabilityResponseBean<>("No JWT token provided", true), | ||
HttpStatus.BAD_REQUEST); | ||
} | ||
|
||
jwtToken = jwtToken.substring(7); // Remove "Bearer " prefix | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it is better to replace bearer from token instead of index substring. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks, I have implemented the improvement |
||
|
||
try { | ||
DecodedJWT decodedJWT = com.auth0.jwt.JWT.decode(jwtToken); | ||
String jwkHeader = decodedJWT.getHeaderClaim("jwk").asString(); | ||
|
||
if (jwkHeader != null) { | ||
JWK jwk = JWK.parse(jwkHeader); | ||
|
||
RSAKey rsaKey = (RSAKey) jwk; | ||
RSAPublicKey publicKey = rsaKey.toRSAPublicKey(); | ||
|
||
Algorithm algorithm = Algorithm.RSA256(publicKey, null); | ||
JWTVerifier verifier = com.auth0.jwt.JWT.require(algorithm).build(); | ||
verifier.verify(jwtToken); | ||
|
||
return new ResponseEntity<>( | ||
new GenericVulnerabilityResponseBean<>( | ||
"JWK Header Injection Exploited!", false), | ||
HttpStatus.OK); | ||
} | ||
|
||
} catch (Exception e) { | ||
return new ResponseEntity<>( | ||
new GenericVulnerabilityResponseBean<>("Invalid JWT", true), | ||
HttpStatus.BAD_REQUEST); | ||
} | ||
|
||
return new ResponseEntity<>( | ||
new GenericVulnerabilityResponseBean<>("Safe header", true), HttpStatus.OK); | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,109 @@ | ||
package org.sasanlabs.service.vulnerability.sampleVulnerability; | ||
|
||
import org.sasanlabs.internal.utility.LevelConstants; | ||
import org.sasanlabs.internal.utility.Variant; | ||
import org.sasanlabs.internal.utility.annotations.AttackVector; | ||
import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping; | ||
import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController; | ||
import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean; | ||
import org.sasanlabs.vulnerability.types.VulnerabilityType; | ||
import org.springframework.web.bind.annotation.RequestParam; | ||
|
||
/** | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. please remove samplevulnerability related code. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks, I have already removed it There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I can still see these. can you please push the changes. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes of course, please give me a few hours and I'll upload it. Thanks |
||
* This is a sample vulnerability for helping developers in adding a new Vulnerability for | ||
* VulnerableApp | ||
* | ||
* @author KSASAN [email protected] | ||
*/ | ||
/** | ||
* {@code VulnerableAppRestController} annotation is similar to {@link | ||
* org.springframework.stereotype.Controller} Annotation | ||
*/ | ||
@VulnerableAppRestController( | ||
/** | ||
* "descriptionLabel" parameter of annotation is i18n label stored in {@link | ||
* /VulnerableApp/src/main/resources/i18n/}. This descriptionLabel will be shown in the UI | ||
* as the description of the Vulnerability. It helps students to learn about the | ||
* vulnerability and can also include some of the useful references etc. | ||
*/ | ||
descriptionLabel = "SAMPLE_VULNERABILITY", | ||
/** | ||
* "value" parameter of annotation is used to create the request mapping. e.g. for the below | ||
* parameter value, /VulnerableApp/SampleVulnerability will be created as URI Path. | ||
*/ | ||
value = "SampleVulnerability") | ||
public class SampleVulnerability { | ||
|
||
/** | ||
* {@code AttackVector} annotation is used to create the Hints section in the User Interface. | ||
* This annotation can be mentioned multiple times in case the same vulnerability level | ||
*/ | ||
@AttackVector( | ||
/** | ||
* "vulnerabilityExposed" parameter is used to depict the Vulnerability exposed by the | ||
* level. For example say a level is exposing SQL_INJECTION. | ||
*/ | ||
vulnerabilityExposed = VulnerabilityType.SAMPLE_VULNERABILITY, | ||
/** | ||
* "description" parameter of annotation is i18n label stored in {@link | ||
* /VulnerableApp/src/main/resources/i18n/}. This description will be shown in the UI as | ||
* hint to give some indication on how the level is handling input to help user to crack | ||
* the level. | ||
*/ | ||
description = "SAMPLE_VULNERABILITY_USER_INPUT_HANDLING_INJECTION", | ||
|
||
/** | ||
* "payload" parameter of annotation is i18n label stored in {@link | ||
* /VulnerableApp/src/main/resources/attackvectors/*.properties}. This payload will be | ||
* shown in UI to help users find/exploit the vulnerability | ||
*/ | ||
payload = "NOT_APPLICABLE") | ||
/** | ||
* This annotation is similar to {@link RequestMapping} SpringBoot annotation. It will map the | ||
* endpoint to /VulnerableApp/SampleVulnerability/LEVEL_1 where LEVEL_1 is coming from the value | ||
* parameter. | ||
*/ | ||
@VulnerableAppRequestMapping( | ||
/** | ||
* "value" parameter is used to map the level to URI path | ||
* /VulnerableApp/SampleVulnerability/${value}. | ||
*/ | ||
value = LevelConstants.LEVEL_1, | ||
|
||
/** | ||
* "htmlTemplate" is used to load the UI for the level for taking input from the user. | ||
* It points to files in directory | ||
* src/main/resource/static/templates/${VulnerabilityName} e.g. | ||
* src/main/resource/static/templates/SampleVulnerability as ${htmlTemplate}.js, | ||
* ${htmlTemplate}.css, ${htmlTemplate}.html. e.g. in this case it will be: | ||
* src/main/resource/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability_Level1.js | ||
* etc | ||
* | ||
* <p>CSS, JS and HTML are all loaded to render the UI. | ||
*/ | ||
htmlTemplate = "LEVEL_1/SampleVulnerability") | ||
public GenericVulnerabilityResponseBean<String> sampleUnsecuredLevel( | ||
@RequestParam("name") String key) { | ||
/** Add Business logic here */ | ||
return new GenericVulnerabilityResponseBean<>("Not Implemented", true); | ||
} | ||
|
||
/** For secured level there is no need for {@link AttackVector} annotation. */ | ||
@VulnerableAppRequestMapping( | ||
value = LevelConstants.LEVEL_2, | ||
|
||
// Can reuse the same UI template in case it doesn't change between levels | ||
htmlTemplate = "LEVEL_1/SampleVulnerability", | ||
/** | ||
* "variant" parameter defines whether the level is secure or not and same is depicted | ||
* in the UI as a closed lock and open lock icon. Default value of the variant is | ||
* UNSECURE so in case a secure level is added, please add the variant as {@link | ||
* Variant#SECURE} | ||
*/ | ||
variant = Variant.SECURE) | ||
public GenericVulnerabilityResponseBean<String> sampleSecuredLevel( | ||
@RequestParam("name") String key) { | ||
/** Add Business logic here */ | ||
return new GenericVulnerabilityResponseBean<>("Not Implemented", true); | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
#header_injection_level_13 { | ||
color: black; | ||
text-align: justify; | ||
} | ||
|
||
#enterHeader { | ||
font-size: 15px; | ||
display: flex; | ||
margin: 10px; | ||
flex-direction: column; | ||
} | ||
|
||
#headerName, #headerValue { | ||
flex: 1; | ||
word-wrap: break-word; | ||
margin-top: 10px; | ||
} | ||
|
||
#headerResponse { | ||
font-size: 15px; | ||
word-wrap: break-word; | ||
text-align: center; | ||
margin: 10px; | ||
} | ||
|
||
#sendHeader { | ||
background: blueviolet; | ||
display: inline-block; | ||
padding: 4px 4px; | ||
margin: 10px; | ||
border: 1px solid transparent; | ||
border-radius: 2px; | ||
transition: 0.2s opacity; | ||
color: #FFF; | ||
font-size: 12px; | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
<!DOCTYPE html> | ||
<html lang="en"> | ||
<head> | ||
<meta charset="UTF-8"> | ||
<title>Header Injection</title> | ||
</head> | ||
<body> | ||
<div id="header_injection_level_13"> | ||
<div> | ||
<div id="enterHeader"> | ||
<div>Header Name:</div> | ||
<input type="text" id="headerName" placeholder="Enter header name" /> | ||
<div>Header Value:</div> | ||
<input type="text" id="headerValue" placeholder="Enter header value" /> | ||
</div> | ||
<button id="sendHeader">Send Header</button> | ||
<div id="headerResponse"></div> | ||
</div> | ||
</div> | ||
|
||
</body> | ||
</html> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
function addEventListenerToSendHeaderButton() { | ||
document.getElementById("sendHeader").addEventListener("click", function () { | ||
const headerName = document.getElementById("headerName").value; | ||
const headerValue = document.getElementById("headerValue").value; | ||
|
||
let url = getUrlForVulnerabilityLevel(); | ||
|
||
const manipulatedJwt = | ||
"eyJhbGciOiJSUzI1NiIsImtpZCI6Im1hbGljaW91cy1rZXktaWQifQ.eyJzdWIiOiJleGFtcGxldXNlciIsIm5hbWUiOiJKV1QgVXNlciIsImlhdCI6MTYwOTAxMjAwMH0.c7qHUq1HbHj8AWjKbcIYH2NZnE6PtNyXTnJTWZELvFbfbFhc5BQ_w8e24fXL2OzhhOT5qHVzFvHgOeEYFLZNGEDlJhF4o76yHsMJdWQFL4I5uZjG0o8XV0HjDdM7GqEmx2j0JHi6vJ8Q3pIqGzUBmb7bgzD4kENnP-UqfkbNl2ykYZ9Nybw_E7CAV4OxuqE4QyIpZV2VttWjefK3c6TIj9hNWvYYgipKwHFLXbOV-rOZ6K-_H_4D-kbr0LKPPX-s4b11o0wtS3y1FiHDXEvsmEjhRApEc_jk5uZY-AGPUc9Nl9t6iT_Nh1Q8Usz-jZifg03NwumJjDNtz-nS7gzg"; | ||
|
||
doGetAjaxCall( | ||
function (data) { | ||
document.getElementById("headerResponse").innerHTML = data.isValid | ||
? "Header Injection was successful!" | ||
: "Header Injection failed. Please try again."; | ||
}, | ||
url, | ||
true, | ||
{ | ||
[headerName]: headerValue, | ||
Authorization: `Bearer ${manipulatedJwt}`, | ||
} | ||
); | ||
}); | ||
} | ||
|
||
addEventListenerToSendHeaderButton(); |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
#SampleVulnerability { | ||
color: black; | ||
text-align: center; | ||
} | ||
|
||
#fetchDetails { | ||
background: blueviolet; | ||
display: inline-block; | ||
padding: 8px 8px; | ||
margin: 10px; | ||
border: 2px solid transparent; | ||
border-radius: 3px; | ||
transition: 0.2s opacity; | ||
color: #FFF; | ||
font-size: 12px; | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
<div id="SampleVulnerability"> | ||
<div> | ||
<div id="level_info"> | ||
This is a Sample Vulnerability. please add the UI components here. | ||
</div> | ||
<button id=fetchDetails>Click Here</button> | ||
<div id="response"></div> | ||
</div> | ||
</div> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
function addingEventListenerToFetchData() { | ||
document | ||
.getElementById("fetchDetails") | ||
.addEventListener("click", function () { | ||
/** | ||
* getUrlForVulnerabilityLevel() method provides url to call the Vulnerability Level | ||
* of Sample Vulnerability. | ||
* e.g. /VulnerableApp/SampleVulnerability/LEVEL_1 for LEVEL_1 | ||
*/ | ||
let url = getUrlForVulnerabilityLevel(); | ||
/** | ||
* doGetAjaxCall() method is used to do the ajax get call to the Vulnerability Level | ||
*/ | ||
doGetAjaxCall(fetchDataCallback, url + "?name=dummyInput", true); | ||
}); | ||
} | ||
// Used to register event on the button or any other component | ||
addingEventListenerToFetchData(); | ||
|
||
//Callback function to handle the response and render in the UI | ||
function fetchDataCallback(data) { | ||
document.getElementById("response").innerHTML = data.content; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please validate that it is backward compatible. Try to test other levels of JWT vulnerability,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have validated the other JWT vulnerabilities and they work correctly, ensuring that they stay within the expected parameters.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you !!! ❤️