Merge pull request #171 from SasanLabs/Fix1
Adding Sample values
preetkaran20 authored Aug 8, 2020
2 parents 0e5224c + dbbd1f2 commit 25e5514
Showing 4 changed files with 53 additions and 29 deletions.
Expand Up @@ -5,7 +5,7 @@
import org.sasanlabs.service.exception.ServiceApplicationException;

/**
* Signes JWT token based on the various algorithms like: 1. HS256 2. RS256
* Signs JWT token based on the various algorithms like: 1. HS256 2. RS256
*
* @author KSASAN preetkaran20@gmail.com
*/
Expand Up @@ -61,6 +61,35 @@ public class JWTVulnerability implements ICustomVulnerableEndPoint {
private static final String JWT = "JWT";
private static final String JWT_COOKIE_KEY = JWT + "=";

/**
* Constant JWT's. These are precomputed because we have to return Sample Values for helping
* scanners to know about the format of the input so that they can attack accordingly. we can
* precompute these tokens because content of token is static and also keys are static.
*/
// Constant JWT HS256 Signed with High Strength Key.
private static final String PRECOMPUTED_JWT_HS256_HIGH_STRENGTH =
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.MZiW2KkIRI6GhKsu16Me7-3IpS4nBw1W47CW67QAqS0";
// Constant JWT HS256 Signed with LOW Strength Key.
private static final String PRECOMPUTED_JWT_HS256_LOW_STRENGTH =
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.kXSdJhhUKTJemgs8O0rfIJmUaxoSIDdClL_OPmaC7Eo";
// Constant JWT RS256 Signed
private static final String PRECOMPUTED_JWT_RS256 =
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0"
+ ".k5_ifQHwxXrjjg0CNExhTzkPLOk88UA3C3KlQLc2AdGQl4kXGOy46f2DZsJGopy_cT1DSVl0HfzkDhm6RTutv7fGdr7tjqwWBPu-oIBQQytVejDW4WyyuozjsWrvr"
+ "OHGMFyaO7FHEufGLRJ0ZAZ0SC4R-IAor8ggWhKaRqanKTZfTBQZWaGs3js5B7xcr2LUBRMNdGFJEJHdbMa3LtcmU-plmltesJpUcmoorFNjmt5li9xrpBSSf5-5ruj"
+ "P1lp5lEqwrRTCl07NQVXlvh6plZYR5-3WJ2IFSBEqkz9ztUNCSTHOxVF_5LG05NxhwkVsxUvcvhGLWsMtiA8yg2-P-g";
// Constant JWT RS256 signed with JWK
private static final String PRECOMPUTED_JWT_RS256_WITH_JWK =
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJlIjoiQVFBQiIsInVzZSI6InNpZyIsImtpZCI6IjhmYzgzYmE1LTRmNjUtNDg4ZS05Y"
+ "jQ5LTUyZGNhOThiZTNiZiIsIm4iOiJ4dk9ncUVyUW1XNEU0dGN3QXZQdnp1WUs0RGxxMlYzaHNKcFJwQjJyeVdwa3EydnlXeVcySlBJc2FUMjFvUkhWbmxSbzZEUmpw"
+ "ZTROd3dDb1NYUTRlVS1weXRpWG54SjdKSlNlWlVpcmIwR0NsTGMzQ3VWSDZEUzl2Z3BLcEJDMW56OHRSbkFvSDRhRDNGQVFTR3EzLU1vbm1DZ0V6X1hTOTFGeUJKS2F"
+ "qR2pidFBka0lvYzZaWUcxRjNCTXdPQmlFbUZTY2dMYmhGMTg5MVp1aDluSUNJdmJMM3hvSkJXTHRRLTZsVmZxWVZ5TWF3RlZPSFFkV1lXbXJpeXJNY2wyak5ueEszcT"
+ "E5UXYzcWdESTA3dUd4aFhXbWgwYTlPLUgyRHFiclR0X0M1ZFJPeXZONDhVOVI0WXlveE03OTdSejk0WHVJMUhqQlVGY1Z4RXlrX013SVEifX0.eyJzdWIiOiIxMjM0N"
+ "TY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.rsEJeVbj1Bukf56CMWZvGHft3-lJO0e9EhrCkrzVwHBJoB8ZKR8x"
+ "CINRtpDl327jPbTU_ouW4Dq6yCmhtrytxDsjzznUlHwKPiO7znI9oiWL98ADCJVPrlXL5VvyCk9bsJ78ADddDgTO1jYRcO6BJ2628hZZEOKBIeL0PtEwe1_1jLHEFqf"
+ "w944gGWVmwqCf3LZPZVbVZ7icLPqRABXL7_VPId2bQcc7wNlvNB3dsQzvYD31KoCpGgcuYAoql46fTZHI5v2_QxYCJH6Sp-iep9O-iN2tlHdM6dnUIQO8MGV7GWsxeL"
+ "UAqsStxiLGNZYz-uDYPr6-RieCTu5nM7KbaQ";

private ResponseBean<GenericVulnerabilityResponseBean<String>> getJWTResponseBean(
boolean isValid, String jwtToken, boolean includeToken) {
GenericVulnerabilityResponseBean<String> genericVulnerabilityResponseBean;
Expand Down Expand Up @@ -90,7 +119,7 @@ private ResponseBean<GenericVulnerabilityResponseBean<String>> getJWTResponseBea
descriptionLabel = "URL_CONTAINING_JWT_TOKEN",
htmlTemplate = "LEVEL_1/JWT_Level1",
parameterName = JWT,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevelUnsecure(
ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -126,7 +155,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
htmlTemplate = "LEVEL_2/JWT_Level2",
parameterName = JWT,
requestParameterLocation = RequestParameterLocation.COOKIE,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure2CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -174,7 +203,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
htmlTemplate = "LEVEL_2/JWT_Level2",
parameterName = JWT,
requestParameterLocation = RequestParameterLocation.COOKIE,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure3CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -228,7 +257,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
htmlTemplate = "LEVEL_2/JWT_Level2",
parameterName = JWT,
requestParameterLocation = RequestParameterLocation.COOKIE,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_HS256_LOW_STRENGTH})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure4CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -286,7 +315,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
htmlTemplate = "LEVEL_2/JWT_Level2",
parameterName = JWT,
requestParameterLocation = RequestParameterLocation.COOKIE,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure5CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -342,7 +371,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
htmlTemplate = "LEVEL_2/JWT_Level2",
parameterName = JWT,
requestParameterLocation = RequestParameterLocation.COOKIE,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure6CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -397,7 +426,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
htmlTemplate = "LEVEL_2/JWT_Level2",
parameterName = JWT,
requestParameterLocation = RequestParameterLocation.COOKIE,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_RS256})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure7CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -451,7 +480,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
htmlTemplate = "LEVEL_2/JWT_Level2",
parameterName = JWT,
requestParameterLocation = RequestParameterLocation.COOKIE,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_RS256_WITH_JWK})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure8CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -481,7 +510,6 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo

JWK jwk =
new RSAKey.Builder((RSAPublicKey) asymmetricAlgorithmKeyPair.get().getPublic())
.privateKey((RSAPrivateKey) asymmetricAlgorithmKeyPair.get().getPrivate())
.keyUse(KeyUse.SIGNATURE)
.keyID(UUID.randomUUID().toString())
.build();
Expand Down Expand Up @@ -518,7 +546,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
htmlTemplate = "LEVEL_2/JWT_Level2",
parameterName = JWT,
requestParameterLocation = RequestParameterLocation.COOKIE,
sampleValues = {""})
sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure9CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
Expand Down Expand Up @@ -562,20 +590,21 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
}

// Commented for now because this is not fully developed
// @AttackVector(
// vulnerabilityExposed = {VulnerabilitySubType.CLIENT_SIDE_VULNERABLE_JWT},
// description = "COOKIE_WITH_HTTPONLY_WITHOUT_SECURE_FLAG_BASED_JWT_VULNERABILITY")
// @AttackVector(
// vulnerabilityExposed = {VulnerabilitySubType.INSECURE_CONFIGURATION_JWT,
// @AttackVector(
// vulnerabilityExposed = {VulnerabilitySubType.CLIENT_SIDE_VULNERABLE_JWT},
// description =
// "COOKIE_WITH_HTTPONLY_WITHOUT_SECURE_FLAG_BASED_JWT_VULNERABILITY")
// @AttackVector(
// vulnerabilityExposed = {VulnerabilitySubType.INSECURE_CONFIGURATION_JWT,
// VulnerabilitySubType.BLIND_SQL_INJECTION},
// description = "COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY")
// @VulnerabilityLevel(
// value = LevelEnum.LEVEL_10,
// descriptionLabel = "COOKIE_CONTAINING_JWT_TOKEN",
// htmlTemplate = "LEVEL_2/JWT_Level2",
// parameterName = JWT,
// requestParameterLocation = RequestParameterLocation.COOKIE,
// sampleValues = {""})
// description = "COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY")
// @VulnerabilityLevel(
// value = LevelEnum.LEVEL_10,
// descriptionLabel = "COOKIE_CONTAINING_JWT_TOKEN",
// htmlTemplate = "LEVEL_2/JWT_Level2",
// parameterName = JWT,
// requestParameterLocation = RequestParameterLocation.COOKIE,
// sampleValues = {""})
public ResponseBean<GenericVulnerabilityResponseBean<String>>
getVulnerablePayloadLevelUnsecure10CookieBased(ParameterBean parameterBean)
throws UnsupportedEncodingException, ServiceApplicationException {
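Review bot: The four `PRECOMPUTED_JWT_*` constants added at the top of `JWTVulnerability` stay valid only while the signing keys they were produced with are unchanged, and nothing visible in this change checks that, so a key or keystore swap would presumably leave every `sampleValues` entry failing verification without any build error. Each constant should say which key it was signed with, for example `// Signed with <key file / keystore alias placeholder>; regenerate when that key changes.`, and a unit test that validates each constant against the currently loaded key would catch drift. Decoding the payloads also shows that the two RS256 samples carry an `"admin":true` claim that the HS256 samples lack, which looks unintended given the comment that the token content is static. The `/** … */` block attaches only to `PRECOMPUTED_JWT_HS256_HIGH_STRENGTH`, so a plain `//` section comment would describe the group more accurately. The class body continues outside these hunks.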
Expand Up @@ -85,8 +85,6 @@ public Optional<KeyPair> getAsymmetricAlgorithmKey(String algorithm) {
}

private void loadAsymmetricAlgorithmKeys() {
// for (String asymmetricAlgo : asymmetricAlgorithms) {
// Keys.keyPairFor(SignatureAlgorithm.valueOf(asymmetricAlgo))
try {
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(
Expand All @@ -108,8 +106,6 @@ private void loadAsymmetricAlgorithmKeys() {
| UnrecoverableKeyException e) {
LOGGER.error(e);
}
;
// }
}

private void initialize() {
1 change: 0 additions & 1 deletion src/main/resources/static/vulnerableApp.css
Expand Up @@ -100,7 +100,6 @@ hr {
height: 1px;
border: 0;
border-top: 1px solid black;
margin-left: 10%;
padding: 0;
}
