Merge pull request #171 from SasanLabs/Fix1

Adding Sample values
SasanLabs · Aug 8, 2020 · 25e5514 · 25e5514
2 parents 0e5224c + dbbd1f2
commit 25e5514
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 29 deletions.
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/jwt/IJWTTokenGenerator.java b/src/main/java/org/sasanlabs/service/vulnerability/jwt/IJWTTokenGenerator.java
@@ -5,7 +5,7 @@
 import org.sasanlabs.service.exception.ServiceApplicationException;
 
 /**
- * Signes JWT token based on the various algorithms like: 1. HS256 2. RS256
+ * Signs JWT token based on the various algorithms like: 1. HS256 2. RS256
  *
  * @author KSASAN [email protected]
  */

diff --git a/src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java
@@ -61,6 +61,35 @@ public class JWTVulnerability implements ICustomVulnerableEndPoint {
     private static final String JWT = "JWT";
     private static final String JWT_COOKIE_KEY = JWT + "=";
 
+    /**
+     * Constant JWT's. These are precomputed because we have to return Sample Values for helping
+     * scanners to know about the format of the input so that they can attack accordingly. we can
+     * precompute these tokens because content of token is static and also keys are static.
+     */
+    // Constant JWT HS256 Signed with High Strength Key.
+    private static final String PRECOMPUTED_JWT_HS256_HIGH_STRENGTH =
+            "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.MZiW2KkIRI6GhKsu16Me7-3IpS4nBw1W47CW67QAqS0";
+    // Constant JWT HS256 Signed with LOW Strength Key.
+    private static final String PRECOMPUTED_JWT_HS256_LOW_STRENGTH =
+            "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.kXSdJhhUKTJemgs8O0rfIJmUaxoSIDdClL_OPmaC7Eo";
+    // Constant JWT RS256 Signed
+    private static final String PRECOMPUTED_JWT_RS256 =
+            "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0"
+                    + ".k5_ifQHwxXrjjg0CNExhTzkPLOk88UA3C3KlQLc2AdGQl4kXGOy46f2DZsJGopy_cT1DSVl0HfzkDhm6RTutv7fGdr7tjqwWBPu-oIBQQytVejDW4WyyuozjsWrvr"
+                    + "OHGMFyaO7FHEufGLRJ0ZAZ0SC4R-IAor8ggWhKaRqanKTZfTBQZWaGs3js5B7xcr2LUBRMNdGFJEJHdbMa3LtcmU-plmltesJpUcmoorFNjmt5li9xrpBSSf5-5ruj"
+                    + "P1lp5lEqwrRTCl07NQVXlvh6plZYR5-3WJ2IFSBEqkz9ztUNCSTHOxVF_5LG05NxhwkVsxUvcvhGLWsMtiA8yg2-P-g";
+    // Constant JWT RS256 signed with JWK
+    private static final String PRECOMPUTED_JWT_RS256_WITH_JWK =
+            "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJlIjoiQVFBQiIsInVzZSI6InNpZyIsImtpZCI6IjhmYzgzYmE1LTRmNjUtNDg4ZS05Y"
+                    + "jQ5LTUyZGNhOThiZTNiZiIsIm4iOiJ4dk9ncUVyUW1XNEU0dGN3QXZQdnp1WUs0RGxxMlYzaHNKcFJwQjJyeVdwa3EydnlXeVcySlBJc2FUMjFvUkhWbmxSbzZEUmpw"
+                    + "ZTROd3dDb1NYUTRlVS1weXRpWG54SjdKSlNlWlVpcmIwR0NsTGMzQ3VWSDZEUzl2Z3BLcEJDMW56OHRSbkFvSDRhRDNGQVFTR3EzLU1vbm1DZ0V6X1hTOTFGeUJKS2F"
+                    + "qR2pidFBka0lvYzZaWUcxRjNCTXdPQmlFbUZTY2dMYmhGMTg5MVp1aDluSUNJdmJMM3hvSkJXTHRRLTZsVmZxWVZ5TWF3RlZPSFFkV1lXbXJpeXJNY2wyak5ueEszcT"
+                    + "E5UXYzcWdESTA3dUd4aFhXbWgwYTlPLUgyRHFiclR0X0M1ZFJPeXZONDhVOVI0WXlveE03OTdSejk0WHVJMUhqQlVGY1Z4RXlrX013SVEifX0.eyJzdWIiOiIxMjM0N"
+                    + "TY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.rsEJeVbj1Bukf56CMWZvGHft3-lJO0e9EhrCkrzVwHBJoB8ZKR8x"
+                    + "CINRtpDl327jPbTU_ouW4Dq6yCmhtrytxDsjzznUlHwKPiO7znI9oiWL98ADCJVPrlXL5VvyCk9bsJ78ADddDgTO1jYRcO6BJ2628hZZEOKBIeL0PtEwe1_1jLHEFqf"
+                    + "w944gGWVmwqCf3LZPZVbVZ7icLPqRABXL7_VPId2bQcc7wNlvNB3dsQzvYD31KoCpGgcuYAoql46fTZHI5v2_QxYCJH6Sp-iep9O-iN2tlHdM6dnUIQO8MGV7GWsxeL"
+                    + "UAqsStxiLGNZYz-uDYPr6-RieCTu5nM7KbaQ";
+
     private ResponseBean<GenericVulnerabilityResponseBean<String>> getJWTResponseBean(
             boolean isValid, String jwtToken, boolean includeToken) {
         GenericVulnerabilityResponseBean<String> genericVulnerabilityResponseBean;
@@ -90,7 +119,7 @@ private ResponseBean<GenericVulnerabilityResponseBean<String>> getJWTResponseBea
             descriptionLabel = "URL_CONTAINING_JWT_TOKEN",
             htmlTemplate = "LEVEL_1/JWT_Level1",
             parameterName = JWT,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
     public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevelUnsecure(
             ParameterBean parameterBean)
             throws UnsupportedEncodingException, ServiceApplicationException {
@@ -126,7 +155,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
             htmlTemplate = "LEVEL_2/JWT_Level2",
             parameterName = JWT,
             requestParameterLocation = RequestParameterLocation.COOKIE,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure2CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {
@@ -174,7 +203,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
             htmlTemplate = "LEVEL_2/JWT_Level2",
             parameterName = JWT,
             requestParameterLocation = RequestParameterLocation.COOKIE,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure3CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {
@@ -228,7 +257,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
             htmlTemplate = "LEVEL_2/JWT_Level2",
             parameterName = JWT,
             requestParameterLocation = RequestParameterLocation.COOKIE,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_HS256_LOW_STRENGTH})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure4CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {
@@ -286,7 +315,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
             htmlTemplate = "LEVEL_2/JWT_Level2",
             parameterName = JWT,
             requestParameterLocation = RequestParameterLocation.COOKIE,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure5CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {
@@ -342,7 +371,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
             htmlTemplate = "LEVEL_2/JWT_Level2",
             parameterName = JWT,
             requestParameterLocation = RequestParameterLocation.COOKIE,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure6CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {
@@ -397,7 +426,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
             htmlTemplate = "LEVEL_2/JWT_Level2",
             parameterName = JWT,
             requestParameterLocation = RequestParameterLocation.COOKIE,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_RS256})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure7CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {
@@ -451,7 +480,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
             htmlTemplate = "LEVEL_2/JWT_Level2",
             parameterName = JWT,
             requestParameterLocation = RequestParameterLocation.COOKIE,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_RS256_WITH_JWK})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure8CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {
@@ -481,7 +510,6 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
 
         JWK jwk =
                 new RSAKey.Builder((RSAPublicKey) asymmetricAlgorithmKeyPair.get().getPublic())
-                        .privateKey((RSAPrivateKey) asymmetricAlgorithmKeyPair.get().getPrivate())
                         .keyUse(KeyUse.SIGNATURE)
                         .keyID(UUID.randomUUID().toString())
                         .build();
@@ -518,7 +546,7 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
             htmlTemplate = "LEVEL_2/JWT_Level2",
             parameterName = JWT,
             requestParameterLocation = RequestParameterLocation.COOKIE,
-            sampleValues = {""})
+            sampleValues = {PRECOMPUTED_JWT_HS256_HIGH_STRENGTH})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure9CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {
@@ -562,20 +590,21 @@ public ResponseBean<GenericVulnerabilityResponseBean<String>> getVulnerablePaylo
     }
 
     // Commented for now because this is not fully developed
-    //    @AttackVector(
-    //            vulnerabilityExposed = {VulnerabilitySubType.CLIENT_SIDE_VULNERABLE_JWT},
-    //            description = "COOKIE_WITH_HTTPONLY_WITHOUT_SECURE_FLAG_BASED_JWT_VULNERABILITY")
-    //    @AttackVector(
-    //            vulnerabilityExposed = {VulnerabilitySubType.INSECURE_CONFIGURATION_JWT,
+    // @AttackVector(
+    // vulnerabilityExposed = {VulnerabilitySubType.CLIENT_SIDE_VULNERABLE_JWT},
+    // description =
+    // "COOKIE_WITH_HTTPONLY_WITHOUT_SECURE_FLAG_BASED_JWT_VULNERABILITY")
+    // @AttackVector(
+    // vulnerabilityExposed = {VulnerabilitySubType.INSECURE_CONFIGURATION_JWT,
     // VulnerabilitySubType.BLIND_SQL_INJECTION},
-    //            description = "COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY")
-    //    @VulnerabilityLevel(
-    //            value = LevelEnum.LEVEL_10,
-    //            descriptionLabel = "COOKIE_CONTAINING_JWT_TOKEN",
-    //            htmlTemplate = "LEVEL_2/JWT_Level2",
-    //            parameterName = JWT,
-    //            requestParameterLocation = RequestParameterLocation.COOKIE,
-    //            sampleValues = {""})
+    // description = "COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY")
+    // @VulnerabilityLevel(
+    // value = LevelEnum.LEVEL_10,
+    // descriptionLabel = "COOKIE_CONTAINING_JWT_TOKEN",
+    // htmlTemplate = "LEVEL_2/JWT_Level2",
+    // parameterName = JWT,
+    // requestParameterLocation = RequestParameterLocation.COOKIE,
+    // sampleValues = {""})
     public ResponseBean<GenericVulnerabilityResponseBean<String>>
             getVulnerablePayloadLevelUnsecure10CookieBased(ParameterBean parameterBean)
                     throws UnsupportedEncodingException, ServiceApplicationException {

diff --git a/src/main/java/org/sasanlabs/service/vulnerability/jwt/keys/JWTAlgorithmKMS.java b/src/main/java/org/sasanlabs/service/vulnerability/jwt/keys/JWTAlgorithmKMS.java
@@ -85,8 +85,6 @@ public Optional<KeyPair> getAsymmetricAlgorithmKey(String algorithm) {
     }
 
     private void loadAsymmetricAlgorithmKeys() {
-        // for (String asymmetricAlgo : asymmetricAlgorithms) {
-        // Keys.keyPairFor(SignatureAlgorithm.valueOf(asymmetricAlgo))
         try {
             KeyStore keyStore = KeyStore.getInstance("PKCS12");
             keyStore.load(
@@ -108,8 +106,6 @@ private void loadAsymmetricAlgorithmKeys() {
                 | UnrecoverableKeyException e) {
             LOGGER.error(e);
         }
-        ;
-        // }
     }
 
     private void initialize() {

diff --git a/src/main/resources/static/vulnerableApp.css b/src/main/resources/static/vulnerableApp.css
@@ -100,7 +100,6 @@ hr {
     height: 1px;
     border: 0;
     border-top: 1px solid black;
-    margin-left: 10%;
     padding: 0;
 }