-
-
Notifications
You must be signed in to change notification settings - Fork 415
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding more vulnerable levels to JWT Vulnerability #413
Comments
Working on this Karan. |
Hi team! I've been reviewing the work you've done with the JWT vulnerabilities in JWTVulnerability.java and would love to help expand it. I've noticed that some vulnerabilities, such as header parameter injections, are not yet covered. I have some ideas on how we can address this and other attack vectors that might be missing. Could I collaborate with you on this? I'm ready to start working as soon as I get the go-ahead. Thanks and I look forward to contributing! |
@leiberbertel Thanks a lot for going through the codebase. Yeah sure. I have assigned the ticket to you. Thanks, |
Hi Karan! I'll start reviewing everything in detail and will keep you posted on my progress. If there is anything specific you need to discuss or any additional details, feel free to let me know. I really appreciate this opportunity! Greetings, |
Hi Karan, I've linked the issue to the pull request I just created, but it looks like I didn't have the option to assign it to you directly. could you take a look at it when you have a moment, thanks in advance! Regards, |
Hi Karan, I have made the adjustments you suggested in the issue related to the JWT vulnerability. Now the implementation includes the injection of specific headers such as JWK, KID, and JKU. I have configured the logic to have the system validate the JWT using the provided JWK header and performed tests using a manipulated JWT token to confirm that the vulnerability is being handled as expected. I would like you to review the changes to make sure they serve the purpose you mentioned. I look forward to your comments. Thank you. |
Is your feature request related to a problem? Please describe.
We have many levels under JWT Vulnerability https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java but there are few attack vectors which are missing like Header Param injections as described at: https://portswigger.net/web-security/jwt.
There may be few others missing so the task is to include the missing Vulnerabilities.
The text was updated successfully, but these errors were encountered: