Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: implement header param injection handling for JWT vulnerabilities #473

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

feat: implement header param injection handling for JWT vulnerabilities #473

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
0c23ff9
feat: implement header param injection handling for JWT vulnerabilities
leiberbertel Aug 19, 2024
4812d61
apply spotless
leiberbertel Aug 19, 2024
262afac
apply spotless again
leiberbertel Aug 19, 2024
ebcae74
fix: modified to meet requirements
leiberbertel Sep 28, 2024
be4751a
style: apply spotless
leiberbertel Sep 28, 2024
b7cea19
fix: Maintain implementation so as not to be dependent on external de…
leiberbertel Oct 3, 2024
672b4ea
chore: removes unnecessary dependence
leiberbertel Nov 10, 2024
324fa33
refactor: removes unnecessary import
leiberbertel Nov 10, 2024
261ea39
refactor: remove boilerplate
leiberbertel Nov 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/main/java/org/sasanlabs/internal/utility/LevelConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ public interface LevelConstants {
String LEVEL_10 = "LEVEL_10";
String LEVEL_11 = "LEVEL_11";
String LEVEL_12 = "LEVEL_12";
String LEVEL_13 = "LEVEL_13";

static int getOrdinal(String level) {
if (level.indexOf("_") > 0) {
Expand Down
19 changes: 19 additions & 0 deletions src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.sasanlabs.internal.utility.LevelConstants;
Expand Down Expand Up @@ -662,4 +663,22 @@ private ResponseEntity<GenericVulnerabilityResponseBean<String>> getJWTResponseB
true, token, true, CollectionUtils.toMultiValueMap(headers));
return responseEntity;
}

@AttackVector(
vulnerabilityExposed = VulnerabilityType.HEADER_INJECTION,
description = "HEADER_INJECTION_VULNERABILITY_EXAMPLE")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please update the Locale Key for description.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I have updated it

@VulnerableAppRequestMapping(
value = LevelConstants.LEVEL_13,
htmlTemplate = "LEVEL_13/HeaderInjection_Level13")
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getHeaderInjectionVulnerability(
Copy link
Member

@preetkaran20 preetkaran20 Sep 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry but there is a Level9 which has JWK based vulnerability.
How about converting it into a secure level as an extension of level 9 where we always validate JWK header against a set of public keys and only allow if it is part of them ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@leiberbertel it is fine to have another vulnerability with same functionality as well.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand, thanks for the confirmation:).

HttpServletRequest request) {
String headerValue = request.getHeader("User-Defined-Header");
if (headerValue != null && headerValue.contains("malicious")) {
Copy link
Member

@preetkaran20 preetkaran20 Aug 24, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@leiberbertel I think this is not the right way to implement the header param injection. The real vulnerability is with optional headers like JWK or KID or JKU as implemention of library will start relying on the data provided as part of these headers for verifying signature.

Having custom/user defined headers is not wrong or considered malicious.

A simple attack is say JWT library is relying on the public key provided as part of JWK header instead of validating the public key provided with the whitelisted public key set. so attack would be a malicious user will generate key pairs and sign the jwt with its own private key and passed public key as JWK header. The backend will not validate public key against a whitelist and start relying on provided public key to validate the JWT.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @preetkaran20,
I really appreciate your detailed review and the points you highlighted. I completely agree that attacks via headers such as JWK, KID or JKU pose a significant threat, especially when the implementation does not properly validate public keys against a trusted set.

My intent with the current implementation was to demonstrate how user-defined headers can be manipulated, but I see that focusing on these critical headers such as JWK could provide a more realistic and educational example of common vulnerabilities in JWTs.

I will revise the implementation to incorporate these examples, ensuring that we clearly demonstrate how the lack of proper validation of public keys can be exploited.

Regards.

return new ResponseEntity<>(
new GenericVulnerabilityResponseBean<>("Vulnerability exploited!", false),
HttpStatus.OK);
}
return new ResponseEntity<>(
new GenericVulnerabilityResponseBean<>("Safe header", true), HttpStatus.OK);
}
}
2 changes: 1 addition & 1 deletion src/main/java/org/sasanlabs/vulnerability/types/VulnerabilityType.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ public enum VulnerabilityType {
CLIENT_SIDE_VULNERABLE_JWT(null, null),
SERVER_SIDE_VULNERABLE_JWT(null, null),
INSECURE_CONFIGURATION_JWT(null, null),

HEADER_INJECTION(20, 20),
PATH_TRAVERSAL(22, 33),

COMMAND_INJECTION(77, 31),
Expand Down
5 changes: 4 additions & 1 deletion src/main/resources/i18n/messages_en_US.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -285,4 +285,7 @@ SSRF_VULNERABILITY_URL_WITHOUT_CHECK=No validation on the provided URL.
SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL=file:// protocol is not allowed for the provided URL.
SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL_AND_169.254.169.254=file:// protocol as well as access to internal metadata service IP 169.254.169.254 is not allowed.
SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL_AND_INTERNAL_METADATA_URL=file:// protocol as well as access to internal metadata service is not allowed.
SSRF_VULNERABILITY_URL_ONLY_IF_IN_THE_WHITELIST=Only Whitelisted URL is allowed.
SSRF_VULNERABILITY_URL_ONLY_IF_IN_THE_WHITELIST=Only Whitelisted URL is allowed.

# JWT Injection Header
HEADER_INJECTION_VULNERABILITY_EXAMPLE=Header Injection Vulnerability Example
2 changes: 2 additions & 0 deletions src/main/resources/i18n/messages_es.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,8 @@ COOKIE_BASED_KEY_CONFUSION_JWT_VULNERABILITY=Validador de token JWT basado en co
COOKIE_BASED_FOR_JWK_HEADER_BASED_JWT_VULNERABILITY=Validador de token JWT basado en cookies, vulnerable por confianza en el campo JWK sin chequear antes si la clave pública provista está presente en TrustStore o no.
COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY=Token JWT basado en cookies, vulnerable por el ataque de token vacío.

# JWT Injection Header
HEADER_INJECTION_VULNERABILITY_EXAMPLE=Ejemplo de vulnerabilidad de inyección de encabezado


# SQL Injection Vulnerability
Expand Down
36 changes: 36 additions & 0 deletions src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.css
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
#header_injection_level_13 {
color: black;
text-align: justify;
}

#enterHeader {
font-size: 15px;
display: flex;
margin: 10px;
flex-direction: column;
}

#headerName, #headerValue {
flex: 1;
word-wrap: break-word;
margin-top: 10px;
}

#headerResponse {
font-size: 15px;
word-wrap: break-word;
text-align: center;
margin: 10px;
}

#sendHeader {
background: blueviolet;
display: inline-block;
padding: 4px 4px;
margin: 10px;
border: 1px solid transparent;
border-radius: 2px;
transition: 0.2s opacity;
color: #FFF;
font-size: 12px;
}
22 changes: 22 additions & 0 deletions src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Header Injection</title>
</head>
<body>
<div id="header_injection_level_13">
<div>
<div id="enterHeader">
<div>Header Name:</div>
<input type="text" id="headerName" placeholder="Enter header name" />
<div>Header Value:</div>
<input type="text" id="headerValue" placeholder="Enter header value" />
</div>
<button id="sendHeader">Send Header</button>
<div id="headerResponse"></div>
</div>
</div>

</body>
</html>
23 changes: 23 additions & 0 deletions src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
function addEventListenerToSendHeaderButton() {
document.getElementById("sendHeader").addEventListener("click", function () {
const headerName = document.getElementById("headerName").value;
const headerValue = document.getElementById("headerValue").value;

let url = getUrlForVulnerabilityLevel();

doGetAjaxCall(
function (data) {
document.getElementById("headerResponse").innerHTML = data.isValid
? "Header Injection was successful!"
: "Header Injection failed. Please try again.";
},
url,
true,
{
[headerName]: headerValue,
}
);
});
}

addEventListenerToSendHeaderButton();
7 changes: 6 additions & 1 deletion src/main/resources/static/vulnerableApp.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,7 @@ function genericResponseHandler(xmlHttpRequest, callBack, isJson) {
}
}

function doGetAjaxCall(callBack, url, isJson) {
function doGetAjaxCall(callBack, url, isJson, headers = {}) {
let xmlHttpRequest = new XMLHttpRequest();
xmlHttpRequest.onreadystatechange = function () {
genericResponseHandler(xmlHttpRequest, callBack, isJson);
Expand All @@ -245,6 +245,11 @@ function doGetAjaxCall(callBack, url, isJson) {
"Content-Type",
isJson ? "application/json" : "text/html"
);

for (const header in headers) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this change.

xmlHttpRequest.setRequestHeader(header, headers[header]);
}

xmlHttpRequest.send();
}

Expand Down
Loading