feat: implement header param injection handling for JWT vulnerabilities

build.gradle

@@ -150,14 +150,19 @@ dependencies {
     implementation group: 'org.json', name: 'json', version: '20190722'
 
 	//https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt
-    implementation group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '8.3'
+    implementation group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '9.31'
 
     // https://mvnrepository.com/artifact/commons-io/commons-io
     implementation group: 'commons-io', name: 'commons-io', version: '2.7'
 
     implementation group: 'io.github.sasanlabs', name: 'facade-schema', version: '1.0.1'
 
     implementation group: 'commons-fileupload', name: 'commons-fileupload', version: '1.5'
+
+    // https://mvnrepository.com/artifact/com.auth0/java-jwt
+    implementation group: 'com.auth0', name: 'java-jwt', version: '4.2.1'
+
+
 }
 
 test {

src/main/java/org/sasanlabs/internal/utility/LevelConstants.java

@@ -18,6 +18,7 @@ public interface LevelConstants {
     String LEVEL_10 = "LEVEL_10";
     String LEVEL_11 = "LEVEL_11";
     String LEVEL_12 = "LEVEL_12";
+    String LEVEL_13 = "LEVEL_13";
 
     static int getOrdinal(String level) {
         if (level.indexOf("_") > 0) {

src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java

@@ -2,6 +2,12 @@
 
 import static org.sasanlabs.service.vulnerability.jwt.bean.JWTUtils.GENERIC_BASE64_ENCODED_PAYLOAD;
 
+import com.auth0.jwt.JWT;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jwt.SignedJWT;
 import java.io.UnsupportedEncodingException;
 import java.security.KeyPair;
 import java.security.interfaces.RSAPrivateKey;
@@ -11,6 +17,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.sasanlabs.internal.utility.LevelConstants;
@@ -662,4 +669,50 @@ private ResponseEntity<GenericVulnerabilityResponseBean<String>> getJWTResponseB
                         true, token, true, CollectionUtils.toMultiValueMap(headers));
         return responseEntity;
     }
+
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.HEADER_INJECTION,
+            description = "HEADER_INJECTION_VULNERABILITY")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_13,
+            htmlTemplate = "LEVEL_13/HeaderInjection_Level13")
+    public ResponseEntity<GenericVulnerabilityResponseBean<String>> getHeaderInjectionVulnerability(
+            HttpServletRequest request) {
+        String jwtToken = request.getHeader("Authorization");
+        if (jwtToken == null || !jwtToken.startsWith(JWTUtils.BEARER_PREFIX)) {
+            return new ResponseEntity<>(
+                    new GenericVulnerabilityResponseBean<>("No JWT token provided", true),
+                    HttpStatus.BAD_REQUEST);
+        }
+
+        jwtToken = jwtToken.replaceFirst("^" + JWTUtils.BEARER_PREFIX, "").trim();
+
+        try {
+            SignedJWT signedJWT = SignedJWT.parse(jwtToken);
+
+            String jwkHeader = (String) signedJWT.getHeader().toJSONObject().get("jwk");
+
+            if (jwkHeader != null) {
+                JWK jwk = JWK.parse(jwkHeader);
+                RSAKey rsaKey = (RSAKey) jwk;
+                RSAPublicKey publicKey = rsaKey.toRSAPublicKey();
+
+                JWSVerifier verifier = new RSASSAVerifier(publicKey);
+                if (signedJWT.verify(verifier)) {
+                    return new ResponseEntity<>(
+                            new GenericVulnerabilityResponseBean<>(
+                                    "JWK Header Injection Exploited!", false),
+                            HttpStatus.OK);
+                }
+            }
+
+        } catch (Exception e) {
+            return new ResponseEntity<>(
+                    new GenericVulnerabilityResponseBean<>("Invalid JWT", true),
+                    HttpStatus.BAD_REQUEST);
+        }
+
+        return new ResponseEntity<>(
+                new GenericVulnerabilityResponseBean<>("Safe header", true), HttpStatus.OK);
+    }
 }

src/main/java/org/sasanlabs/service/vulnerability/jwt/bean/JWTUtils.java

@@ -37,6 +37,7 @@ public class JWTUtils {
     public static final String JWT_EC_ALGORITHM_IDENTIFIER = "EC";
     public static final String JWT_OCTET_ALGORITHM_IDENTIFIER = "ED";
     public static final String JWT_HMAC_SHA_256_ALGORITHM = "HS256";
+    public static final String BEARER_PREFIX = "Bearer ";
     // TODO need to make it better.
     public static final String HS256_TOKEN_TO_BE_SIGNED =
             "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."

src/main/java/org/sasanlabs/service/vulnerability/sampleVulnerability/SampleVulnerability.java

@@ -0,0 +1,109 @@
+package org.sasanlabs.service.vulnerability.sampleVulnerability;
+
+import org.sasanlabs.internal.utility.LevelConstants;
+import org.sasanlabs.internal.utility.Variant;
+import org.sasanlabs.internal.utility.annotations.AttackVector;
+import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping;
+import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController;
+import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean;
+import org.sasanlabs.vulnerability.types.VulnerabilityType;
+import org.springframework.web.bind.annotation.RequestParam;
+
+/**
+ * This is a sample vulnerability for helping developers in adding a new Vulnerability for
+ * VulnerableApp
+ *
+ * @author KSASAN [email protected]
+ */
+/**
+ * {@code VulnerableAppRestController} annotation is similar to {@link
+ * org.springframework.stereotype.Controller} Annotation
+ */
+@VulnerableAppRestController(
+        /**
+         * "descriptionLabel" parameter of annotation is i18n label stored in {@link
+         * /VulnerableApp/src/main/resources/i18n/}. This descriptionLabel will be shown in the UI
+         * as the description of the Vulnerability. It helps students to learn about the
+         * vulnerability and can also include some of the useful references etc.
+         */
+        descriptionLabel = "SAMPLE_VULNERABILITY",
+        /**
+         * "value" parameter of annotation is used to create the request mapping. e.g. for the below
+         * parameter value, /VulnerableApp/SampleVulnerability will be created as URI Path.
+         */
+        value = "SampleVulnerability")
+public class SampleVulnerability {
+
+    /**
+     * {@code AttackVector} annotation is used to create the Hints section in the User Interface.
+     * This annotation can be mentioned multiple times in case the same vulnerability level
+     */
+    @AttackVector(
+            /**
+             * "vulnerabilityExposed" parameter is used to depict the Vulnerability exposed by the
+             * level. For example say a level is exposing SQL_INJECTION.
+             */
+            vulnerabilityExposed = VulnerabilityType.SAMPLE_VULNERABILITY,
+            /**
+             * "description" parameter of annotation is i18n label stored in {@link
+             * /VulnerableApp/src/main/resources/i18n/}. This description will be shown in the UI as
+             * hint to give some indication on how the level is handling input to help user to crack
+             * the level.
+             */
+            description = "SAMPLE_VULNERABILITY_USER_INPUT_HANDLING_INJECTION",
+
+            /**
+             * "payload" parameter of annotation is i18n label stored in {@link
+             * /VulnerableApp/src/main/resources/attackvectors/*.properties}. This payload will be
+             * shown in UI to help users find/exploit the vulnerability
+             */
+            payload = "NOT_APPLICABLE")
+    /**
+     * This annotation is similar to {@link RequestMapping} SpringBoot annotation. It will map the
+     * endpoint to /VulnerableApp/SampleVulnerability/LEVEL_1 where LEVEL_1 is coming from the value
+     * parameter.
+     */
+    @VulnerableAppRequestMapping(
+            /**
+             * "value" parameter is used to map the level to URI path
+             * /VulnerableApp/SampleVulnerability/${value}.
+             */
+            value = LevelConstants.LEVEL_1,
+
+            /**
+             * "htmlTemplate" is used to load the UI for the level for taking input from the user.
+             * It points to files in directory
+             * src/main/resource/static/templates/${VulnerabilityName} e.g.
+             * src/main/resource/static/templates/SampleVulnerability as ${htmlTemplate}.js,
+             * ${htmlTemplate}.css, ${htmlTemplate}.html. e.g. in this case it will be:
+             * src/main/resource/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability_Level1.js
+             * etc
+             *
+             * <p>CSS, JS and HTML are all loaded to render the UI.
+             */
+            htmlTemplate = "LEVEL_1/SampleVulnerability")
+    public GenericVulnerabilityResponseBean<String> sampleUnsecuredLevel(
+            @RequestParam("name") String key) {
+        /** Add Business logic here */
+        return new GenericVulnerabilityResponseBean<>("Not Implemented", true);
+    }
+
+    /** For secured level there is no need for {@link AttackVector} annotation. */
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_2,
+
+            // Can reuse the same UI template in case it doesn't change between levels
+            htmlTemplate = "LEVEL_1/SampleVulnerability",
+            /**
+             * "variant" parameter defines whether the level is secure or not and same is depicted
+             * in the UI as a closed lock and open lock icon. Default value of the variant is
+             * UNSECURE so in case a secure level is added, please add the variant as {@link
+             * Variant#SECURE}
+             */
+            variant = Variant.SECURE)
+    public GenericVulnerabilityResponseBean<String> sampleSecuredLevel(
+            @RequestParam("name") String key) {
+        /** Add Business logic here */
+        return new GenericVulnerabilityResponseBean<>("Not Implemented", true);
+    }
+}

src/main/java/org/sasanlabs/vulnerability/types/VulnerabilityType.java

@@ -21,7 +21,7 @@ public enum VulnerabilityType {
     CLIENT_SIDE_VULNERABLE_JWT(null, null),
     SERVER_SIDE_VULNERABLE_JWT(null, null),
     INSECURE_CONFIGURATION_JWT(null, null),
-
+    HEADER_INJECTION(20, 20),
     PATH_TRAVERSAL(22, 33),
 
     COMMAND_INJECTION(77, 31),

src/main/resources/i18n/messages_en_US.properties

@@ -285,4 +285,7 @@ SSRF_VULNERABILITY_URL_WITHOUT_CHECK=No validation on the provided URL.
 SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL=file:// protocol is not allowed for the provided URL.
 SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL_AND_169.254.169.254=file:// protocol as well as access to internal metadata service IP 169.254.169.254 is not allowed.
 SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL_AND_INTERNAL_METADATA_URL=file:// protocol as well as access to internal metadata service is not allowed.
-SSRF_VULNERABILITY_URL_ONLY_IF_IN_THE_WHITELIST=Only Whitelisted URL is allowed.
+SSRF_VULNERABILITY_URL_ONLY_IF_IN_THE_WHITELIST=Only Whitelisted URL is allowed.
+
+# JWT Injection Header
+HEADER_INJECTION_VULNERABILITY=It tests how a JWT header can be manipulated to alter the signature verification.

src/main/resources/i18n/messages_es.properties

@@ -228,6 +228,8 @@ COOKIE_BASED_KEY_CONFUSION_JWT_VULNERABILITY=Validador de token JWT basado en co
 COOKIE_BASED_FOR_JWK_HEADER_BASED_JWT_VULNERABILITY=Validador de token JWT basado en cookies, vulnerable por confianza en el campo JWK sin chequear antes si la clave pública provista está presente en TrustStore o no.
 COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY=Token JWT basado en cookies, vulnerable por el ataque de token vacío.
 
+# JWT Injection Header
+HEADER_INJECTION_VULNERABILITY=Prueba cómo un encabezado JWT puede ser manipulado para alterar la verificación de la firma.
 
 
 # SQL Injection Vulnerability

src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.css

@@ -0,0 +1,36 @@
+#header_injection_level_13 {
+    color: black;
+    text-align: justify;
+}
+
+#enterHeader {
+    font-size: 15px;
+    display: flex;
+    margin: 10px;
+    flex-direction: column;
+}
+
+#headerName, #headerValue {
+    flex: 1;
+    word-wrap: break-word;
+    margin-top: 10px;
+}
+
+#headerResponse {
+    font-size: 15px;
+    word-wrap: break-word;
+    text-align: center;
+    margin: 10px;
+}
+
+#sendHeader {
+    background: blueviolet;
+    display: inline-block;
+    padding: 4px 4px;
+    margin: 10px;
+    border: 1px solid transparent;
+    border-radius: 2px;
+    transition: 0.2s opacity;
+    color: #FFF;
+    font-size: 12px;
+}

src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Header Injection</title>
+</head>
+<body>
+<div id="header_injection_level_13">
+    <div>
+        <div id="enterHeader">
+            <div>Header Name:</div>
+            <input type="text" id="headerName" placeholder="Enter header name" />
+            <div>Header Value:</div>
+            <input type="text" id="headerValue" placeholder="Enter header value" />
+        </div>
+        <button id="sendHeader">Send Header</button>
+        <div id="headerResponse"></div>
+    </div>
+</div>
+
+</body>
+</html>

src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.js

@@ -0,0 +1,27 @@
+function addEventListenerToSendHeaderButton() {
+  document.getElementById("sendHeader").addEventListener("click", function () {
+    const headerName = document.getElementById("headerName").value;
+    const headerValue = document.getElementById("headerValue").value;
+
+    let url = getUrlForVulnerabilityLevel();
+
+    const manipulatedJwt =
+      "eyJhbGciOiJSUzI1NiIsImtpZCI6Im1hbGljaW91cy1rZXktaWQifQ.eyJzdWIiOiJleGFtcGxldXNlciIsIm5hbWUiOiJKV1QgVXNlciIsImlhdCI6MTYwOTAxMjAwMH0.c7qHUq1HbHj8AWjKbcIYH2NZnE6PtNyXTnJTWZELvFbfbFhc5BQ_w8e24fXL2OzhhOT5qHVzFvHgOeEYFLZNGEDlJhF4o76yHsMJdWQFL4I5uZjG0o8XV0HjDdM7GqEmx2j0JHi6vJ8Q3pIqGzUBmb7bgzD4kENnP-UqfkbNl2ykYZ9Nybw_E7CAV4OxuqE4QyIpZV2VttWjefK3c6TIj9hNWvYYgipKwHFLXbOV-rOZ6K-_H_4D-kbr0LKPPX-s4b11o0wtS3y1FiHDXEvsmEjhRApEc_jk5uZY-AGPUc9Nl9t6iT_Nh1Q8Usz-jZifg03NwumJjDNtz-nS7gzg";
+
+    doGetAjaxCall(
+      function (data) {
+        document.getElementById("headerResponse").innerHTML = data.isValid
+          ? "Header Injection was successful!"
+          : "Header Injection failed. Please try again.";
+      },
+      url,
+      true,
+      {
+        [headerName]: headerValue,
+        Authorization: `Bearer ${manipulatedJwt}`,
+      }
+    );
+  });
+}
+
+addEventListenerToSendHeaderButton();

src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.css

@@ -0,0 +1,16 @@
+#SampleVulnerability {
+    color: black;
+    text-align: center;
+}
+
+#fetchDetails {
+    background: blueviolet;
+    display: inline-block;
+    padding: 8px 8px;
+    margin: 10px;
+    border: 2px solid transparent;
+    border-radius: 3px;
+    transition: 0.2s opacity;
+    color: #FFF;
+    font-size: 12px;
+}

src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.html

@@ -0,0 +1,9 @@
+<div id="SampleVulnerability">
+	<div>
+		<div id="level_info">
+			This is a Sample Vulnerability. please add the UI components here.
+		</div>
+		<button id=fetchDetails>Click Here</button>
+		<div id="response"></div>
+	</div>
+</div>

src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.js

@@ -0,0 +1,23 @@
+function addingEventListenerToFetchData() {
+  document
+    .getElementById("fetchDetails")
+    .addEventListener("click", function () {
+      /**
+       * getUrlForVulnerabilityLevel() method provides url to call the Vulnerability Level
+       * of Sample Vulnerability.
+       * e.g. /VulnerableApp/SampleVulnerability/LEVEL_1 for LEVEL_1
+       */
+      let url = getUrlForVulnerabilityLevel();
+      /**
+       * doGetAjaxCall() method is used to do the ajax get call to the Vulnerability Level
+       */
+      doGetAjaxCall(fetchDataCallback, url + "?name=dummyInput", true);
+    });
+}
+// Used to register event on the button or any other component
+addingEventListenerToFetchData();
+
+//Callback function to handle the response and render in the UI
+function fetchDataCallback(data) {
+  document.getElementById("response").innerHTML = data.content;
+}