Comments (11)
This issue is because of the way the Header Variant of ZAP works: the header variant doesn't allow injecting a payload into the Authorization header (and some of the others), as for scan rules like SQL etc. there is no need to inject the payload into the Authorization header. However, in the case of the JWT scan rule the auth header becomes very important. Code: https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/parosproxy/paros/core/scanner/VariantHeader.java#L107-L108
@psiinon @thc202 @kingthorin how do we handle such use cases for other scan rules? Do we need to add a way to handle these special use cases?
thanks,
Karan
from owasp-zap-jwt-addon.
Detailed email conversation:
Gmail - Regarding the JWT Zap Scanner.pdf
If an (AbstractAppParamPlugin) scan rule needs to scan an excluded header it should do so by overriding the scan() method.
Hi @thc202,
Oh ok, then I need to move the code of the scan method into the JWT scan rule and then manipulate the param list of the HeaderVariant, right?
thanks,
Karan
I was thinking that it would "manually" check for the header and attack it. Since the scan rule is relying on NameValuePair for the scan you could override scan(List<NameValuePair>) and call the base method with a copy of that list plus the Authorization header (if present) when they are of the header type.
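What thc202 describes, written out as an added illustration; this is not code from the add-on or from ZAP core (the fix that was actually merged is the PR linked later in this thread). It assumes the ZAP core API as I understand it: AbstractAppParamPlugin exposes a protected scan(List<NameValuePair>) hook that scan() calls once per variant, NameValuePair has the constructor (type, name, value, position) plus getType()/getName() and the NameValuePair.TYPE_HEADER constant, HttpHeader.AUTHORIZATION holds "Authorization", and getBaseMsg() returns the original request. The class name AuthHeaderAwareScanRule is a placeholder; the rule's own attack logic is left to the subclass.

```java
// Added illustration of the suggested approach, not the add-on's actual code.
// Assumed ZAP API: AbstractAppParamPlugin#scan(List<NameValuePair>),
// NameValuePair(int type, String name, String value, int position),
// NameValuePair.TYPE_HEADER, HttpHeader.AUTHORIZATION, getBaseMsg().
import java.util.ArrayList;
import java.util.List;

import org.parosproxy.paros.core.scanner.AbstractAppParamPlugin;
import org.parosproxy.paros.core.scanner.NameValuePair;
import org.parosproxy.paros.network.HttpHeader;
import org.parosproxy.paros.network.HttpMessage;

// Placeholder name; a real rule would also implement the per-parameter
// scan(HttpMessage, String, String) with its JWT attacks.
public abstract class AuthHeaderAwareScanRule extends AbstractAppParamPlugin {

    @Override
    protected void scan(List<NameValuePair> nameValuePairs) {
        // Work on a copy: the list handed in belongs to the variant and is
        // shared with every other rule run against this message.
        List<NameValuePair> params = new ArrayList<>(nameValuePairs);

        // Only extend the list when the entries come from the header variant.
        // VariantHeader skips Authorization, so for any other variant (query,
        // cookie, ...) adding a header param would be wrong. An empty list
        // carries no type and is passed through untouched.
        boolean headerVariant =
                !params.isEmpty() && params.get(0).getType() == NameValuePair.TYPE_HEADER;

        if (headerVariant) {
            HttpMessage msg = getBaseMsg();
            String authValue = msg.getRequestHeader().getHeader(HttpHeader.AUTHORIZATION);

            // Guard against a core change that stops excluding the header:
            // never attack the same header twice.
            boolean alreadyListed =
                    params.stream()
                            .anyMatch(p -> HttpHeader.AUTHORIZATION.equalsIgnoreCase(p.getName()));

            if (authValue != null && !alreadyListed) {
                // Assumption: for header params the position is simply the
                // index of the entry in the list, so append at the end.
                params.add(
                        new NameValuePair(
                                NameValuePair.TYPE_HEADER,
                                HttpHeader.AUTHORIZATION,
                                authValue,
                                params.size()));
            }
        }

        // The base implementation iterates the list and calls the
        // per-parameter scan(...) for each entry, now including the
        // Authorization header that VariantHeader left out.
        super.scan(params);
    }
}
```

The type check on the first entry is what keeps this confined to the header variant; if the rule should also pick up a JWT carried in a cookie, that already arrives through the cookie variant and needs no special handling here.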
Hmm yeah, that makes sense.
from owasp-zap-jwt-addon.
PR to fix the issue: #32
Merged the PR. Now waiting for the release of the add-on: zaproxy/zaproxy#7028
Hi @yaakov123
The newer version of the add-on is available in the marketplace with this issue's fix. Please try it out.
Thanks,
Karan
Hey @preetkaran20 👋
I am encountering the same issue with a test app that I've set up for exactly this integration. I am on the latest version of both the OWASP ZAP client (2.14.0) and the add-on (1.0.3). I see that the add-on is available and active in the progress overview, but it does not seem to make any requests, while in the request inspector I can see the JWTs being sent in the Authorization header and cookies.
Could you help me out?
I can of course deliver any screenshots/logs you need to assist :)
Thanks in advance!