Merge pull request #148 from timmyteo/feature/CWE-347

Feature/CWE 347

Author: paul-ion

AttackGrams.pptx

@@ -39,6 +39,11 @@
             <artifactId>nashorn-core</artifactId>
             <version>15.4</version>
         </dependency>
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>4.4.0</version>
+        </dependency>
     </dependencies>
     <build>
         <plugins>

insecureinc/pom.xml

@@ -0,0 +1,76 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ page import="inc.insecure.*" %>
+<%@ page import="java.util.Date" %>
+<%@ page import="java.util.UUID" %>
+<%@ page import="insecure.inc.Constants" %>
+<%@ page import="com.auth0.jwt.JWT" %>
+<%@ page import="com.auth0.jwt.algorithms.Algorithm" %>
+<%
+String alertVisibility = "hidden";
+String usr = request.getParameter("usr");
+String pwd = request.getParameter("pwd");
+
+if(usr!=null && pwd!=null) { 
+	alertVisibility="";
+	if(usr.equals("demo") && pwd.equals("demo1234")) {
+    Algorithm algorithm = Algorithm.HMAC256("secret");
+    String jwtToken = JWT.create()
+      .withIssuer("Insecure Inc.")
+      .withSubject("demo")
+      .withClaim("role", "read-only")
+      .withIssuedAt(new Date())
+      .withExpiresAt(new Date(new Date().getTime() + 100000L))
+      .withJWTId(UUID.randomUUID().toString())
+      .sign(algorithm);
+
+    Cookie auth = new Cookie("auth", jwtToken);
+    auth.setHttpOnly(true);  
+
+    response.addCookie(auth);
+		response.sendRedirect("cwe347loggedin.jsp");
+	}
+}
+%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Improper Verification of Cryptographic Signature</title>
+<link rel="stylesheet" href="public/bootstrap/css/bootstrap.min.css">
+<script src="public/jquery.min.js"></script>
+<script src="public/bootstrap/js/bootstrap.min.js"></script>
+
+</head>
+<body>
+<nav class="navbar navbar-inverse">
+  <div class="container-fluid">
+    <div class="navbar-header">
+      <a class="navbar-brand" href="index.jsp">Insecure Inc.</a>
+    </div>
+    <ul class="nav navbar-nav">
+      <li class="active"><a href="#">cwe347 - Improper Verification of Cryptographic Signature</a></li>
+    </ul>
+  </div>
+</nav>
+<div class="container"> 
+<p>Welcome to cwe347 - Improper Verification of Cryptographic Signature! You can use the following guest account credentials to login, 
+user: <code>demo</code>, password: <code>demo1234</code> </p>
+<form action="cwe347.jsp" autocomplete="off" method="POST">
+<div class="form-group">
+  <label for="usr">Name:</label>
+  <input type="text" class="form-control" id="usr" name="usr">
+</div>
+<!-- disables autocomplete --><input type="text" style="display:none">
+<div class="form-group">
+  <label for="pwd">Password:</label>
+  <input type="password" class="form-control" id="pwd" name="pwd">
+</div>
+<input type="submit" id="submit" class="btn" value="Submit">
+<br><br>
+<div class="alert alert-danger <%=alertVisibility%>">
+  Invalid credentials!
+</div>
+</form>
+</div>
+</body>
+</html>

insecureinc/src/main/webapp/cwe347.jsp

@@ -0,0 +1,81 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ page import="inc.insecure.*" %>
+<%@ page import="insecure.inc.Constants" %>
+<%@ page import="com.auth0.jwt.JWT" %>
+<%@ page import="com.auth0.jwt.interfaces.DecodedJWT" %>
+<%@ page import="com.auth0.jwt.algorithms.Algorithm" %>
+<%
+
+String authCookieValue = null;
+Cookie[] cookies = request.getCookies();
+
+if(request.getParameter("logout") != null) {
+    Cookie auth = new Cookie("auth", "");
+    auth.setMaxAge(0);
+    response.addCookie(auth);
+	response.sendRedirect("cwe347.jsp?loggedin=false");
+}
+
+if (cookies != null) {
+    for (Cookie cookie : cookies) {
+        if (cookie.getName().equals("auth")) {
+            authCookieValue = cookie.getValue();
+        }
+    }
+}
+
+if(authCookieValue != null) {
+    String role;
+
+    try {
+        DecodedJWT jwt = JWT.decode(authCookieValue);
+        role = jwt.getClaim("role").asString();
+
+        if (role.equals("admin")) {
+            session.setAttribute(Constants.CHALLENGE_ID,"cwe347");
+            response.sendRedirect(Constants.SECRET_PAGE);
+        }
+    } catch(Exception e) {
+        role = e.toString();
+    }
+
+%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Guest</title>
+<link rel="stylesheet" href="public/bootstrap/css/bootstrap.min.css">
+<script src="public/jquery.min.js"></script>
+<script src="public/bootstrap/js/bootstrap.min.js"></script>
+
+</head>
+<body>
+<nav class="navbar navbar-inverse">
+  <div class="container-fluid">
+    <div class="navbar-header">
+      <a class="navbar-brand" href="index.jsp">Insecure Inc.</a>
+    </div>
+    <ul class="nav navbar-nav">
+      <li class="active"><a href="#">Guest</a></li>
+    </ul>
+    
+    <ul class="nav navbar-nav navbar-right">
+        <li><a href="cwe347loggedin.jsp?logout=true"><span class="glyphicon glyphicon-log-out"></span> Logout</a></li>
+    </ul>
+    
+  </div>
+</nav>
+<div class="container"> 
+<h1>Welcome to the guest section of the site.  </h1>
+<p>Nothing to do here.</p>
+<p>User role: <%=role%></p>
+</div>
+</body>
+</html>
+<% 
+}
+else {
+    response.sendRedirect("cwe347.jsp?loggedin=false");
+}
+%>

insecureinc/src/main/webapp/cwe347loggedin.jsp

@@ -66,6 +66,7 @@ body {
               		  <li><a href="cwe798.jsp">Use of Hard-coded Credentials</a></li>
                     	  <li><a href="cwe209.jsp">Generation of Error Message Containing Sensitive Information</a></li>
                     	  <li><a href="cwe94.jsp">Improper Control of Generation of Code ('Code Injection')</a></li>
+                          <li><a href="cwe347.jsp">Improper Verification of Cryptographic Signature</a></li>
 		          <li><a href="cwe307.jsp">Improper Restriction of Excessive Authentication Attempts</a></li>
 		          <li><a href="cwe190.jsp">Integer Overflow or Wraparound</a></li>
 		          <li><a href="cwe494.jsp">Download of Code Without Integrity Check</a></li>

insecureinc/src/main/webapp/index.jsp

@@ -0,0 +1,6 @@
+The purpose of this challenge is to demonstrate the MITRE Top 25 programming flaw: 'Improper Verification of Cryptographic Signature'.
+
+> *"The product does not verify, or incorrectly verifies, the cryptographic signature for data."*
+> - From MITRE [CWE 347](https://cwe.mitre.org/data/definitions/347.html) 
+
+The developer of the vulnerable application has implemented authentication using JSON Web Tokens (JWT), but has missed an important aspect of the token verification process. Find a way to elevate your privileges after you have logged in, so that you assume the role of "admin" in the application.

trainingportal/static/lessons/attack-grams/cryptosignature.png

@@ -0,0 +1,13 @@
+### Solution for "Improper Verification of Cryptographic Signature" challenge
+
+Systems that utilize JWT authentication must perform several checks on the token supplied in the request to have a robust authentication mechanism:
+
+- The supplied token signature matches the signature calculated for the body based on the secret only available to the server side application  
+- The token is not expired  
+- If the system implements token revocation, that the token is not revoked  
+
+To pass this challenge: 
+
+- Locate the JWT associated to your login  
+- Modify the token so that the role assigned to the token is "admin" - one useful tool that may help here is [jwt.io](https://jwt.io/)  
+- Submit the modified token to the server to elevate your permissions to admin - notice that the application doesn't validate the JWT signature calculated for the body  

trainingportal/static/lessons/blackBelt/cwe347.md

@@ -29,6 +29,15 @@
                 "solution":"cwe352.sol.md",
                 "playLink":"/cwe352.jsp",
                 "codeBlockIds":["requestForgeryPrevention"]
+            },
+            {
+                "id":"cwe347",
+                "name":"Improper Verification of Cryptographic Signature", 
+                "description": "cwe347.md",
+                "attackGram":"cryptosignature.png",
+                "solution":"cwe347.sol.md",
+                "playLink":"/cwe347.jsp",
+                "codeBlockIds":["serverSideValidation"]
             }
         ]
     },

trainingportal/static/lessons/blackBelt/cwe347.sol.md

@@ -30,7 +30,7 @@
         "name":"Black Belt",
         "summary":"Common software security flaws - part 2",
         "description":"Lessons are entry level difficulty aimed at introducing the concepts of vulnerability, exploit and software defense.",
-        "description2":"Includes 13 lessons. Estimated duration 2 hours.",
+        "description2":"Includes 14 lessons. Estimated duration 2 hours.",
         "badgeInfo":{
             "line1":"Secure Coding",
             "line2":"Black Belt",