Implemented JWT Vulnerabilities (#151)

* Implemented JWT invalid signature vulnerability

* Implemented JWT algorithm confusion vulnerability

* Implemented JWT KID Path Traversal and JKU Misuse vulnerability

* Updated Documentation

Author: nikhil-rajesh

docs/challengeSolutions.md

@@ -102,4 +102,32 @@ The above challenge was completed using Burp Suite Community Edition.
 
 ### Challenge 14 - Find an endpoint that does not perform authentication checks for a user.
 
+## JWT Vulnerabilities
+
+## [Challenge 15 - Find a way to forge valid JWT Tokens](challenges.md#challenge-15---find-a-way-to-forge-valid-jwt-tokens)
+
+#### Detailed Solution
+
+##### crAPI is vulnerable to to the following JWT Vulnerabilities
+1. JWT Algorithm Confusion Vulnerability
+   - crAPI uses RS256 JWT Algorithm by default
+   - Public Key to verify JWT is available at http://localhost:8888/.well-known/jwks.json
+   - Convert the public key to base64 encoded form and use it as a secret to create a JWT in HS256 Algorithm
+   - This JWT will be accepted as a valid JWT Token by crAPI
+2. Invalid Signature Vulnerability
+   - User Dashboard API is not validating JWT signature
+   - Create a JWT with `sub` header set to a different user's email
+   - With the above JWT you will be able to extract user data from user dashboard API endpoint
+3. JKU Misuse Vulnerability
+   - crAPI will verify JWT token with any public key that is pointed to by the `jku` JWT header
+   - Create your own public/private key pair and sign a JWT in RS256 Algorithm
+   - Host the public key somewhere in JWK format
+   - Pass the public key URL in `jku` header of the JWT with appropriate `kid` header
+   - This JWT will be accepted as a valid JWT Token by crAPI
+4. KID Path Traversal Vulnerability
+   - Set the `kid` header of JWT to `../../../../../../dev/null`
+   - Create a custom JWT in HS256 algorithm with secret as `AA==`
+     - `AA==` is the Base64 encoded form of Hex null byte `00`
+   - This JWT will be accepted as a valid JWT Token by crAPI
+
 ## << 2 secret challenges >>

docs/challenges.md

@@ -93,6 +93,12 @@ After solving the "Find an API endpoint that leaks an internal property of video
 
 ### Challenge 14 - Find an endpoint that does not perform authentication checks for a user.
 
+## JWT Vulnerabilities
+
+### Challenge 15 - Find a way to forge valid JWT Tokens
+
+JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform.
+
 ## << 2 secret challenges >>
 
 There are two more secret challenges in crAPI, that are pretty complex, and for now we don’t share details about them, except the fact they are really cool. 

services/identity/src/main/java/com/crapi/config/JwtAuthTokenFilter.java

@@ -17,7 +17,7 @@
 import com.crapi.enums.EStatus;
 import com.crapi.service.Impl.UserDetailsServiceImpl;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
+import java.text.ParseException;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -87,8 +87,7 @@ public String getJwt(HttpServletRequest request) {
    * @return return username from HttpServletRequest if request have token we are returning username
    *     from request token
    */
-  public String getUserFromToken(HttpServletRequest request) throws UnsupportedEncodingException {
-
+  public String getUserFromToken(HttpServletRequest request) throws ParseException {
     String jwt = getJwt(request);
     if (jwt != null && tokenProvider.validateJwtToken(jwt)) {
       String username = tokenProvider.getUserNameFromJwtToken(jwt);

services/identity/src/main/java/com/crapi/config/JwtProvider.java

@@ -17,14 +17,20 @@
 import com.crapi.entity.User;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
-import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.*;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jwt.JWTParser;
+import com.nimbusds.jwt.SignedJWT;
 import io.jsonwebtoken.*;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.URI;
+import java.net.URLConnection;
+import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
 import java.text.ParseException;
 import java.util.*;
@@ -43,6 +49,8 @@ public class JwtProvider {
 
   private KeyPair keyPair;
 
+  private RSAKey publicRSAKey;
+
   private Map<String, Object> publicJwkSet;
 
   public JwtProvider(@Value("${app.jwksJson}") String jwksJson) {
@@ -56,14 +64,15 @@ public JwtProvider(@Value("${app.jwksJson}") String jwksJson) {
       }
 
       RSAKey rsaKey = keys.get(0).toRSAKey();
+      this.publicRSAKey = rsaKey.toPublicJWK();
       this.keyPair = rsaKey.toKeyPair();
       this.publicJwkSet = jwkSet.toJSONObject();
     } catch (IOException | ParseException | JOSEException e) {
       throw new RuntimeException(e);
     }
   }
 
-  public String getPublicJwk() {
+  public String getPublicJwkSet() {
     Gson gson = new GsonBuilder().setPrettyPrinting().create();
     return gson.toJson(this.publicJwkSet);
   }
@@ -86,12 +95,45 @@ public String generateJwtToken(User user) {
    * @param token
    * @return username from JWT Token
    */
-  public String getUserNameFromJwtToken(String token) {
-    return Jwts.parser()
-        .setSigningKey(this.keyPair.getPublic())
-        .parseClaimsJws(token)
-        .getBody()
-        .getSubject();
+  public String getUserNameFromJwtToken(String token) throws ParseException {
+    // Parse without verifying token signature
+    return JWTParser.parse(token).getJWTClaimsSet().getSubject();
+  }
+
+  // Load RSA Public Key for JKU header if present
+  private RSAKey getKeyFromJkuHeader(JWSHeader header) {
+    try {
+      URI jku = header.getJWKURL();
+      if (jku != null) {
+        URLConnection connection = jku.toURL().openConnection();
+        JWKSet jwkSet = JWKSet.load(connection.getInputStream());
+        logger.info("JWKSet from URL : " + jwkSet.toString(false));
+        JWK key = jwkSet.getKeyByKeyId(header.getKeyID());
+        if (key != null && Objects.equals(key.getAlgorithm().getName(), "RS256")) {
+          return key.toRSAKey().toPublicJWK();
+        }
+      }
+    } catch (IOException | ParseException e) {
+      return null;
+    }
+
+    return null;
+  }
+
+  // Construct secret for JWT Verification through HS256 (vulnerability)
+  private String getJwtSecret(JWSHeader header) throws JOSEException {
+    // defaultSecret is RSA Public Key as String
+    // Algorithm Confusion Attack
+    Base64.Encoder encoder = Base64.getEncoder();
+    String defaultSecret = encoder.encodeToString(this.publicRSAKey.toPublicKey().getEncoded());
+
+    // Check if KID header is pointing to /dev/null file
+    String kid = header.getKeyID();
+    if (kid != null && kid.contains("/dev/null")) {
+      return "AA==";
+    }
+
+    return defaultSecret;
   }
 
   /**
@@ -100,20 +142,36 @@ public String getUserNameFromJwtToken(String token) {
    */
   public boolean validateJwtToken(String authToken) {
     try {
-      Jwts.parser().setSigningKey(this.keyPair.getPublic()).parseClaimsJws(authToken);
-      return true;
-    } catch (SignatureException e) {
-      logger.error("Invalid JWT signature -> Message: %d ", e);
-    } catch (MalformedJwtException e) {
-      logger.error("Invalid JWT token -> Message: %d", e);
-    } catch (ExpiredJwtException e) {
-      logger.error("Expired JWT token -> Message: %d", e);
-    } catch (UnsupportedJwtException e) {
-      logger.error("Unsupported JWT token -> Message: %d", e);
-    } catch (IllegalArgumentException e) {
-      logger.error("JWT claims string is empty -> Message: %d", e);
-      //    } catch (UnsupportedEncodingException e) {
-      //      logger.error("Unable to convert into byte -> Message: %d", e);
+      SignedJWT signedJWT = SignedJWT.parse(authToken);
+      JWSHeader header = signedJWT.getHeader();
+      Algorithm alg = header.getAlgorithm();
+
+      // JWT Algorithm confusion vulnerability
+      logger.info("Algorithm: " + alg.getName());
+      if (Objects.equals(alg.getName(), "HS256")) {
+        String secret = getJwtSecret(header);
+        logger.info("JWT Secret: " + secret);
+        Jwts.parser()
+            .setSigningKey(secret.getBytes(StandardCharsets.UTF_8))
+            .parseClaimsJws(authToken);
+        return true;
+      } else {
+        RSAKey verificationKey = getKeyFromJkuHeader(header);
+        JWSVerifier verifier;
+        if (verificationKey == null) {
+          verifier = new RSASSAVerifier(this.publicRSAKey);
+        } else {
+          logger.info("Key from JKU: " + verificationKey.toJSONString());
+          verifier = new RSASSAVerifier(verificationKey);
+        }
+
+        return signedJWT.verify(verifier);
+      }
+
+    } catch (ParseException e) {
+      logger.error("Could not parse JWT Token -> Message: %d", e);
+    } catch (JOSEException e) {
+      logger.error("RSA JWK Extraction failed -> Message: %d", e);
     }
 
     return false;

services/identity/src/main/java/com/crapi/config/WebSecurityConfig.java

@@ -79,7 +79,8 @@ protected void configure(HttpSecurity http) throws Exception {
         .csrf()
         .disable()
         .authorizeRequests()
-        .antMatchers("/identity/api/auth/**", "/identity/health_check")
+        .antMatchers(
+            "/identity/api/auth/**", "/identity/health_check", "/identity/api/v2/user/dashboard")
         .permitAll()
         .anyRequest()
         .authenticated()

services/identity/src/main/java/com/crapi/controller/AuthController.java

@@ -102,7 +102,7 @@ public ResponseEntity<CRAPIResponse> verifyJwtToken(
 
   @GetMapping("/jwks.json")
   public ResponseEntity<String> verifyJwtToken() {
-    return ResponseEntity.status(HttpStatus.OK).body(jwtProvider.getPublicJwk());
+    return ResponseEntity.status(HttpStatus.OK).body(jwtProvider.getPublicJwkSet());
   }
 
   /**

services/identity/src/main/java/com/crapi/service/Impl/UserServiceImpl.java

@@ -28,7 +28,7 @@
 import com.crapi.utils.EmailTokenGenerator;
 import com.crapi.utils.MailBody;
 import com.crapi.utils.SMTPMailServer;
-import java.io.UnsupportedEncodingException;
+import java.text.ParseException;
 import javax.servlet.http.HttpServletRequest;
 import javax.transaction.Transactional;
 import org.apache.logging.log4j.LogManager;
@@ -77,8 +77,7 @@ public UserServiceImpl() {
 
   @Transactional
   @Override
-  public JwtResponse authenticateUserLogin(LoginForm loginForm)
-      throws UnsupportedEncodingException, BadCredentialsException {
+  public JwtResponse authenticateUserLogin(LoginForm loginForm) throws BadCredentialsException {
     JwtResponse jwtResponse = new JwtResponse();
     Authentication authentication = null;
     if (loginForm.getEmail() != null) {
@@ -115,7 +114,7 @@ public JwtResponse authenticateUserLogin(LoginForm loginForm)
   }
 
   /**
-   * @param verifyTokenRequest contains JWT token to be verified
+   * @param token contains JWT token to be verified
    * @return boolean with token valid or not
    */
   @Transactional
@@ -172,7 +171,9 @@ public DashboardResponse getUserByRequestToken(HttpServletRequest request) {
     DashboardResponse dashboardResponse;
     ProfileVideo profileVideo;
     try {
-      user = getUserFromToken(request);
+      // Invalid Signature vulnerability
+      // Not Checking the validity of the token for this request
+      user = getUserFromTokenWithoutValidation(request);
       userDetails = userDetailsRepository.findByUser_id(user.getId());
       profileVideo = profileVideoRepository.findByUser_id(user.getId());
       dashboardResponse =
@@ -297,12 +298,34 @@ public User getUserFromToken(HttpServletRequest request) {
       } else {
         throw new EntityNotFoundException(User.class, "userEmail", username);
       }
-    } catch (UnsupportedEncodingException exception) {
+    } catch (ParseException exception) {
       logger.error("fail to get username from token -> Message:%d", exception);
       throw new EntityNotFoundException(User.class, "userEmail", username);
     }
   }
 
+  @Transactional
+  @Override
+  public User getUserFromTokenWithoutValidation(HttpServletRequest request) {
+    User user = null;
+    try {
+      String jwt = jwtAuthTokenFilter.getJwt(request);
+      String username = jwtProvider.getUserNameFromJwtToken(jwt);
+      if (username != null && !username.equalsIgnoreCase(EStatus.INVALID.toString())) {
+        user = userRepository.findByEmail(username);
+      }
+
+      if (user != null) {
+        return user;
+      } else {
+        throw new EntityNotFoundException(User.class, "userEmail", username);
+      }
+    } catch (ParseException exception) {
+      logger.error("fail to get username from token -> Message:%d", exception);
+      throw new EntityNotFoundException(User.class, "userEmail");
+    }
+  }
+
   /**
    * @param loginWithEmailToken contains user email and email change token, which allow user login
    *     with email token
@@ -319,7 +342,7 @@ else if (loginWithEmailToken.getToken() == null)
   }
 
   /**
-   * @param loginWithEmailTokenV2 contains user email and email change token, which allow user login
+   * @param loginWithEmailToken contains user email and email change token, which allow user login
    *     with email token
    * @return check user and token and return jwt token for user.
    */

services/identity/src/main/java/com/crapi/service/UserService.java

@@ -36,6 +36,8 @@ CRAPIResponse resetPassword(LoginForm loginForm, HttpServletRequest request)
 
   User getUserFromToken(HttpServletRequest request);
 
+  User getUserFromTokenWithoutValidation(HttpServletRequest request);
+
   CRAPIResponse loginWithEmailToken(LoginWithEmailToken loginWithEmailToken);
 
   JwtResponse loginWithEmailTokenV2(LoginWithEmailToken loginWithEmailToken);

services/identity/src/test/java/com/crapi/service/Impl/UserServiceImplTest.java

@@ -39,6 +39,7 @@
 import com.crapi.service.VehicleService;
 import com.crapi.utils.SMTPMailServer;
 import java.io.UnsupportedEncodingException;
+import java.text.ParseException;
 import lombok.SneakyThrows;
 import org.apache.logging.log4j.core.Appender;
 import org.apache.logging.log4j.core.LogEvent;
@@ -106,8 +107,7 @@ public void resetPasswordThrowsExceptionWhenUserNotFound() {
   }
 
   @Test(expected = EntityNotFoundException.class)
-  public void testGetUserFromTokenThrowsExceptionWhenUserNotFound()
-      throws UnsupportedEncodingException {
+  public void testGetUserFromTokenThrowsExceptionWhenUserNotFound() throws ParseException {
     Mockito.when(jwtAuthTokenFilter.getUserFromToken(Mockito.any())).thenReturn(null);
     userService.getUserFromToken(getMockHttpRequest());
   }
@@ -118,8 +118,8 @@ public void testGetUserFromToken() {
     User user = getDummyUser();
     try {
       Mockito.when(jwtAuthTokenFilter.getUserFromToken(Mockito.any())).thenReturn(user.getEmail());
-    } catch (UnsupportedEncodingException e) {
-      logger.error("UnsupportedEncodingException");
+    } catch (ParseException e) {
+      logger.error("ParseException");
     }
     Assertions.assertEquals(userService.getUserFromToken(getMockHttpRequest()), user);
     Mockito.when(userRepository.findByEmail(Mockito.any())).thenReturn(user);
@@ -204,7 +204,7 @@ public void getUserByRequestTokenRequestSuccessFull() {
     User user = getDummyUser();
     UserDetails userDetails = getDummyUserDetails();
     ProfileVideo profileVideo = getDummyProfileVideo();
-    Mockito.doReturn(user).when(userService).getUserFromToken(Mockito.any());
+    Mockito.doReturn(user).when(userService).getUserFromTokenWithoutValidation(Mockito.any());
     userDetailsRepository.findByUser_id(user.getId());
     Mockito.when(userDetailsRepository.findByUser_id(Mockito.anyLong())).thenReturn(userDetails);
     Mockito.when(profileVideoRepository.findByUser_id(Mockito.anyLong()))
@@ -220,7 +220,7 @@ public void getUserByRequestTokenRequestSuccessFull() {
   public void getUserByRequestTokenRequestSuccessFullWhenUserDetailsNull() {
     User user = getDummyUser();
     ProfileVideo profileVideo = getDummyProfileVideo();
-    Mockito.doReturn(user).when(userService).getUserFromToken(Mockito.any());
+    Mockito.doReturn(user).when(userService).getUserFromTokenWithoutValidation(Mockito.any());
     userDetailsRepository.findByUser_id(user.getId());
     Mockito.when(userDetailsRepository.findByUser_id(Mockito.anyLong())).thenReturn(null);
     Mockito.when(profileVideoRepository.findByUser_id(Mockito.anyLong()))
@@ -237,7 +237,7 @@ public void getUserByRequestTokenRequestSuccessFullWhenUserDetailsNull() {
   public void getUserByRequestTokenRequestSuccessFullWhenProfileVideoNull() {
     User user = getDummyUser();
     UserDetails userDetails = getDummyUserDetails();
-    Mockito.doReturn(user).when(userService).getUserFromToken(Mockito.any());
+    Mockito.doReturn(user).when(userService).getUserFromTokenWithoutValidation(Mockito.any());
     userDetailsRepository.findByUser_id(user.getId());
     Mockito.when(userDetailsRepository.findByUser_id(Mockito.anyLong())).thenReturn(userDetails);
     Mockito.when(profileVideoRepository.findByUser_id(Mockito.anyLong())).thenReturn(null);