Fix: Refactor JWT Level 13 to use cookie-based flow and vulnerable JWK verification (#499)

* Fix: Refactor JWT Level 13 to use cookie-based flow and vulnerable JWK verification

* Fix: Handle UnsupportedEncodingException in Level 13

* Fix: Remove unused imports to satisfy spotlessJavaCheck

* Fix: Remove unused SignedJWT import

* Fix: Update Level 13 HTML structure to match project theme

* Fix: Update Level 13 CSS to match project theme

Author: subhamkumarr

src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java

@@ -2,11 +2,6 @@
 
 import static org.sasanlabs.service.vulnerability.jwt.bean.JWTUtils.GENERIC_BASE64_ENCODED_PAYLOAD;
 
-import com.nimbusds.jose.JWSVerifier;
-import com.nimbusds.jose.crypto.RSASSAVerifier;
-import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jwt.SignedJWT;
 import java.io.UnsupportedEncodingException;
 import java.security.KeyPair;
 import java.security.interfaces.RSAPrivateKey;
@@ -16,7 +11,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import javax.servlet.http.HttpServletRequest;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.sasanlabs.internal.utility.LevelConstants;
@@ -676,43 +670,42 @@ private ResponseEntity<GenericVulnerabilityResponseBean<String>> getJWTResponseB
             value = LevelConstants.LEVEL_13,
             htmlTemplate = "LEVEL_13/HeaderInjection_Level13")
     public ResponseEntity<GenericVulnerabilityResponseBean<String>> getHeaderInjectionVulnerability(
-            HttpServletRequest request) {
-        String jwtToken = request.getHeader("Authorization");
-        if (jwtToken == null || !jwtToken.startsWith(JWTUtils.BEARER_PREFIX)) {
-            return new ResponseEntity<>(
-                    new GenericVulnerabilityResponseBean<>("No JWT token provided", true),
-                    HttpStatus.BAD_REQUEST);
-        }
-
-        jwtToken = jwtToken.replaceFirst("^" + JWTUtils.BEARER_PREFIX, "").trim();
-
-        try {
-            SignedJWT signedJWT = SignedJWT.parse(jwtToken);
-
-            String jwkHeader = (String) signedJWT.getHeader().toJSONObject().get("jwk");
-
-            if (jwkHeader != null) {
-                JWK jwk = JWK.parse(jwkHeader);
-                RSAKey rsaKey = (RSAKey) jwk;
-                RSAPublicKey publicKey = rsaKey.toRSAPublicKey();
-
-                JWSVerifier verifier = new RSASSAVerifier(publicKey);
-                if (signedJWT.verify(verifier)) {
-                    return new ResponseEntity<>(
-                            new GenericVulnerabilityResponseBean<>(
-                                    "JWK Header Injection Exploited!", false),
-                            HttpStatus.OK);
+            RequestEntity<Void> requestEntity, @RequestParam Map<String, String> queryParams)
+            throws ServiceApplicationException, UnsupportedEncodingException {
+        Optional<KeyPair> asymmetricAlgorithmKeyPair =
+                jwtAlgorithmKMS.getAsymmetricAlgorithmKey("RS256");
+        LOGGER.info(
+                asymmetricAlgorithmKeyPair.isPresent() + " " + asymmetricAlgorithmKeyPair.get());
+        List<String> tokens = requestEntity.getHeaders().get("cookie");
+        boolean isFetch = Boolean.valueOf(queryParams.get("fetch"));
+        if (!isFetch) {
+            for (String token : tokens) {
+                String[] cookieKeyValue = token.split(JWTUtils.BASE64_PADDING_CHARACTER_REGEX);
+                if (cookieKeyValue[0].equals(JWT)) {
+                    boolean isValid =
+                            jwtValidator.jwkKeyHeaderPublicKeyTrustingVulnerableValidator(
+                                    cookieKeyValue[1]);
+                    Map<String, List<String>> headers = new HashMap<>();
+                    headers.put("Set-Cookie", Arrays.asList(token + "; httponly"));
+                    ResponseEntity<GenericVulnerabilityResponseBean<String>> responseEntity =
+                            this.getJWTResponseBean(
+                                    isValid,
+                                    token,
+                                    !isValid,
+                                    CollectionUtils.toMultiValueMap(headers));
+                    return responseEntity;
                 }
             }
-
-        } catch (Exception e) {
-            return new ResponseEntity<>(
-                    new GenericVulnerabilityResponseBean<>("Invalid JWT", true),
-                    HttpStatus.BAD_REQUEST);
         }
-
-        return new ResponseEntity<>(
-                new GenericVulnerabilityResponseBean<>("Safe header", true), HttpStatus.OK);
+        String token =
+                libBasedJWTGenerator.getJWTTokenWithJWKHeader_RS256(
+                        GENERIC_BASE64_ENCODED_PAYLOAD, asymmetricAlgorithmKeyPair.get());
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Set-Cookie", Arrays.asList(JWT_COOKIE_KEY + token + "; httponly"));
+        ResponseEntity<GenericVulnerabilityResponseBean<String>> responseEntity =
+                this.getJWTResponseBean(
+                        true, token, true, CollectionUtils.toMultiValueMap(headers));
+        return responseEntity;
     }
 
     // Very weak HMAC key vulnerability - using extremely short key

src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.css

@@ -3,27 +3,43 @@
     text-align: justify;
 }
 
-#enterHeader {
+#description {
     font-size: 15px;
-    display: flex;
+    visibility: hidden;
     margin: 10px;
-    flex-direction: column;
 }
 
-#headerName, #headerValue {
-    flex: 1;
-    word-wrap: break-word;
-    margin-top: 10px;
+#Note {
+    font-size: 15px;
+    margin: 10px;
 }
 
-#headerResponse {
+#verificationResponse {
     font-size: 15px;
+    margin: 10px;
     word-wrap: break-word;
     text-align: center;
+}
+
+#jwt {
+    font-weight: normal;
+    word-wrap: break-word;
+    margin-top: 10px;
+}
+
+#fetchTokenButton {
+    background: blueviolet;
+    display: inline-block;
+    padding: 8px 8px;
     margin: 10px;
+    border: 2px solid transparent;
+    border-radius: 3px;
+    transition: 0.2s opacity;
+    color: #FFF;
+    font-size: 12px;
 }
 
-#sendHeader {
+#verifyToken {
     background: blueviolet;
     display: inline-block;
     padding: 4px 4px;

src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.html

@@ -1,22 +1,14 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <title>Header Injection</title>
-</head>
-<body>
 <div id="header_injection_level_13">
-    <div>
-        <div id="enterHeader">
-            <div>Header Name:</div>
-            <input type="text" id="headerName" placeholder="Enter header name" />
-            <div>Header Value:</div>
-            <input type="text" id="headerValue" placeholder="Enter header value" />
-        </div>
-        <button id="sendHeader">Send Header</button>
-        <div id="headerResponse"></div>
+    <div id="fetchToken">
+        <button id="fetchTokenButton">Click here to fetch the JWT token</button>
     </div>
-</div>
-
-</body>
-</html>
+    <div id="description">
+        <div>JWT:</div>
+        <div id="jwt"></div>
+    </div>
+    <button id="verifyToken">Verify</button>
+    <div id="verificationResponse"></div>
+    <div id="Note">
+        Note: Please clear the cookies from browser.
+    </div>
+</div>

src/main/resources/static/templates/JWTVulnerability/LEVEL_13/HeaderInjection_Level13.js

@@ -1,27 +1,32 @@
-function addEventListenerToSendHeaderButton() {
-  document.getElementById("sendHeader").addEventListener("click", function () {
-    const headerName = document.getElementById("headerName").value;
-    const headerValue = document.getElementById("headerValue").value;
+function addingEventListenerToFetchTokenButton() {
+  document
+    .getElementById("fetchTokenButton")
+    .addEventListener("click", function () {
+      let url = getUrlForVulnerabilityLevel();
+      url = url + "?fetch=true";
+      doGetAjaxCall(fetchTokenCallBack, url, true);
+    });
+}
+addingEventListenerToFetchTokenButton();
 
+function addingEventListenerToVerifyToken() {
+  document.getElementById("verifyToken").addEventListener("click", function () {
     let url = getUrlForVulnerabilityLevel();
-
-    const manipulatedJwt =
-      "eyJhbGciOiJSUzI1NiIsImtpZCI6Im1hbGljaW91cy1rZXktaWQifQ.eyJzdWIiOiJleGFtcGxldXNlciIsIm5hbWUiOiJKV1QgVXNlciIsImlhdCI6MTYwOTAxMjAwMH0.c7qHUq1HbHj8AWjKbcIYH2NZnE6PtNyXTnJTWZELvFbfbFhc5BQ_w8e24fXL2OzhhOT5qHVzFvHgOeEYFLZNGEDlJhF4o76yHsMJdWQFL4I5uZjG0o8XV0HjDdM7GqEmx2j0JHi6vJ8Q3pIqGzUBmb7bgzD4kENnP-UqfkbNl2ykYZ9Nybw_E7CAV4OxuqE4QyIpZV2VttWjefK3c6TIj9hNWvYYgipKwHFLXbOV-rOZ6K-_H_4D-kbr0LKPPX-s4b11o0wtS3y1FiHDXEvsmEjhRApEc_jk5uZY-AGPUc9Nl9t6iT_Nh1Q8Usz-jZifg03NwumJjDNtz-nS7gzg";
-
-    doGetAjaxCall(
-      function (data) {
-        document.getElementById("headerResponse").innerHTML = data.isValid
-          ? "Header Injection was successful!"
-          : "Header Injection failed. Please try again.";
-      },
-      url,
-      true,
-      {
-        [headerName]: headerValue,
-        Authorization: `Bearer ${manipulatedJwt}`,
-      }
-    );
+    doGetAjaxCall(updateUIWithVerifyResponse, url, true);
   });
 }
+addingEventListenerToVerifyToken();
 
-addEventListenerToSendHeaderButton();
+function updateUIWithVerifyResponse(data) {
+  if (data.isValid) {
+    document.getElementById("verificationResponse").innerHTML = "JWT is valid";
+  } else {
+    document.getElementById("verificationResponse").innerHTML =
+      "JWT: " + data.content + " is not valid. Please try again";
+  }
+}
+
+function fetchTokenCallBack(data) {
+  document.getElementById("jwt").innerHTML = data.content;
+  document.getElementById("description").style.visibility = "visible";
+}