
Commit 51d7170

committed
Incorporating review comments
1 parent 575db9c commit 51d7170


3 files changed

+15
-21
lines changed


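--- a/src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java
+++ b/src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java
@@ -53,6 +53,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.text.MessageFormat;
 import java.text.ParseException;
 import java.util.Set;
 import org.apache.commons.lang3.StringUtils;
@@ -63,6 +64,7 @@
 import org.parosproxy.paros.core.scanner.Plugin.AttackStrength;
 import org.zaproxy.zap.extension.jwt.JWTConfiguration;
 import org.zaproxy.zap.extension.jwt.JWTHolder;
+import org.zaproxy.zap.extension.jwt.JWTI18n;
 import org.zaproxy.zap.extension.jwt.exception.JWTException;
 import org.zaproxy.zap.extension.jwt.utils.JWTConstants;
 import org.zaproxy.zap.extension.jwt.utils.JWTUtils;
@@ -128,16 +130,16 @@ private boolean executePubliclyWellKnownHMacSecretAttack() {
 VulnerabilityType.PUBLICLY_KNOWN_SECRETS,
 Alert.RISK_HIGH,
 Alert.CONFIDENCE_HIGH,
-"JWT token: "
-+ jwtHolder.getBase64EncodedToken()
-+ " is signed by: \""
-+ secret
-+ "\"",
+MessageFormat.format(
+JWTI18n.getMessage(
+"jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.param"),
+jwtHolder.getBase64EncodedToken(),
+secret),
 serverSideAttack);
 return true;
 }
 } catch (JWTException e) {
-LOGGER.error("An error occurred while getting signed manipulated tokens", e);
+LOGGER.warn("An error occurred while getting signed manipulated tokens", e);
 }
 }
 }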
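Review bot: The alert text built at new line 133 now goes through MessageFormat, so the pattern fetched under `jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.param` is subject to MessageFormat quoting rules: any localized variant of that string containing a single apostrophe would silently drop `{0}` and `{1}` from the output. Worth a comment next to the call, `// pattern is a MessageFormat: apostrophes in translations must be doubled ('')`, or a check in the i18n tests if the project has one. The long key literal is also a candidate for a `private static final String` constant so the Java and properties sides are easier to keep in sync. executePubliclyWellKnownHMacSecretAttack begins before this hunk.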

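--- a/src/main/java/org/zaproxy/zap/extension/jwt/utils/JWTUtils.java
+++ b/src/main/java/org/zaproxy/zap/extension/jwt/utils/JWTUtils.java
@@ -309,27 +309,17 @@ public static boolean isValidJson(String value) {
 */
 public static Set<String> readFileContentsFromResources(String fileName) {
 Set<String> values = new HashSet<>();
-BufferedReader bufferedReader = null;
-try {
-bufferedReader =
-new BufferedReader(
-new InputStreamReader(JWTUtils.class.getResourceAsStream(fileName)));
+try (BufferedReader bufferedReader =
+new BufferedReader(
+new InputStreamReader(JWTUtils.class.getResourceAsStream(fileName)))) {
 String inputLine;
 while ((inputLine = bufferedReader.readLine()) != null) {
 if (StringUtils.isNotBlank(inputLine)) {
 values.add(inputLine);
 }
 }
 } catch (Exception ex) {
-LOGGER.info("Unable to read publicly known secrets from: " + fileName, ex);
-} finally {
-if (bufferedReader != null) {
-try {
-bufferedReader.close();
-} catch (Exception ex) {
-LOGGER.debug("Unable to close bufferedReader", ex);
-}
-}
+LOGGER.warn("Unable to read publicly known secrets from: " + fileName, ex);
 }
 return values;
 }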
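Review bot: `getResourceAsStream(fileName)` at new line 314 returns null when the resource is absent, so `new InputStreamReader(null)` throws a NullPointerException that the broad `catch (Exception ex)` then logs as an "unable to read" warning with a misleading stack trace; the reader is also built without a charset, so the secrets list is decoded with the platform default rather than a fixed encoding. Checking the stream for null before opening the reader, passing `StandardCharsets.UTF_8`, and narrowing the catch to `IOException` makes each failure mode explicit and keeps the empty-set return for a missing resource. This needs `java.io.InputStream`, `java.io.IOException` and `java.nio.charset.StandardCharsets` in the import block, which is outside the hunk. The whole method lies inside the hunk.
```java
public static Set<String> readFileContentsFromResources(String fileName) {
    Set<String> values = new HashSet<>();
    // A missing resource yields null, not an exception; report it as such.
    InputStream stream = JWTUtils.class.getResourceAsStream(fileName);
    if (stream == null) {
        LOGGER.warn("Publicly known secrets resource not found: " + fileName);
        return values;
    }
    try (BufferedReader bufferedReader =
            new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
        // … unchanged: readLine loop adding non-blank lines to values …
    } catch (IOException ex) {
        LOGGER.warn("Unable to read publicly known secrets from: " + fileName, ex);
    }
    return values;
}
```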

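--- a/src/main/resources/org/zaproxy/zap/extension/jwt/resources/Messages.properties
+++ b/src/main/resources/org/zaproxy/zap/extension/jwt/resources/Messages.properties
@@ -101,4 +101,6 @@ jwt.scanner.server.vulnerability.miscAttack.emptyTokens.soln=Tokens even if empt
 
 # JWT scanner references and solutions
 jwt.scanner.refs=https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html
-jwt.scanner.soln=See reference for further information. The solution depends on implementation details
+jwt.scanner.soln=See reference for further information. The solution depends on implementation details
+
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.param=JWT: {0} is signed by: \"{1}\"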
