Merge pull request #11 from SasanLabs/FuzzerChanges

Publicly well known secret checking attack.

Author: preetkaran20

CHANGELOG.md

@@ -3,8 +3,13 @@ All notable changes to this add-on will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## Unreleased
+
+### Added
+ - Support for validating usage of publicly well known HMac secrets for signing JWT.
+
 ## [1.0.0] - 2020-09-03
 
  - First version of JWT Support.
    - Contains scanning rules for basic JWT related vulnerabilities.
-   - Contains JWT Fuzzer for fuzzing the JWT's present in the request.
+   - Contains JWT Fuzzer for fuzzing the JWT's present in the request.

src/main/java/org/zaproxy/zap/extension/jwt/JWTConfiguration.java

@@ -19,8 +19,13 @@
  */
 package org.zaproxy.zap.extension.jwt;
 
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 import org.apache.log4j.Logger;
 import org.zaproxy.zap.common.VersionedAbstractParam;
+import org.zaproxy.zap.extension.jwt.utils.JWTUtils;
 
 /**
  * This class holds configuration related to JWT scanner.
@@ -53,7 +58,32 @@ public class JWTConfiguration extends VersionedAbstractParam {
     private boolean enableClientConfigurationScan;
     private static volatile JWTConfiguration jwtConfiguration;
 
-    private JWTConfiguration() {}
+    /**
+     * Files containing publicly well known JWT HMac Secrets.
+     *
+     * <p>There are publicly available well known JWT HMac Secrets. Special thanks to <a href=
+     * "https://lab.wallarm.com/340-weak-jwt-secrets-you-should-check-in-your-code/">Wallarm.com</a>
+     * for collating the list of such weak secrets and making them open-source.
+     */
+    private static final List<String> FILE_NAMES_CONTAINING_PUBLICLY_KNOWN_HMAC_SECRETS =
+            Arrays.asList("/weakKeys/wallarm_jwt_hmac_secrets_list");
+
+    private Set<String> publiclyKnownHMacSecrets = new HashSet<>();
+
+    private JWTConfiguration() {
+        init();
+    }
+
+    private void init() {
+        FILE_NAMES_CONTAINING_PUBLICLY_KNOWN_HMAC_SECRETS.stream()
+                .forEach(
+                        (fileName) -> {
+                            Set<String> values = JWTUtils.readFileContentsFromResources(fileName);
+                            if (values != null && values.size() != 0) {
+                                publiclyKnownHMacSecrets.addAll(values);
+                            }
+                        });
+    }
 
     public static JWTConfiguration getInstance() {
         if (jwtConfiguration == null) {
@@ -130,4 +160,14 @@ protected void parseImpl() {
 
     @Override
     protected void updateConfigsImpl(int fileVersion) {}
+
+    /**
+     * There are publicly available well known JWT HMac Secrets. This API provides all those secrets
+     * and help in finding JWT's signed using these weak secrets.
+     *
+     * @return publicly known HMac Secrets
+     */
+    public Set<String> getPubliclyKnownHMacSecrets() {
+        return publiclyKnownHMacSecrets;
+    }
 }

src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java

@@ -53,15 +53,20 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.text.MessageFormat;
 import java.text.ParseException;
+import java.util.Set;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 import org.json.JSONObject;
 import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.core.scanner.Alert;
+import org.parosproxy.paros.core.scanner.Plugin.AttackStrength;
 import org.zaproxy.zap.extension.jwt.JWTConfiguration;
 import org.zaproxy.zap.extension.jwt.JWTHolder;
+import org.zaproxy.zap.extension.jwt.JWTI18n;
 import org.zaproxy.zap.extension.jwt.exception.JWTException;
+import org.zaproxy.zap.extension.jwt.utils.JWTConstants;
 import org.zaproxy.zap.extension.jwt.utils.JWTUtils;
 import org.zaproxy.zap.extension.jwt.utils.VulnerabilityType;
 
@@ -79,6 +84,71 @@ public class SignatureAttack implements JWTAttack {
             "jwt.scanner.server.vulnerability.signatureAttack.";
     private ServerSideAttack serverSideAttack;
 
+    /**
+     * There are publicly available well known JWT HMac Secrets and This attack checks if JWT is
+     * signed using weak well known secret.
+     *
+     * <p>Special thanks to <a href=
+     * "https://lab.wallarm.com/340-weak-jwt-secrets-you-should-check-in-your-code/">Wallarm.com</a>
+     * for collating the list of such weak secrets and making them opensource.
+     *
+     * <p>For knowing all the secrets please visit: <a href=
+     * "https://raw.githubusercontent.com/wallarm/jwt-secrets/master/jwt.secrets.list">Weak Publicly
+     * known HMac Secrets</a>
+     *
+     * @return {@code true} if found any publicly well known secret used to sign JWT else {@code
+     *     false}
+     */
+    private boolean executePubliclyWellKnownHMacSecretAttack() {
+        // will only run for high or insane strength
+        if (serverSideAttack.getJwtActiveScanRule().getAttackStrength().equals(AttackStrength.LOW)
+                || serverSideAttack
+                        .getJwtActiveScanRule()
+                        .getAttackStrength()
+                        .equals(AttackStrength.MEDIUM)) {
+            return false;
+        }
+        Set<String> secrets = JWTConfiguration.getInstance().getPubliclyKnownHMacSecrets();
+        // Checks if HMac is the actual algorithm for the JWT
+        if (JWTConstants.JWT_HMAC_ALGO_TO_JAVA_ALGORITHM_MAPPING.containsKey(
+                serverSideAttack.getJwtHolder().getAlgorithm())) {
+            for (String secret : secrets) {
+                if (serverSideAttack.getJwtActiveScanRule().isStop()) {
+                    return false;
+                }
+                JWTHolder jwtHolder = serverSideAttack.getJwtHolder();
+                try {
+                    String tokenSignedWithWeakSecret =
+                            JWTUtils.getBase64EncodedHMACSignedToken(
+                                    JWTUtils.getBytes(
+                                            jwtHolder.getBase64EncodedTokenWithoutSignature()),
+                                    JWTUtils.getBytes(secret),
+                                    jwtHolder.getAlgorithm());
+                    if (tokenSignedWithWeakSecret.equals(jwtHolder.getBase64EncodedToken())) {
+                        this.raiseAlert(
+                                MESSAGE_PREFIX,
+                                VulnerabilityType.PUBLICLY_KNOWN_SECRETS,
+                                Alert.RISK_HIGH,
+                                Alert.CONFIDENCE_HIGH,
+                                MessageFormat.format(
+                                        JWTI18n.getMessage(
+                                                MESSAGE_PREFIX
+                                                        + VulnerabilityType.PUBLICLY_KNOWN_SECRETS
+                                                                .getMessageKey()
+                                                        + ".param"),
+                                        jwtHolder.getBase64EncodedToken(),
+                                        secret),
+                                serverSideAttack);
+                        return true;
+                    }
+                } catch (JWTException e) {
+                    LOGGER.warn("An error occurred while getting signed manipulated tokens", e);
+                }
+            }
+        }
+        return false;
+    }
+
     /**
      * Adds Null Byte to the signature to checks if JWT is vulnerable to Null Byte injection. Main
      * gist of attack is say validator is vulnerable to null byte hence if anything is appended
@@ -297,7 +367,8 @@ public boolean executeAttack(ServerSideAttack serverSideAttack) {
         try {
             return this.executeCustomPrivateKeySignedJWTTokenAttack()
                     || this.executeAlgoKeyConfusionAttack()
-                    || this.executeNullByteAttack();
+                    || this.executeNullByteAttack()
+                    || this.executePubliclyWellKnownHMacSecretAttack();
         } catch (JWTException e) {
             LOGGER.error("An error occurred while getting signed manipulated tokens", e);
         }

src/main/java/org/zaproxy/zap/extension/jwt/utils/JWTUtils.java

@@ -31,8 +31,10 @@
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jose.util.Base64URL;
+import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
+import java.io.InputStreamReader;
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
 import java.nio.charset.StandardCharsets;
@@ -45,11 +47,15 @@
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.text.ParseException;
 import java.util.Base64;
+import java.util.HashSet;
 import java.util.Objects;
+import java.util.Set;
 import java.util.regex.Pattern;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.log4j.Logger;
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.zaproxy.zap.extension.dynssl.SslCertificateUtils;
@@ -64,6 +70,8 @@
  */
 public class JWTUtils {
 
+    private static final Logger LOGGER = Logger.getLogger(JWTUtils.class);
+
     /**
      * Converts string to bytes. This method assumes that token is in UTF-8 charset which is as per
      * the JWT specifications.
@@ -291,4 +299,28 @@ public static boolean isValidJson(String value) {
         }
         return true;
     }
+
+    /**
+     * Generic utility to read contents from the file and returning the provided content as list of
+     * Strings.
+     *
+     * @param fileName
+     * @return content from file as list of strings
+     */
+    public static Set<String> readFileContentsFromResources(String fileName) {
+        Set<String> values = new HashSet<>();
+        try (BufferedReader bufferedReader =
+                new BufferedReader(
+                        new InputStreamReader(JWTUtils.class.getResourceAsStream(fileName)))) {
+            String inputLine;
+            while ((inputLine = bufferedReader.readLine()) != null) {
+                if (StringUtils.isNotBlank(inputLine)) {
+                    values.add(inputLine);
+                }
+            }
+        } catch (Exception ex) {
+            LOGGER.warn("Unable to read publicly known secrets from: " + fileName, ex);
+        }
+        return values;
+    }
 }

src/main/java/org/zaproxy/zap/extension/jwt/utils/VulnerabilityType.java

@@ -30,6 +30,7 @@ public enum VulnerabilityType {
     EMPTY_TOKENS("emptyTokens"),
     JWK_CUSTOM_KEY("jwkCustomKey"),
     ALGORITHM_CONFUSION("algorithmConfusion"),
+    PUBLICLY_KNOWN_SECRETS("publiclyKnownSecrets"),
     // JWT token client side storage related vulnerability type
     SECURE_COOKIE("cookiesecureflag"),
     HTTPONLY_COOKIE("cookiehttponly"),

src/main/resources/org/zaproxy/zap/extension/jwt/resources/Messages.properties

@@ -84,6 +84,12 @@ jwt.scanner.server.vulnerability.signatureAttack.jwkCustomKey.desc=JWT library i
 jwt.scanner.server.vulnerability.signatureAttack.jwkCustomKey.refs=https://nvd.nist.gov/vuln/detail/CVE-2018-0114
 jwt.scanner.server.vulnerability.signatureAttack.jwkCustomKey.soln=Validating Library should not depend on user provided input
 
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.name=Publicly Well Known HMac Secret Attack
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.desc=JSON web tokens signed using HMac algorithm requires secret key and there are publicly well known secret keys which should not be used for signing the JSON web token as it can cause various attacks like identity theft, user impersonation etc. 
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.refs=https://lab.wallarm.com/340-weak-jwt-secrets-you-should-check-in-your-code
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.soln=Secret keys used for signing should not be publicly well known or easy to guess. 
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.param=JWT: \"{0}\" is signed by: \"{1}\"
+
 jwt.scanner.server.vulnerability.payloadAttack.nullByte.name=Null Byte Injection Attack
 jwt.scanner.server.vulnerability.payloadAttack.nullByte.desc=Payload bytes after null byte are ignored ie not included in validation of JWT hence JWT validator is vulnerable to null byte injection
 jwt.scanner.server.vulnerability.payloadAttack.nullByte.refs=http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection