Merge pull request #71 from cerberauth/jwt-hmac-weak-secret

feat: perform dictionnary attack against jwt with hmac alg

Author: emmanuelgautier

README.md

@@ -83,7 +83,7 @@ In this example, each line represents a detected vulnerability, severity level (
 The scanner is capable of detecting the following vulnerabilities:
 * JWT `none` algorithm accepted
 * JWT not verified
-* JWT weak secret used
+* JWT blank or weak secret used with HMAC algorithm
 * JWT null signature accepted
 
 The scanner also detects the following security best practices:

jwt/hmac_alg.go

@@ -0,0 +1,8 @@
+package jwt
+
+import jwtlib "github.com/golang-jwt/jwt/v5"
+
+func (j *JWTWriter) IsHMACAlg() bool {
+	_, ok := j.Token.Method.(*jwtlib.SigningMethodHMAC)
+	return ok
+}

jwt/hmac_alg_test.go

@@ -0,0 +1,34 @@
+package jwt_test
+
+import (
+	"testing"
+
+	"github.com/cerberauth/vulnapi/jwt"
+	jwtlib "github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsHMACAlgWithHS256(t *testing.T) {
+	token := jwtlib.New(jwtlib.SigningMethodHS256)
+	tokenString, _ := token.SignedString([]byte(""))
+	jwtWriter, err := jwt.NewJWTWriter(tokenString)
+
+	assert.NoError(t, err)
+	assert.True(t, jwtWriter.IsHMACAlg())
+}
+
+func TestIsHMACAlgWithRSA(t *testing.T) {
+	privateKeyData := []byte(`
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKwkZA+Y19xPuGLCkk+JkrTnCo5bQvJcf0MdC73xg473
+-----END PRIVATE KEY-----
+`)
+
+	key, _ := jwtlib.ParseEdPrivateKeyFromPEM(privateKeyData)
+	token := jwtlib.New(jwtlib.SigningMethodEdDSA)
+	tokenString, _ := token.SignedString(key)
+	jwtWriter, err := jwt.NewJWTWriter(tokenString)
+
+	assert.NoError(t, err)
+	assert.False(t, jwtWriter.IsHMACAlg())
+}

scan/jwt/weak_secret.go

@@ -6,6 +6,7 @@ import (
 	"github.com/cerberauth/vulnapi/internal/scan"
 	"github.com/cerberauth/vulnapi/jwt"
 	"github.com/cerberauth/vulnapi/report"
+	"github.com/cerberauth/vulnapi/seclist"
 )
 
 const (
@@ -14,6 +15,10 @@ const (
 	WeakSecretVulnerabilityDescription   = "JWT secret is weak and can be easily guessed."
 )
 
+var defaultJwtSecretDictionary = []string{"secret", "password", "123456", "changeme", "admin", "token"}
+
+const jwtSecretDictionarySeclistUrl = "https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/scraped-JWT-secrets.txt"
+
 func BlankSecretScanHandler(operation *request.Operation, ss auth.SecurityScheme) (*report.ScanReport, error) {
 	r := report.NewScanReport()
 	if !ShouldBeScanned(ss) {
@@ -44,10 +49,49 @@ func BlankSecretScanHandler(operation *request.Operation, ss auth.SecurityScheme
 	return r, nil
 }
 
-func DictSecretScanHandler(o *request.Operation, ss auth.SecurityScheme) (*report.ScanReport, error) {
+func WeakHMACSecretScanHandler(o *request.Operation, ss auth.SecurityScheme) (*report.ScanReport, error) {
 	r := report.NewScanReport()
+	if !ShouldBeScanned(ss) {
+		return r, nil
+	}
 
-	// TODO: Use a dictionary attack to try finding the secret
+	valueWriter := ss.GetValidValueWriter().(*jwt.JWTWriter)
+	if !valueWriter.IsHMACAlg() {
+		return r, nil
+	}
+
+	jwtSecretDictionary := defaultJwtSecretDictionary
+	if secretDictionnaryFromSeclist, err := seclist.NewSecListFromURL("JWT Secrets Dictionnary", jwtSecretDictionarySeclistUrl); err == nil {
+		jwtSecretDictionary = secretDictionnaryFromSeclist.Items
+	}
+
+	for _, secret := range jwtSecretDictionary {
+		newToken, err := valueWriter.SignWithKey([]byte(secret))
+		if err != nil {
+			return r, nil
+		}
+
+		if newToken != valueWriter.Token.Raw {
+			continue
+		}
+
+		ss.SetAttackValue(newToken)
+		vsa, err := scan.ScanURL(o, &ss)
+		r.AddScanAttempt(vsa)
+		if err != nil {
+			return r, err
+		}
+
+		if err := scan.DetectNotExpectedResponse(vsa.Response); err != nil {
+			r.AddVulnerabilityReport(&report.VulnerabilityReport{
+				SeverityLevel: WeakSecretVulnerabilitySeverityLevel,
+				Name:          WeakSecretVulnerabilityName,
+				Description:   WeakSecretVulnerabilityDescription,
+				Operation:     o,
+			})
+			break
+		}
+	}
 
 	r.End()
 

scan/jwt/weak_secret_test.go

@@ -11,14 +11,9 @@ import (
 )
 
 func TestBlankSecretScanHandlerWithoutJwt(t *testing.T) {
-	httpmock.Activate()
-	defer httpmock.DeactivateAndReset()
-
 	securityScheme := auth.NewNoAuthSecurityScheme()
 	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
 
-	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.NewBytesResponder(405, nil))
-
 	report, err := jwt.BlankSecretScanHandler(operation, securityScheme)
 
 	assert.NoError(t, err)
@@ -42,3 +37,60 @@ func TestBlankSecretScanHandler(t *testing.T) {
 	assert.Equal(t, 1, httpmock.GetTotalCallCount())
 	assert.False(t, report.HasVulnerabilityReport())
 }
+
+func TestWeakHMACSecretScanHandlerWithoutJwt(t *testing.T) {
+	securityScheme := auth.NewNoAuthSecurityScheme()
+	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
+
+	report, err := jwt.WeakHMACSecretScanHandler(operation, securityScheme)
+
+	assert.NoError(t, err)
+	assert.Equal(t, 0, httpmock.GetTotalCallCount())
+	assert.False(t, report.HasVulnerabilityReport())
+}
+
+func TestWeakHMACSecretScanHandlerWithJWTUsingOtherAlg(t *testing.T) {
+	token := "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhYmMxMjMifQ.vLBmArLmAKEshqJa3px6qYfrkAfiwBrKPs5dCMxqj9bdiEKR5W4o0Srxt6VHZKzsxIGMTTsqpW21lKnYsLw5DA"
+	securityScheme := auth.NewAuthorizationBearerSecurityScheme("token", &token)
+	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
+
+	report, err := jwt.WeakHMACSecretScanHandler(operation, securityScheme)
+
+	assert.NoError(t, err)
+	assert.Equal(t, 0, httpmock.GetTotalCallCount())
+	assert.False(t, report.HasVulnerabilityReport())
+}
+
+func TestWeakHMACSecretScanHandlerWithWeakJWT(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.t-IDcSemACt8x4iTMCda8Yhe3iZaWbvV5XKSTbuAn0M"
+	securityScheme := auth.NewAuthorizationBearerSecurityScheme("token", &token)
+	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
+
+	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.NewBytesResponder(104, nil))
+
+	report, err := jwt.WeakHMACSecretScanHandler(operation, securityScheme)
+
+	assert.NoError(t, err)
+	assert.Equal(t, 1, httpmock.GetTotalCallCount())
+	assert.True(t, report.HasVulnerabilityReport())
+}
+
+func TestWeakHMACSecretScanHandlerWithStrongerJWT(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.MWUarT7Q4e5DqnZbdr7VKw3rx9VW-CrvoVkfpllS4CY"
+	securityScheme := auth.NewAuthorizationBearerSecurityScheme("token", &token)
+	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
+
+	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.NewBytesResponder(104, nil))
+
+	report, err := jwt.WeakHMACSecretScanHandler(operation, securityScheme)
+
+	assert.NoError(t, err)
+	assert.Equal(t, 0, httpmock.GetTotalCallCount())
+	assert.False(t, report.HasVulnerabilityReport())
+}

scan/vulns.go

@@ -15,7 +15,7 @@ func (s *Scan) WithJWTNullSignatureScan() *Scan {
 }
 
 func (s *Scan) WithWeakJwtSecretScan() *Scan {
-	return s.AddOperationScanHandler(jwt.BlankSecretScanHandler).AddOperationScanHandler(jwt.DictSecretScanHandler)
+	return s.AddOperationScanHandler(jwt.BlankSecretScanHandler).AddOperationScanHandler(jwt.WeakHMACSecretScanHandler)
 }
 
 func (s *Scan) WithAllVulnsScans() *Scan {