owasp-zap-jwt-addon icon indicating copy to clipboard operation
owasp-zap-jwt-addon copied to clipboard

Published 20 hours ago verified publisher icon SasanLabs

Adding Attack vector for finding vulnerabilities related to JWE

Open preetkaran20 opened this issue 4 years ago • 3 comments

Is your feature request related to a problem? Please describe.

We have currently only handing JWS but we have not handled JWE so under this enhancement we are looking to add:

  1. Analysing Vulnerabilities related to JWE by going through various blogs, bug bounties, other scanner add-on's
  2. Implement the Attack vectors
  3. Adding the Vulnerable code in https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java so that we can test the attack vectors.
  4. Add a design document regarding the same.

Code References Attack vectors: https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks Adding Support for parsing JWE: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/ec58672c0951a23cf4544fd0e41b72eb9328a78d/src/main/java/org/zaproxy/zap/extension/jwt/utils/JWTUtils.java#L139 Fuzzer code: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/fuzzer/ui/JWTFuzzPanelView.java Scan Rule code: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/JWTActiveScanRule.java

Testing the changes build the addon by running

  1. ./gradlew spotlessApply
  2. ./gradlew build Then go to the ZAP -> File -> Local addon file -> Navigate to project -> build -> bin -> jwt*.zap and done.

preetkaran20 avatar Oct 07 '20 14:10 preetkaran20

This seems like a good summary:

A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.

https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3

kingthorin avatar Oct 07 '20 14:10 kingthorin

https://auth0.com/blog/critical-vulnerability-in-json-web-encryption/ -> Attack against JWE

preetkaran20 avatar Nov 07 '20 07:11 preetkaran20

document: https://owasp.slack.com/archives/C0F7D6DFH/p1692972988225639?thread_ts=1692958820.853539&cid=C0F7D6DFH which can help

Content:

there were a couple of talks at OWASP events mentioning JWE, but as it is a pure Encryption standard I do not see much
resources about it in OWASP apart from the general guidelines in safe use in JWT. In terms of vulnerabilities in JWE.
I have found this article in
 Auth0 blog talking about a critical vulnerability in JWE: https://auth0.com/blog/critical-vulnerability-in-json-web-encryption/  and a  few more  
JWE Security Considerations were listed here: https://www.jbspeakr.cc/jwe-token-json-web-encryption/

preetkaran20 avatar Aug 25 '23 20:08 preetkaran20