Adding more vulnerable levels to JWT Vulnerability #413
Is your feature request related to a problem? Please describe.
We have many levels under JWT Vulnerability (https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java), but a few attack vectors are missing, such as header parameter injections as described at https://portswigger.net/web-security/jwt.
There may be a few others missing, so the task is to include the missing vulnerabilities.

Comments

Working on this, Karan.

Hi team! I've been reviewing the work you've done with the JWT vulnerabilities in JWTVulnerability.java and would love to help expand it. I've noticed that some vulnerabilities, such as header parameter injections, are not yet covered. I have some ideas on how we can address this and other attack vectors that might be missing. Could I collaborate with you on this? I'm ready to start working as soon as I get the go-ahead. Thanks, and I look forward to contributing!

@leiberbertel Thanks a lot for going through the codebase. Yeah, sure. I have assigned the ticket to you. Thanks,

Hi Karan! I'll start reviewing everything in detail and will keep you posted on my progress. If there is anything specific you need to discuss or any additional details, feel free to let me know. I really appreciate this opportunity! Greetings,

Hi Karan, I've linked the issue to the pull request I just created, but it looks like I didn't have the option to assign it to you directly. Could you take a look at it when you have a moment? Thanks in advance! Regards,

Hi Karan, I have made the adjustments you suggested in the issue related to the JWT vulnerability. Now the implementation includes the injection of specific headers such as JWK, KID, and JKU. I have configured the logic to have the system validate the JWT using the provided JWK header and performed tests using a manipulated JWT token to confirm that the vulnerability is being handled as expected. I would like you to review the changes to make sure they serve the purpose you mentioned. I look forward to your comments. Thank you.
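The header-parameter injection this issue asks for (the `jwk`, `kid` and `jku` headers from the PortSwigger write-up) comes down to one mistake: the verifier takes its key material from the untrusted token header instead of from server-side configuration. The block below is an added example, not code from VulnerableApp or its pull request, and it is written in Python with the standard library only so it runs offline. It uses HS256 with a `kty: "oct"` JWK rather than the RSA key PortSwigger uses; the secret, the attacker key and the claims are constructed sample values. `verify_vulnerable` honours an embedded `jwk`, so an attacker can mint a token under a key they chose; `verify_hardened` pins the algorithm, refuses tokens that carry key-material headers, and checks the signature only against the server's own key.

```python
"""Self-signed JWK header injection: vulnerable verifier beside hardened one.

Added example, not code from SasanLabs/VulnerableApp. HS256 with an "oct" JWK
is used so the demo needs only the standard library; the flaw is the same as in
the RSA variant: the verifier trusts the key carried inside the token header.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample secret; in the real app this lives in server configuration.
SERVER_SECRET = b"server-side-secret-never-in-the-token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT over the given header/payload with the given key."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def _split(token: str):
    """Return (header, payload, signing_input, signature_bytes)."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), h + "." + p, b64url_decode(s)


def verify_vulnerable(token: str):
    """The bug: if the header carries a jwk, use it as the verification key.

    Returns the payload on a valid signature, otherwise None.
    """
    header, payload, signing_input, sig = _split(token)
    key = SERVER_SECRET
    jwk = header.get("jwk")
    if isinstance(jwk, dict) and jwk.get("kty") == "oct":
        key = b64url_decode(jwk["k"])  # attacker-controlled key material
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None


def verify_hardened(token: str):
    """Pin the algorithm, ignore any key carried in the header, use only the server key."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        return None  # no alg confusion, no "none"
    if any(k in header for k in ("jwk", "jku", "x5u", "x5c")):
        return None  # key material must never come from the token
    expected = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None


def forge_with_embedded_jwk(payload: dict) -> str:
    """Attacker side: pick a key, embed it as a jwk header, sign with it."""
    attacker_key = b"attacker-chosen-key"  # constructed
    header = {"alg": "HS256", "typ": "JWT",
              "jwk": {"kty": "oct", "kid": "attacker", "k": b64url(attacker_key)}}
    return sign(header, payload, attacker_key)


if __name__ == "__main__":
    legit = sign({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "admin": False}, SERVER_SECRET)
    forged = forge_with_embedded_jwk({"sub": "alice", "admin": True})
    print("vulnerable accepts legit :", verify_vulnerable(legit))
    print("vulnerable accepts forged:", verify_vulnerable(forged))
    print("hardened accepts legit   :", verify_hardened(legit))
    print("hardened accepts forged  :", verify_hardened(forged))
```

For a `kid` level the same shape applies: the vulnerable verifier would use `kid` unchecked as a file path or query parameter when loading the key, while the hardened one treats `kid` only as an opaque lookup into a server-side map of known keys. For `jku`, the hardened verifier fetches a JWK set only from an allowlisted origin, never from whatever URL the token names.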