Merge pull request #69 from cerberauth/fix-jwt-not-verified

fix: report when jwt is not verified
cerberauth · Mar 22, 2024 · 11b6b6d · 11b6b6d
2 parents c291431 + a30b11b
commit 11b6b6d
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 10 deletions.
diff --git a/scan/jwt/not_verified.go b/scan/jwt/not_verified.go
@@ -22,24 +22,23 @@ func NotVerifiedScanHandler(operation *request.Operation, ss auth.SecurityScheme
 	}
 
 	valueWriter := ss.GetValidValueWriter().(*jwt.JWTWriter)
-	newTokenA, err := valueWriter.SignWithMethodAndKey(jwtlib.SigningMethodHS256, []byte("a"))
-	if err != nil {
-		return r, err
+	method := jwtlib.SigningMethodHS256
+	if valueWriter.Token.Method == method {
+		method = jwtlib.SigningMethodHS384
 	}
-
-	newTokenB, err := valueWriter.SignWithMethodAndKey(jwtlib.SigningMethodHS256, []byte("b"))
+	newToken, err := valueWriter.SignWithMethodAndKey(method, []byte("a"))
 	if err != nil {
 		return r, err
 	}
 
-	ss.SetAttackValue(newTokenA)
+	ss.SetAttackValue(ss.GetValidValue())
 	vsa1, err := scan.ScanURL(operation, &ss)
 	if err != nil {
 		return r, err
 	}
 	r.AddScanAttempt(vsa1)
 
-	ss.SetAttackValue(newTokenB)
+	ss.SetAttackValue(newToken)
 	vsa2, err := scan.ScanURL(operation, &ss)
 	if err != nil {
 		return r, err
@@ -48,7 +47,7 @@ func NotVerifiedScanHandler(operation *request.Operation, ss auth.SecurityScheme
 	r.AddScanAttempt(vsa2)
 	r.End()
 
-	if vsa1.Response.StatusCode != vsa2.Response.StatusCode {
+	if vsa1.Response.StatusCode == vsa2.Response.StatusCode {
 		r.AddVulnerabilityReport(&report.VulnerabilityReport{
 			SeverityLevel: NotVerifiedVulnerabilitySeverityLevel,
 			Name:          NotVerifiedVulnerabilityName,

diff --git a/scan/jwt/not_verified_test.go b/scan/jwt/not_verified_test.go
@@ -1,6 +1,7 @@
 package jwt_test
 
 import (
+	"net/http"
 	"testing"
 
 	"github.com/cerberauth/vulnapi/internal/auth"
@@ -34,11 +35,36 @@ func TestNotVerifiedScanHandler(t *testing.T) {
 	securityScheme := auth.NewAuthorizationBearerSecurityScheme("token", &token)
 	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
 
-	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.NewBytesResponder(401, nil))
-
+	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.ResponderFromMultipleResponses(
+		[]*http.Response{
+			httpmock.NewBytesResponse(200, nil),
+			httpmock.NewBytesResponse(401, nil),
+		}, t.Log),
+	)
 	report, err := jwt.NotVerifiedScanHandler(operation, securityScheme)
 
 	assert.NoError(t, err)
 	assert.Equal(t, 2, httpmock.GetTotalCallCount())
 	assert.False(t, report.HasVulnerabilityReport())
 }
+
+func TestNotVerifiedScanHandlerWithNotVerifiedJWT(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
+	securityScheme := auth.NewAuthorizationBearerSecurityScheme("token", &token)
+	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
+
+	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.ResponderFromMultipleResponses(
+		[]*http.Response{
+			httpmock.NewBytesResponse(200, nil),
+			httpmock.NewBytesResponse(200, nil),
+		}, t.Log),
+	)
+	report, err := jwt.NotVerifiedScanHandler(operation, securityScheme)
+
+	assert.NoError(t, err)
+	assert.Equal(t, 2, httpmock.GetTotalCallCount())
+	assert.True(t, report.HasVulnerabilityReport())
+}