diff --git a/scan/jwt/not_verified.go b/scan/jwt/not_verified.go index 415562d..d712de7 100644 --- a/scan/jwt/not_verified.go +++ b/scan/jwt/not_verified.go @@ -22,24 +22,23 @@ func NotVerifiedScanHandler(operation *request.Operation, ss auth.SecurityScheme } valueWriter := ss.GetValidValueWriter().(*jwt.JWTWriter) - newTokenA, err := valueWriter.SignWithMethodAndKey(jwtlib.SigningMethodHS256, []byte("a")) - if err != nil { - return r, err + method := jwtlib.SigningMethodHS256 + if valueWriter.Token.Method == method { + method = jwtlib.SigningMethodHS384 } - - newTokenB, err := valueWriter.SignWithMethodAndKey(jwtlib.SigningMethodHS256, []byte("b")) + newToken, err := valueWriter.SignWithMethodAndKey(method, []byte("a")) if err != nil { return r, err } - ss.SetAttackValue(newTokenA) + ss.SetAttackValue(ss.GetValidValue()) vsa1, err := scan.ScanURL(operation, &ss) if err != nil { return r, err } r.AddScanAttempt(vsa1) - ss.SetAttackValue(newTokenB) + ss.SetAttackValue(newToken) vsa2, err := scan.ScanURL(operation, &ss) if err != nil { return r, err @@ -48,7 +47,7 @@ func NotVerifiedScanHandler(operation *request.Operation, ss auth.SecurityScheme r.AddScanAttempt(vsa2) r.End() - if vsa1.Response.StatusCode != vsa2.Response.StatusCode { + if vsa1.Response.StatusCode == vsa2.Response.StatusCode { r.AddVulnerabilityReport(&report.VulnerabilityReport{ SeverityLevel: NotVerifiedVulnerabilitySeverityLevel, Name: NotVerifiedVulnerabilityName, diff --git a/scan/jwt/not_verified_test.go b/scan/jwt/not_verified_test.go index 6ec030c..cef4c73 100644 --- a/scan/jwt/not_verified_test.go +++ b/scan/jwt/not_verified_test.go @@ -1,6 +1,7 @@ package jwt_test import ( + "net/http" "testing" "github.com/cerberauth/vulnapi/internal/auth" @@ -34,11 +35,36 @@ func TestNotVerifiedScanHandler(t *testing.T) { securityScheme := auth.NewAuthorizationBearerSecurityScheme("token", &token) operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil) - httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.NewBytesResponder(401, nil)) - + httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.ResponderFromMultipleResponses( + []*http.Response{ + httpmock.NewBytesResponse(200, nil), + httpmock.NewBytesResponse(401, nil), + }, t.Log), + ) report, err := jwt.NotVerifiedScanHandler(operation, securityScheme) assert.NoError(t, err) assert.Equal(t, 2, httpmock.GetTotalCallCount()) assert.False(t, report.HasVulnerabilityReport()) } + +func TestNotVerifiedScanHandlerWithNotVerifiedJWT(t *testing.T) { + httpmock.Activate() + defer httpmock.DeactivateAndReset() + + token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" + securityScheme := auth.NewAuthorizationBearerSecurityScheme("token", &token) + operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil) + + httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.ResponderFromMultipleResponses( + []*http.Response{ + httpmock.NewBytesResponse(200, nil), + httpmock.NewBytesResponse(200, nil), + }, t.Log), + ) + report, err := jwt.NotVerifiedScanHandler(operation, securityScheme) + + assert.NoError(t, err) + assert.Equal(t, 2, httpmock.GetTotalCallCount()) + assert.True(t, report.HasVulnerabilityReport()) +}