Merge pull request #209 from cerberauth/httpmethod-override-scan

Add HTTP Method override scan
cerberauth · Oct 22, 2024 · 39cb8e3 · 39cb8e3
2 parents ed5d68b + df2637a
commit 39cb8e3
Show file tree

Hide file tree

Showing 19 changed files with 682 additions and 152 deletions.
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
@@ -97,6 +97,8 @@ jobs:
             url: "http://localhost:8080/cookies/samesite-none"
           - challenge: "misconfiguration.http_cookies"
             url: "http://localhost:8080/cookies/no-expiration"
+          - challenge: "misconfiguration.http_method_override"
+            url: "http://localhost:8080/cookies/http-method-override"
 
     steps:
       - uses: actions/checkout@v4

diff --git a/docs/vulnerabilities.mdx b/docs/vulnerabilities.mdx
@@ -6,17 +6,17 @@
 | Private Field Access                                                                                  | API1:2023 Broken Object Level Authorization | Medium   | |
 | Mass Assignment                                                                                       | API1:2023 Broken Object Level Authorization | Medium   | |
 | Authentication Bypass                                                                                 | API2:2023 Broken Authentication             | High     | ✅ |
-| [JWT `none` algorithm](./vulnerabilities/broken-authentication/jwt-alg-none.md)                       | API2:2023 Broken Authentication             | High     | ✅ |
-| [JWT blank secret](./vulnerabilities/broken-authentication/jwt-blank-secret.md)                       | API2:2023 Broken Authentication             | High     | ✅ |
+| [JWT `none` algorithm](./vulnerabilities/broken-authentication/jwt-alg-none.mdx)                       | API2:2023 Broken Authentication             | High     | ✅ |
+| [JWT blank secret](./vulnerabilities/broken-authentication/jwt-blank-secret.mdx)                       | API2:2023 Broken Authentication             | High     | ✅ |
 | JWT weak secret                                                                                       | API2:2023 Broken Authentication             | High     | ✅ |
-| [JWT Audience cross service relay attack](./vulnerabilities/broken-authentication/jwt-cross-service-relay-attack.md) | API2:2023 Broken Authentication             | High     | |
-| [JWT Null Signature](./vulnerabilities/broken-authentication/jwt-null-signature.md)                   | API2:2023 Broken Authentication             | High     | ✅ |
+| [JWT Audience cross service relay attack](./vulnerabilities/broken-authentication/jwt-cross-service-relay-attack.mdx) | API2:2023 Broken Authentication             | High     | |
+| [JWT Null Signature](./vulnerabilities/broken-authentication/jwt-null-signature.mdx)                   | API2:2023 Broken Authentication             | High     | ✅ |
 | JWT Algorithm Confusion                                                                               | API2:2023 Broken Authentication             | High     | ✅ |
 | JWT Signature not verified                                                                            | API2:2023 Broken Authentication             | High     | ✅ |
 | JWT Expired                                                                                           | API2:2023 Broken Authentication             | High     | |
 | Discoverable OpenAPI                                                                                  | API7:2023 Server Side Request Forgery       | Info     | ✅ |
 | Discoverable GraphQL Endpoint                                                                         | API7:2023 Server Side Request Forgery       | Info     | ✅ |
-| [GraphQL Introspection Enabled](./vulnerabilities/security-misconfiguration/graphql-introspection.md) | API7:2023 Server Side Request Forgery       | Info     | ✅ |
+| [GraphQL Introspection Enabled](./vulnerabilities/security-misconfiguration/graphql-introspection.mdx) | API8:2023 Security Misconfiguration         | Info     | ✅ |
 | Secrets Leak                                                                                          | API8:2023 Security Misconfiguration         | High     | |
 | Directory Listing                                                                                     | API8:2023 Security Misconfiguration         | Medium   | |
 | Private IP Disclosure                                                                                 | API8:2023 Security Misconfiguration         | Low      | |
@@ -26,6 +26,7 @@
 | No Cookie expiration                                                                                  | API8:2023 Security Misconfiguration         | Info     | ✅ |
 | No CORS Headers                                                                                       | API8:2023 Security Misconfiguration         | Info     | ✅ |
 | Permissive CORS Headers                                                                               | API8:2023 Security Misconfiguration         | Info     | ✅ |
+| [HTTP Method Override Enabled](./vulnerabilities/security-misconfiguration/http-method-allow-override.mdx)  | API8:2023 Security Misconfiguration         | Info - High     | ✅ | 
 | X-Content-Type-Options Header Not Set                                                                 | API8:2023 Security Misconfiguration         | Info     | ✅ |
 | X-Frame-Options Header Not Set                                                                        | API8:2023 Security Misconfiguration         | Info     | ✅ |
 | CSP Header Not Set                                                                                    | API8:2023 Security Misconfiguration         | Info     | ✅ |

diff --git a/docs/vulnerabilities/broken-authentication/jwt-alg-none.mdx b/docs/vulnerabilities/broken-authentication/jwt-alg-none.mdx
@@ -7,35 +7,31 @@ import { Tabs } from 'nextra/components'
 # JWT None Algorithm
 
 <table>
-    <tr>
-        <th>Severity</th>
-        <td>High</td>
-    </tr>
-    <tr>
-        <th>CVEs</th>
-        <td>
-            <ul>
-                <li><a href="https://www.cve.org/CVERecord?id=CVE-2015-9235">CVE-2015-9235</a></li>
-                <li><a href="https://www.cve.org/CVERecord?id=CVE-2015-2951">CVE-2015-2951</a></li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <th>Classifications</th>
-        <td>
-            <ul>
-                <li><a href="https://cwe.mitre.org/data/definitions/345.html">CWE-345: Insufficient Verification of Data Authenticity</a></li>
-                <li><a href="https://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a></li>
-                <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input Validation</a></li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <th>OWASP Category</th>
-        <td>
-            <a href="https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/">OWASP API2:2023 Broken Authentication</a>
-        </td>
-    </tr>
+  <tr>
+    <th>Severity</th>
+    <td>High</td>
+  </tr>
+  <tr>
+    <th>CVEs</th>
+    <td>
+      * [CVE-2015-9235](https://www.cve.org/CVERecord?id=CVE-2015-9235)
+      * [CVE-2015-2951](https://www.cve.org/CVERecord?id=CVE-2015-2951)
+    </td>
+  </tr>
+  <tr>
+    <th>Classifications</th>
+    <td>
+      * [CWE-345: Insufficient Verification of Data Authenticity](https://cwe.mitre.org/data/definitions/345.html)
+      * [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)
+      * [CWE-20: Improper Input Validation](https://cwe.mitre.org/data/definitions/20.html)
+    </td>
+  </tr>
+  <tr>
+    <th>OWASP Category</th>
+    <td>
+      [OWASP API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
+    </td>
+  </tr>
 </table>
 
 Accepting the "none" algorithm in a JSON Web Token (JWT) occurs when a JWT is signed with the "none" algorithm, it means there is no signature, making it easy for attackers to tamper with the token's content without detection. This can lead to unauthorized access and data manipulation.
@@ -86,7 +82,7 @@ If you want to test only the "JWT Alg None" vulnerability, you can use the follo
 <Tabs items={['cURL', 'OpenAPI', 'GraphQL']}>
   <Tabs.Tab>
 ```bash copy
-echo "vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.alg_none
+vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.alg_none
 ```
   </Tabs.Tab>
   <Tabs.Tab>
@@ -96,7 +92,7 @@ echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --sca
   </Tabs.Tab>
   <Tabs.Tab>
 ```bash copy
-echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.alg_none [url]
+vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.alg_none [url]
 ```
   </Tabs.Tab>
 </Tabs>

diff --git a/docs/vulnerabilities/broken-authentication/jwt-blank-secret.mdx b/docs/vulnerabilities/broken-authentication/jwt-blank-secret.mdx
@@ -7,33 +7,29 @@ import { Tabs } from 'nextra/components'
 # JWT Blank Secret
 
 <table>
-    <tr>
-        <th>Severity</th>
-        <td>High</td>
-    </tr>
-    <tr>
-        <th>CVEs</th>
-        <td>
-            <ul>
-                <li><a href="https://www.cve.org/CVERecord?id=CVE-2019-20933">CVE-2019-20933</a></li>
-                <li><a href="https://www.cve.org/CVERecord?id=CVE-2020-28637">CVE-2020-28637</a></li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <th>Classifications</th>
-        <td>
-            <ul>
-                <a href="https://cwe.mitre.org/data/definitions/287.html">CWE-287: Improper Authentication</a>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <th>OWASP Category</th>
-        <td>
-            <a href="https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/">OWASP API2:2023 Broken Authentication</a>
-        </td>
-    </tr>
+  <tr>
+    <th>Severity</th>
+    <td>High</td>
+  </tr>
+  <tr>
+    <th>CVEs</th>
+    <td>
+      * [CVE-2019-20933](https://www.cve.org/CVERecord?id=CVE-2019-20933)
+      * [CVE-2020-28637](https://www.cve.org/CVERecord?id=CVE-2020-28637)
+    </td>
+  </tr>
+  <tr>
+    <th>Classifications</th>
+    <td>
+      [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
+    </td>
+  </tr>
+  <tr>
+    <th>OWASP Category</th>
+    <td>
+      [OWASP API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
+    </td>
+  </tr>
 </table>
 
 A vulnerability occurs when a JSON Web Token (JWT) is signed with an empty secret. In this scenario, the token lacks proper cryptographic protection, making it susceptible to manipulation. Attackers can modify the token's claims and content without detection, potentially leading to unauthorized access and data tampering.
@@ -77,7 +73,7 @@ If you want to test only the "JWT Blank Secret" vulnerability, you can use the f
 <Tabs items={['cURL', 'OpenAPI', 'GraphQL']}>
   <Tabs.Tab>
 ```bash copy
-echo "vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.blank_secret
+vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.blank_secret
 ```
   </Tabs.Tab>
   <Tabs.Tab>
@@ -87,7 +83,7 @@ echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --sca
   </Tabs.Tab>
   <Tabs.Tab>
 ```bash copy
-echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.blank_secret [url]
+vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.blank_secret [url]
 ```
   </Tabs.Tab>
 </Tabs>

diff --git a/...ication/jwt-cross-service-relay-attack.md → ...cation/jwt-cross-service-relay-attack.mdx b/...ication/jwt-cross-service-relay-attack.md → ...cation/jwt-cross-service-relay-attack.mdx
@@ -5,24 +5,24 @@ description: A vulnerability arises when a JSON Web Token (JWT) is signed by the
 # JWT Cross Service Relay Attack
 
 <table>
-    <tr>
-        <th>Severity</th>
-        <td>High</td>
-    </tr>
-    <tr>
-        <th>CVEs</th>
-        <td></td>
-    </tr>
-    <tr>
-        <th>Classifications</th>
-        <td></td>
-    </tr>
-    <tr>
-        <th>OWASP Category</th>
-        <td>
-            <a href="https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/">OWASP API2:2023 Broken Authentication</a>
-        </td>
-    </tr>
+  <tr>
+    <th>Severity</th>
+    <td>High</td>
+  </tr>
+  <tr>
+    <th>CVEs</th>
+    <td></td>
+  </tr>
+  <tr>
+    <th>Classifications</th>
+    <td></td>
+  </tr>
+  <tr>
+    <th>OWASP Category</th>
+    <td>
+      [OWASP API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
+    </td>
+  </tr>
 </table>
 
 A vulnerability arises when a JSON Web Token (JWT) is signed by the same service but doesn't verify the issuer (the source of the token) and the audience (the intended recipient). This can lead to security risks, as it means an attacker could create a forged JWT with the same service signature and manipulate the issuer and audience fields. Without proper verification, the service may accept the forged token, potentially granting unauthorized access or compromising the system's security.

diff --git a/docs/vulnerabilities/broken-authentication/jwt-null-signature.mdx b/docs/vulnerabilities/broken-authentication/jwt-null-signature.mdx
@@ -7,32 +7,28 @@ import { Tabs } from 'nextra/components'
 # JWT Null Signature
 
 <table>
-    <tr>
-        <th>Severity</th>
-        <td>High</td>
-    </tr>
-    <tr>
-        <th>CVEs</th>
-        <td>
-            <ul>
-                <li><a href="https://www.cve.org/CVERecord?id=CVE-2020-28042">CVE-2020-28042</a></li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <th>Classifications</th>
-        <td>
-            <ul>
-                <li><a href="https://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a></li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <th>OWASP Category</th>
-        <td>
-            <a href="https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/">OWASP API2:2023 Broken Authentication</a>
-        </td>
-    </tr>
+  <tr>
+    <th>Severity</th>
+    <td>High</td>
+  </tr>
+  <tr>
+    <th>CVEs</th>
+    <td>
+      * [CVE-2020-28042](https://www.cve.org/CVERecord?id=CVE-2020-28042)
+    </td>
+  </tr>
+  <tr>
+    <th>Classifications</th>
+    <td>
+      [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)
+    </td>
+  </tr>
+  <tr>
+    <th>OWASP Category</th>
+    <td>
+      [OWASP API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
+    </td>
+  </tr>
 </table>
 
 The "JWT Null Signature" vulnerability occurs when a JSON Web Token (JWT) lacks a signature part, allowing attackers to manipulate the token's content potentially leading to unauthorized access and data tampering.
@@ -78,7 +74,7 @@ If you want to test only the "JWT Null Signature" vulnerability, you can use the
 <Tabs items={['cURL', 'OpenAPI', 'GraphQL']}>
   <Tabs.Tab>
 ```bash copy
-echo "vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.null_signature
+vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.null_signature
 ```
   </Tabs.Tab>
   <Tabs.Tab>
@@ -88,7 +84,7 @@ echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --sca
   </Tabs.Tab>
   <Tabs.Tab>
 ```bash copy
-echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.null_signature [url]
+vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.null_signature [url]
 ```
   </Tabs.Tab>
 </Tabs>

diff --git a/docs/vulnerabilities/broken-authentication/jwt-weak-secret.mdx b/docs/vulnerabilities/broken-authentication/jwt-weak-secret.mdx
@@ -7,35 +7,31 @@ import { Tabs } from 'nextra/components'
 # JWT Weak Secret
 
 <table>
-    <tr>
-        <th>Severity</th>
-        <td>High</td>
-    </tr>
-    <tr>
-        <th>CVEs</th>
-        <td>
-            <ul>
-                <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-27172">CVE-2023-27172</a></li>
-                <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-46943">CVE-2023-46943</a></li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <th>Classifications</th>
-        <td>
-            <ul>
-                <li><a href="https://cwe.mitre.org/data/definitions/287.html">CWE-287: Improper Authentication</a></li>
-                <li><a href="https://cwe.mitre.org/data/definitions/307.html">CWE-307: Improper Restriction of Excessive Authentication Attempts</a></li>
-                <li><a href="https://cwe.mitre.org/data/definitions/798.html">CWE-798: Use of Hard-coded Credentials</a></li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <th>OWASP Category</th>
-        <td>
-            <a href="https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/">OWASP API2:2023 Broken Authentication</a>
-        </td>
-    </tr>
+  <tr>
+    <th>Severity</th>
+    <td>High</td>
+  </tr>
+  <tr>
+    <th>CVEs</th>
+    <td>
+      * [CVE-2023-27172](https://nvd.nist.gov/vuln/detail/CVE-2023-27172)
+      * [CVE-2023-46943](https://nvd.nist.gov/vuln/detail/CVE-2023-46943)
+    </td>
+  </tr>
+  <tr>
+    <th>Classifications</th>
+    <td>
+      * [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
+      * [CWE-307: Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html)
+      * [CWE-798: Use of Hard-coded Credentials](https://cwe.mitre.org/data/definitions/798.html)
+    </td>
+  </tr>
+  <tr>
+    <th>OWASP Category</th>
+    <td>
+      [OWASP API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
+    </td>
+  </tr>
 </table>
 
 A vulnerability occurs when a JSON Web Token (JWT) is signed with a common, a well-known, or a weak secret. In this scenario, the token lacks proper cryptographic protection, making it susceptible to manipulation. Attackers can find the secret then modify the token's claims and content without detection, potentially leading to unauthorized access and data tampering.
@@ -85,7 +81,7 @@ If you want to test only the "JWT Null Signature" vulnerability, you can use the
 <Tabs items={['cURL', 'OpenAPI', 'GraphQL']}>
   <Tabs.Tab>
 ```bash copy
-echo "vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.weak_secret
+vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.weak_secret
 ```
   </Tabs.Tab>
   <Tabs.Tab>
@@ -95,7 +91,7 @@ echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --sca
   </Tabs.Tab>
   <Tabs.Tab>
 ```bash copy
-echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.weak_secret [url]
+vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.weak_secret [url]
 ```
   </Tabs.Tab>
 </Tabs>

diff --git a/docs/vulnerabilities/security-misconfiguration/_meta.json b/docs/vulnerabilities/security-misconfiguration/_meta.json
@@ -1,5 +1,8 @@
 {
   "graphql-introspection": {
     "title": "GraphQL Introspection Enabled"
+  },
+  "http-method-allow-override": {
+    "title": "HTTP Method Override Enabled"
   }
 }