Merge pull request #105 from blacklanternsecurity/custom_keys_tolerance
fixing jsf_viewstate custom secrets issue
liquidsec authored Dec 21, 2023
2 parents 9aff72d + 3eb8096 commit 429cc38
Showing 3 changed files with 48 additions and 4 deletions.
2 changes: 1 addition & 1 deletion badsecrets/examples/cli.py
@@ -33,7 +33,7 @@
def print_version():
version = pkg_resources.get_distribution("badsecrets").version
if version == "0.0.0":
version = "Version Unknown (Running w/poetry?)"
version = "ersion Unknown (Running w/poetry?)"
print(f"v{version}\n")


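Review bot: The literal `"ersion Unknown (Running w/poetry?)"` reads as a typo, because it only renders correctly through the `v` that `print(f"v{version}\n")` prepends on the next line. Assuming the second printed variant is the new side, a comment such as `# leading "V" dropped on purpose: the print below prepends "v"` would stop a later reader from "fixing" it back. Printing the fallback message on its own, without the prefix, would avoid the coupling and keep the capital "V", which the current form turns into lower case.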
15 changes: 12 additions & 3 deletions badsecrets/modules/jsf_viewstate.py
@@ -243,7 +243,10 @@ def check_secret(self, jsf_viewstate_value):

# Mojarra decryption
for l in self.load_resources(["jsf_viewstate_passwords_b64.txt"]):
password_bytes = base64.b64decode(l.rstrip())
try:
password_bytes = base64.b64decode(l.rstrip())
except binascii.Error:
continue
decrypted = self.AES_decrypt(jsf_viewstate_value, password_bytes)

if decrypted:
@@ -279,7 +282,10 @@ def check_secret(self, jsf_viewstate_value):

# Attempt to solve mac_key
for l in self.load_resources(["jsf_viewstate_passwords_b64.txt"]):
password_bytes = base64.b64decode(l.rstrip())
try:
password_bytes = base64.b64decode(l.rstrip())
except binascii.Error:
continue
myfaces_solved_mac_key, myfaces_solved_mac_algo = self.myfaces_mac(ct_bytes, password_bytes)
if myfaces_solved_mac_key:
break
@@ -297,7 +303,10 @@ def check_secret(self, jsf_viewstate_value):
hash_sizes = self.hash_sizes.values()

for l in self.load_resources(["jsf_viewstate_passwords_b64.txt"]):
password_bytes = base64.b64decode(l.rstrip())
try:
password_bytes = base64.b64decode(l.rstrip())
except binascii.Error:
continue
(
myfaces_solved_decryption_key,
myfaces_solved_decryption_algo,
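Review bot: The new `except binascii.Error: continue` in the Mojarra loop, and the identical guard in the two MyFaces loops after it, drops an undecodable line without any trace, so a malformed entry in a custom secrets file yields a clean "nothing found" result for a key that was never tried. Because the tool's output is read as evidence that no known key is in use, the skipped lines should be counted or logged so that this false negative is visible. Separately, `base64.b64decode` without `validate=True` discards non-alphabet characters before the padding check, so many non-base64 lines decode to unrelated bytes instead of raising; `password_bytes = base64.b64decode(l.rstrip(), validate=True)` would send them down the same skip path, provided the bundled list holds only strict base64. The guard is repeated three times and could live in one small helper that yields the decoded passwords. `check_secret` starts and ends outside these hunks, and the `binascii` import is not visible here.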
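--- a/tests/examples_cli_test.py
+++ b/tests/examples_cli_test.py
@@ -503,6 +503,41 @@ def test_example_cli_customsecrets_toolarge(monkeypatch, capsys):
 assert "exceeds the maximum limit of 100KB!" in captured.out
 
 
+def test_example_cli_customsecrets_urlmode_expressbase64(monkeypatch, capsys):
+base_vulnerable_page_jsf_custom = """
+<p><input type="hidden" name="javax.faces.ViewState" id="j_id__v_0:javax.faces.ViewState:1" value="AHo0wmLu5ceItIi+I7XkEi1GAb4h12WZ894pA+Z4OH7bco2jXEy1RSCWwjtJcZNbWPcvPqL5zzfl03DoeMZfGGX7a9PSv+fUT8MAeKNouAGj1dZuO8srXt8xZIGg+wPCWWCzcX6IhWOtgWUwiXeSojCDTKXklsYt+kzlVBk5wOsXvb2lTJoO0Q==" autocomplete="off" />
+"""
+
+with tempfile.NamedTemporaryFile("w+t", delete=False) as f:
+f.write("base64:aGFja3RoZXBsYW5ldA==")
+f.flush()
+
+with requests_mock.Mocker() as m:
+m.get(
+f"http://example.com/vulnerablejsf.html",
+status_code=200,
+text=base_vulnerable_page_jsf_custom,
+)
+
+monkeypatch.setattr(
+"sys.argv",
+[
+"python",
+"--url",
+"http://example.com/vulnerablejsf.html",
+"-c",
+f.name,
+],
+)
+cli.main()
+captured = capsys.readouterr()
+print(captured)
+assert ("Including custom secrets list") in captured.out
+assert (
+"e496c62dfa4ce5541939c0eb17bdbda54c9a0ed1:007a34c262eee5c788b488be23b5e4122d4601be21d76599f3de2903e678387edb728da35c4cb5452096c23b4971935b58f72f3ea2f9cf37e5d370e878c65f1865fb6bd3d2bfe7d44fc30078a368b801a3d5d66e3bcb2b5edf316481a0fb03c25960b3717e888563ad816530897792a230834ca5"
+) in captured.out
+
+
 def test_example_cli_customsecrets_urlmode(monkeypatch, capsys):
 base_vulnerable_page_aspnet_custom = """
 <form method="post" action="./form.aspx" id="ctl00">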
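Review bot: The temporary secrets file in `test_example_cli_customsecrets_urlmode_expressbase64` is created with `delete=False` and never removed, so every run leaves a file behind in the temp directory. Writing it under pytest's `tmp_path` fixture, or unlinking `f.name` in a `finally` after `cli.main()`, would avoid that. `print(captured)` looks like leftover debugging, and the `f` prefix on `f"http://example.com/vulnerablejsf.html"` has no placeholders, so both can go. A one-line docstring saying that the test covers a `base64:`-prefixed custom secret matched against a JSF ViewState would make the intent clear.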
