Merge pull request #6 from cerberauth/jwt-not-verified-challenge

refactor: move jwt generation in the challenges and create commands
cerberauth · Sep 30, 2023 · 4f5a18f · 4f5a18f
2 parents 846d267 + eb66676
commit 4f5a18f
Show file tree

Hide file tree

Showing 20 changed files with 313 additions and 121 deletions.
diff --git a/challenges/jwt-alg-none-bypass/.gitignore b/challenges/jwt-alg-none-bypass/.gitignore
@@ -0,0 +1,14 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+jwt-alg-none-bypass
diff --git a/challenges/jwt-alg-none-bypass/cmd/jwt/root.go b/challenges/jwt-alg-none-bypass/cmd/jwt/root.go
@@ -0,0 +1,26 @@
+package jwt
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/spf13/cobra"
+)
+
+func NewJwtCmd() (jwtCmd *cobra.Command) {
+	jwtCmd = &cobra.Command{
+		Use: "jwt",
+		Run: func(cmd *cobra.Command, args []string) {
+			token := jwt.New(jwt.SigningMethodNone)
+			tokenString, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
+			if err != nil {
+				log.Fatal(err)
+			}
+
+			fmt.Printf("Token example: %s", tokenString)
+		},
+	}
+
+	return jwtCmd
+}
diff --git a/challenges/jwt-alg-none-bypass/cmd/root.go b/challenges/jwt-alg-none-bypass/cmd/root.go
@@ -0,0 +1,29 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass/cmd/jwt"
+	"github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass/cmd/serve"
+
+	"github.com/spf13/cobra"
+)
+
+func NewRootCmd() (cmd *cobra.Command) {
+	var rootCmd = &cobra.Command{}
+
+	rootCmd.AddCommand(serve.NewServeCmd())
+	rootCmd.AddCommand(jwt.NewJwtCmd())
+
+	return rootCmd
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the RootCmd.
+func Execute() {
+	c := NewRootCmd()
+
+	if err := c.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
diff --git a/challenges/jwt-alg-none-bypass/cmd/serve/root.go b/challenges/jwt-alg-none-bypass/cmd/serve/root.go
@@ -0,0 +1,18 @@
+package serve
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass/serve"
+)
+
+func NewServeCmd() (serveCmd *cobra.Command) {
+	serveCmd = &cobra.Command{
+		Use: "serve",
+		Run: func(cmd *cobra.Command, args []string) {
+			serve.RunServer()
+		},
+	}
+
+	return serveCmd
+}
diff --git a/challenges/jwt-alg-none-bypass/go.mod b/challenges/jwt-alg-none-bypass/go.mod
@@ -2,4 +2,12 @@ module github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass
 
 go 1.20
 
-require github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+require (
+	github.com/golang-jwt/jwt/v5 v5.0.0
+	github.com/spf13/cobra v1.7.0
+)
+
+require (
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+)
diff --git a/challenges/jwt-alg-none-bypass/go.sum b/challenges/jwt-alg-none-bypass/go.sum
@@ -1,2 +1,12 @@
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/challenges/jwt-alg-none-bypass/main.go b/challenges/jwt-alg-none-bypass/main.go
@@ -1,51 +1,7 @@
 package main
 
-import (
-	"fmt"
-	"log"
-	"net/http"
-	"strings"
-
-	"github.com/golang-jwt/jwt/v5"
-)
+import "github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass/cmd"
 
 func main() {
-	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		authorizationHeader := r.Header.Get("authorization")
-		if authorizationHeader == "" {
-			w.WriteHeader(401)
-			return
-		}
-
-		parts := strings.Split(authorizationHeader, "Bearer")
-		if len(parts) != 2 {
-			w.WriteHeader(401)
-			return
-		}
-
-		tokenString := strings.TrimSpace(parts[1])
-		token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-			// fake vulnerability
-			if token.Method.Alg() == "none" {
-				return jwt.UnsafeAllowNoneSignatureType, nil
-			}
-
-			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-				return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
-			}
-
-			return []byte("my_secret_key"), nil
-		})
-
-		if token != nil && token.Valid {
-			w.WriteHeader(204)
-		} else {
-			fmt.Println(err)
-			w.WriteHeader(401)
-		}
-	})
-
-	if err := http.ListenAndServe(":8080", nil); err != nil {
-		log.Fatal(err)
-	}
+	cmd.Execute()
 }
diff --git a/challenges/jwt-alg-none-bypass/serve/server.go b/challenges/jwt-alg-none-bypass/serve/server.go
@@ -0,0 +1,50 @@
+package serve
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func RunServer() {
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		authorizationHeader := r.Header.Get("authorization")
+		if authorizationHeader == "" {
+			w.WriteHeader(401)
+			return
+		}
+
+		parts := strings.Split(authorizationHeader, "Bearer")
+		if len(parts) != 2 {
+			w.WriteHeader(401)
+			return
+		}
+
+		tokenString := strings.TrimSpace(parts[1])
+		token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+			// fake vulnerability
+			if token.Method.Alg() == "none" {
+				return jwt.UnsafeAllowNoneSignatureType, nil
+			}
+
+			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+				return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+			}
+
+			return []byte("my_secret_key"), nil
+		})
+
+		if token != nil && token.Valid {
+			w.WriteHeader(204)
+		} else {
+			fmt.Println(err)
+			w.WriteHeader(401)
+		}
+	})
+
+	log.Println("starting server")
+	log.Fatal(http.ListenAndServe(":8080", nil))
+}
diff --git a/challenges/jwt-weak-hmac-secret/.gitignore b/challenges/jwt-weak-hmac-secret/.gitignore
@@ -0,0 +1,14 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+jwt-weak-hmac-secret
diff --git a/challenges/jwt-weak-hmac-secret/cmd/jwt/root.go b/challenges/jwt-weak-hmac-secret/cmd/jwt/root.go
@@ -0,0 +1,26 @@
+package jwt
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/spf13/cobra"
+)
+
+func NewJwtCmd() (jwtCmd *cobra.Command) {
+	jwtCmd = &cobra.Command{
+		Use: "jwt",
+		Run: func(cmd *cobra.Command, args []string) {
+			token := jwt.New(jwt.SigningMethodHS256)
+			tokenString, err := token.SignedString([]byte("secret"))
+			if err != nil {
+				log.Fatal(err)
+			}
+
+			fmt.Printf("Token example: %s", tokenString)
+		},
+	}
+
+	return jwtCmd
+}
diff --git a/challenges/jwt-weak-hmac-secret/cmd/root.go b/challenges/jwt-weak-hmac-secret/cmd/root.go
@@ -0,0 +1,29 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret/cmd/jwt"
+	"github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret/cmd/serve"
+
+	"github.com/spf13/cobra"
+)
+
+func NewRootCmd() (cmd *cobra.Command) {
+	var rootCmd = &cobra.Command{}
+
+	rootCmd.AddCommand(serve.NewServeCmd())
+	rootCmd.AddCommand(jwt.NewJwtCmd())
+
+	return rootCmd
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the RootCmd.
+func Execute() {
+	c := NewRootCmd()
+
+	if err := c.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
diff --git a/challenges/jwt-weak-hmac-secret/cmd/serve/root.go b/challenges/jwt-weak-hmac-secret/cmd/serve/root.go
@@ -0,0 +1,18 @@
+package serve
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret/serve"
+)
+
+func NewServeCmd() (serveCmd *cobra.Command) {
+	serveCmd = &cobra.Command{
+		Use: "serve",
+		Run: func(cmd *cobra.Command, args []string) {
+			serve.RunServer()
+		},
+	}
+
+	return serveCmd
+}
diff --git a/challenges/jwt-weak-hmac-secret/go.mod b/challenges/jwt-weak-hmac-secret/go.mod
@@ -2,4 +2,12 @@ module github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret
 
 go 1.20
 
-require github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+require (
+	github.com/golang-jwt/jwt/v5 v5.0.0
+	github.com/spf13/cobra v1.7.0
+)
+
+require (
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+)
diff --git a/challenges/jwt-weak-hmac-secret/go.sum b/challenges/jwt-weak-hmac-secret/go.sum
@@ -0,0 +1,12 @@
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/challenges/jwt-weak-hmac-secret/main.go b/challenges/jwt-weak-hmac-secret/main.go
@@ -1,46 +1,7 @@
 package main
 
-import (
-	"fmt"
-	"log"
-	"net/http"
-	"strings"
-
-	"github.com/golang-jwt/jwt/v5"
-)
+import "github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret/cmd"
 
 func main() {
-	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		authorizationHeader := r.Header.Get("authorization")
-		if authorizationHeader == "" {
-			w.WriteHeader(401)
-			return
-		}
-
-		parts := strings.Split(authorizationHeader, "Bearer")
-		if len(parts) != 2 {
-			w.WriteHeader(401)
-			return
-		}
-
-		tokenString := strings.TrimSpace(parts[1])
-		token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-				return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
-			}
-
-			return []byte("secret"), nil
-		})
-
-		if token != nil && token.Valid {
-			w.WriteHeader(204)
-		} else {
-			fmt.Println(err)
-			w.WriteHeader(401)
-		}
-	})
-
-	if err := http.ListenAndServe(":8080", nil); err != nil {
-		log.Fatal(err)
-	}
+	cmd.Execute()
 }