diff --git a/challenges/jwt-alg-none-bypass/.gitignore b/challenges/jwt-alg-none-bypass/.gitignore new file mode 100644 index 0000000..a9d8ef1 --- /dev/null +++ b/challenges/jwt-alg-none-bypass/.gitignore @@ -0,0 +1,14 @@ +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, built with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +jwt-alg-none-bypass diff --git a/challenges/jwt-alg-none-bypass/cmd/jwt/root.go b/challenges/jwt-alg-none-bypass/cmd/jwt/root.go new file mode 100644 index 0000000..c3d13a1 --- /dev/null +++ b/challenges/jwt-alg-none-bypass/cmd/jwt/root.go @@ -0,0 +1,26 @@ +package jwt + +import ( + "fmt" + "log" + + "github.com/golang-jwt/jwt/v5" + "github.com/spf13/cobra" +) + +func NewJwtCmd() (jwtCmd *cobra.Command) { + jwtCmd = &cobra.Command{ + Use: "jwt", + Run: func(cmd *cobra.Command, args []string) { + token := jwt.New(jwt.SigningMethodNone) + tokenString, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType) + if err != nil { + log.Fatal(err) + } + + fmt.Printf("Token example: %s", tokenString) + }, + } + + return jwtCmd +} diff --git a/challenges/jwt-alg-none-bypass/cmd/root.go b/challenges/jwt-alg-none-bypass/cmd/root.go new file mode 100644 index 0000000..8786f33 --- /dev/null +++ b/challenges/jwt-alg-none-bypass/cmd/root.go @@ -0,0 +1,29 @@ +package cmd + +import ( + "os" + + "github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass/cmd/jwt" + "github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass/cmd/serve" + + "github.com/spf13/cobra" +) + +func NewRootCmd() (cmd *cobra.Command) { + var rootCmd = &cobra.Command{} + + rootCmd.AddCommand(serve.NewServeCmd()) + rootCmd.AddCommand(jwt.NewJwtCmd()) + + return rootCmd +} + +// Execute adds all child commands to the root command and sets flags appropriately. +// This is called by main.main(). It only needs to happen once to the RootCmd. +func Execute() { + c := NewRootCmd() + + if err := c.Execute(); err != nil { + os.Exit(1) + } +} diff --git a/challenges/jwt-alg-none-bypass/cmd/serve/root.go b/challenges/jwt-alg-none-bypass/cmd/serve/root.go new file mode 100644 index 0000000..2b33685 --- /dev/null +++ b/challenges/jwt-alg-none-bypass/cmd/serve/root.go @@ -0,0 +1,18 @@ +package serve + +import ( + "github.com/spf13/cobra" + + "github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass/serve" +) + +func NewServeCmd() (serveCmd *cobra.Command) { + serveCmd = &cobra.Command{ + Use: "serve", + Run: func(cmd *cobra.Command, args []string) { + serve.RunServer() + }, + } + + return serveCmd +} diff --git a/challenges/jwt-alg-none-bypass/go.mod b/challenges/jwt-alg-none-bypass/go.mod index 847954f..c10a775 100644 --- a/challenges/jwt-alg-none-bypass/go.mod +++ b/challenges/jwt-alg-none-bypass/go.mod @@ -2,4 +2,12 @@ module github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass go 1.20 -require github.com/golang-jwt/jwt/v5 v5.0.0 // indirect +require ( + github.com/golang-jwt/jwt/v5 v5.0.0 + github.com/spf13/cobra v1.7.0 +) + +require ( + github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/spf13/pflag v1.0.5 // indirect +) diff --git a/challenges/jwt-alg-none-bypass/go.sum b/challenges/jwt-alg-none-bypass/go.sum index fcfb224..a342d71 100644 --- a/challenges/jwt-alg-none-bypass/go.sum +++ b/challenges/jwt-alg-none-bypass/go.sum @@ -1,2 +1,12 @@ +github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= +github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/challenges/jwt-alg-none-bypass/main.go b/challenges/jwt-alg-none-bypass/main.go index 9d85aef..ab4484c 100644 --- a/challenges/jwt-alg-none-bypass/main.go +++ b/challenges/jwt-alg-none-bypass/main.go @@ -1,51 +1,7 @@ package main -import ( - "fmt" - "log" - "net/http" - "strings" - - "github.com/golang-jwt/jwt/v5" -) +import "github.com/cerberauth/vulns-challenges/challenges/jwt-alg-none-bypass/cmd" func main() { - http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { - authorizationHeader := r.Header.Get("authorization") - if authorizationHeader == "" { - w.WriteHeader(401) - return - } - - parts := strings.Split(authorizationHeader, "Bearer") - if len(parts) != 2 { - w.WriteHeader(401) - return - } - - tokenString := strings.TrimSpace(parts[1]) - token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { - // fake vulnerability - if token.Method.Alg() == "none" { - return jwt.UnsafeAllowNoneSignatureType, nil - } - - if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { - return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) - } - - return []byte("my_secret_key"), nil - }) - - if token != nil && token.Valid { - w.WriteHeader(204) - } else { - fmt.Println(err) - w.WriteHeader(401) - } - }) - - if err := http.ListenAndServe(":8080", nil); err != nil { - log.Fatal(err) - } + cmd.Execute() } diff --git a/challenges/jwt-alg-none-bypass/serve/server.go b/challenges/jwt-alg-none-bypass/serve/server.go new file mode 100644 index 0000000..a6dad43 --- /dev/null +++ b/challenges/jwt-alg-none-bypass/serve/server.go @@ -0,0 +1,50 @@ +package serve + +import ( + "fmt" + "log" + "net/http" + "strings" + + "github.com/golang-jwt/jwt/v5" +) + +func RunServer() { + http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + authorizationHeader := r.Header.Get("authorization") + if authorizationHeader == "" { + w.WriteHeader(401) + return + } + + parts := strings.Split(authorizationHeader, "Bearer") + if len(parts) != 2 { + w.WriteHeader(401) + return + } + + tokenString := strings.TrimSpace(parts[1]) + token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { + // fake vulnerability + if token.Method.Alg() == "none" { + return jwt.UnsafeAllowNoneSignatureType, nil + } + + if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { + return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) + } + + return []byte("my_secret_key"), nil + }) + + if token != nil && token.Valid { + w.WriteHeader(204) + } else { + fmt.Println(err) + w.WriteHeader(401) + } + }) + + log.Println("starting server") + log.Fatal(http.ListenAndServe(":8080", nil)) +} diff --git a/challenges/jwt-weak-hmac-secret/.gitignore b/challenges/jwt-weak-hmac-secret/.gitignore new file mode 100644 index 0000000..e9eb50d --- /dev/null +++ b/challenges/jwt-weak-hmac-secret/.gitignore @@ -0,0 +1,14 @@ +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, built with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +jwt-weak-hmac-secret diff --git a/challenges/jwt-weak-hmac-secret/cmd/jwt/root.go b/challenges/jwt-weak-hmac-secret/cmd/jwt/root.go new file mode 100644 index 0000000..6051f6f --- /dev/null +++ b/challenges/jwt-weak-hmac-secret/cmd/jwt/root.go @@ -0,0 +1,26 @@ +package jwt + +import ( + "fmt" + "log" + + "github.com/golang-jwt/jwt/v5" + "github.com/spf13/cobra" +) + +func NewJwtCmd() (jwtCmd *cobra.Command) { + jwtCmd = &cobra.Command{ + Use: "jwt", + Run: func(cmd *cobra.Command, args []string) { + token := jwt.New(jwt.SigningMethodHS256) + tokenString, err := token.SignedString([]byte("secret")) + if err != nil { + log.Fatal(err) + } + + fmt.Printf("Token example: %s", tokenString) + }, + } + + return jwtCmd +} diff --git a/challenges/jwt-weak-hmac-secret/cmd/root.go b/challenges/jwt-weak-hmac-secret/cmd/root.go new file mode 100644 index 0000000..6bf3b5f --- /dev/null +++ b/challenges/jwt-weak-hmac-secret/cmd/root.go @@ -0,0 +1,29 @@ +package cmd + +import ( + "os" + + "github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret/cmd/jwt" + "github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret/cmd/serve" + + "github.com/spf13/cobra" +) + +func NewRootCmd() (cmd *cobra.Command) { + var rootCmd = &cobra.Command{} + + rootCmd.AddCommand(serve.NewServeCmd()) + rootCmd.AddCommand(jwt.NewJwtCmd()) + + return rootCmd +} + +// Execute adds all child commands to the root command and sets flags appropriately. +// This is called by main.main(). It only needs to happen once to the RootCmd. +func Execute() { + c := NewRootCmd() + + if err := c.Execute(); err != nil { + os.Exit(1) + } +} diff --git a/challenges/jwt-weak-hmac-secret/cmd/serve/root.go b/challenges/jwt-weak-hmac-secret/cmd/serve/root.go new file mode 100644 index 0000000..7ac5295 --- /dev/null +++ b/challenges/jwt-weak-hmac-secret/cmd/serve/root.go @@ -0,0 +1,18 @@ +package serve + +import ( + "github.com/spf13/cobra" + + "github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret/serve" +) + +func NewServeCmd() (serveCmd *cobra.Command) { + serveCmd = &cobra.Command{ + Use: "serve", + Run: func(cmd *cobra.Command, args []string) { + serve.RunServer() + }, + } + + return serveCmd +} diff --git a/challenges/jwt-weak-hmac-secret/go.mod b/challenges/jwt-weak-hmac-secret/go.mod index bb44ebe..2c45334 100644 --- a/challenges/jwt-weak-hmac-secret/go.mod +++ b/challenges/jwt-weak-hmac-secret/go.mod @@ -2,4 +2,12 @@ module github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret go 1.20 -require github.com/golang-jwt/jwt/v5 v5.0.0 // indirect +require ( + github.com/golang-jwt/jwt/v5 v5.0.0 + github.com/spf13/cobra v1.7.0 +) + +require ( + github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/spf13/pflag v1.0.5 // indirect +) diff --git a/challenges/jwt-weak-hmac-secret/go.sum b/challenges/jwt-weak-hmac-secret/go.sum new file mode 100644 index 0000000..a342d71 --- /dev/null +++ b/challenges/jwt-weak-hmac-secret/go.sum @@ -0,0 +1,12 @@ +github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= +github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= +github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/challenges/jwt-weak-hmac-secret/main.go b/challenges/jwt-weak-hmac-secret/main.go index b0f82a5..11c75ba 100644 --- a/challenges/jwt-weak-hmac-secret/main.go +++ b/challenges/jwt-weak-hmac-secret/main.go @@ -1,46 +1,7 @@ package main -import ( - "fmt" - "log" - "net/http" - "strings" - - "github.com/golang-jwt/jwt/v5" -) +import "github.com/cerberauth/vulns-challenges/challenges/jwt-weak-hmac-secret/cmd" func main() { - http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { - authorizationHeader := r.Header.Get("authorization") - if authorizationHeader == "" { - w.WriteHeader(401) - return - } - - parts := strings.Split(authorizationHeader, "Bearer") - if len(parts) != 2 { - w.WriteHeader(401) - return - } - - tokenString := strings.TrimSpace(parts[1]) - token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { - if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { - return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) - } - - return []byte("secret"), nil - }) - - if token != nil && token.Valid { - w.WriteHeader(204) - } else { - fmt.Println(err) - w.WriteHeader(401) - } - }) - - if err := http.ListenAndServe(":8080", nil); err != nil { - log.Fatal(err) - } + cmd.Execute() } diff --git a/challenges/jwt-weak-hmac-secret/serve/server.go b/challenges/jwt-weak-hmac-secret/serve/server.go new file mode 100644 index 0000000..21b201d --- /dev/null +++ b/challenges/jwt-weak-hmac-secret/serve/server.go @@ -0,0 +1,45 @@ +package serve + +import ( + "fmt" + "log" + "net/http" + "strings" + + "github.com/golang-jwt/jwt/v5" +) + +func RunServer() { + http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + authorizationHeader := r.Header.Get("authorization") + if authorizationHeader == "" { + w.WriteHeader(401) + return + } + + parts := strings.Split(authorizationHeader, "Bearer") + if len(parts) != 2 { + w.WriteHeader(401) + return + } + + tokenString := strings.TrimSpace(parts[1]) + token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { + if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { + return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) + } + + return []byte("secret"), nil + }) + + if token != nil && token.Valid { + w.WriteHeader(204) + } else { + fmt.Println(err) + w.WriteHeader(401) + } + }) + + log.Println("starting server") + log.Fatal(http.ListenAndServe(":8080", nil)) +} diff --git a/go.work b/go.work deleted file mode 100644 index 2e9533f..0000000 --- a/go.work +++ /dev/null @@ -1,6 +0,0 @@ -go 1.20 - -use ( - ./challenges/jwt-alg-none-bypass - ./tools -) diff --git a/tools/go.mod b/tools/go.mod deleted file mode 100644 index fcba25e..0000000 --- a/tools/go.mod +++ /dev/null @@ -1,5 +0,0 @@ -module tools - -go 1.20 - -require github.com/golang-jwt/jwt/v5 v5.0.0 diff --git a/tools/go.sum b/tools/go.sum deleted file mode 100644 index fcfb224..0000000 --- a/tools/go.sum +++ /dev/null @@ -1,2 +0,0 @@ -github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= -github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= diff --git a/tools/jwt_generator.go b/tools/jwt_generator.go deleted file mode 100644 index 3a6ce65..0000000 --- a/tools/jwt_generator.go +++ /dev/null @@ -1,19 +0,0 @@ -package main - -import ( - "fmt" - - "github.com/golang-jwt/jwt/v5" -) - -func main() { - // Generate JWT with alg none - // token := jwt.New(jwt.SigningMethodNone) - // tokenString, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType) - - // Generate JWT with weak HMAC secret - token := jwt.New(jwt.SigningMethodHS256) - tokenString, err := token.SignedString([]byte("secret")) - - fmt.Println(tokenString, err) -}