JWT Fuzzer

[preetkaran20]

This is the part 2 of the JWT Addon where Fuzzer Capabilities are added for Fuzzing JWT token.

[preetkaran20]

This also adds JWT view to Http Fuzzer. Not sure if there is any way to handle this. Need to look back.
If we don't handle this then in Http Fuzzer it will look similar to JWT Fuzzer but working differs a lot wherein JWT fuzzer does many other things like Signing the token and chaning a field inside the token but http fuzzer just replaces the entire token @kingthorin @thc202 please suggest.

[thc202]

This is a good point, will check.

[preetkaran20]

This might not be an issue as same menu item is now used for HttpFuzzer and JWT fuzzer

[preetkaran20]

Added PR to reduce JWTFuzzerHandler code that is copied from HttpFuzzer.
zaproxy/zap-extensions#2421

[preetkaran20]

Hi @kingthorin and @thc202 ,

Following is the view of fuzzer:

I was in impression that in case of multiple message location each one message location replacer only modifies one http message at a time i.e. say if 2 message locations with one one value is there then 2 http messages will be generated and hence I introduced a field for specifying signature operation which is no signature, generate new signature and use old signature only. But as this is not the case hence this UI becomes invalid so i need to have this field applicable for all the message locations and hence it cannot be represent in message location so i was thinking of adding this field either in Options panel or in fuzzer policy. please suggest.

thanks,
Karan

[preetkaran20]

Hi @kingthorin and @thc202 ,

As i have already mentioned that Http view now contains the JWT view and it looks like this:

I am not sure if it is ok or we want to remove it and how can we remove it.

thanks,
Karan

[preetkaran20]

Seems fine to me. Still seems to be plenty if comments to yourself that are un-resolved though. Not sure how important those are/were.

i think they are outdated. However i will look at them once again for confirmation.

[preetkaran20]

Seems fine to me. Still seems to be plenty if comments to yourself that are un-resolved though. Not sure how important those are/were.

Yes i checked and they are outdated. One was regarding testing RSA, I have checked again and it is working fine.
Just waiting for @thc202 's review comments, so shall i merge these changes and track them as bugs (if it takes time) or shall i wait for some more days ? @kingthorin what is your suggestion ?

[thc202]

The Fuzzer add-on now allows to add views to just the the Fuzzer dialogue, through ExtensionFuzz#getClientMessagePanelManager and #getServerMessagePanelManager().

[preetkaran20]

@thc202, I am not sure which one to use also i tried using clientMessagePanelManager and i am getting null pointer. I am not sure why. I am thinking that clientMessagePanelManager gets initialized in initview and hence may be that is causing issue.

[thc202]

It would be the "client" which in HTTP maps to "request". That's right, that would have to be done later in the hook method (if there's view), by then the view of the fuzz extension is already initialised.

[thc202]

This should not be needed? (Core already catches exceptions that happen when hooking the extensions.)

[preetkaran20]

Sure.

[thc202]

For correctness the views need to be removed as well.

[preetkaran20]

the views created by the factory ?

[thc202]

Yes.

[thc202]

It would be better if the errors were more descriptive, the users will reporting issues with this message. I'd also suggest using a lower level (e.g. warn) if this is expected to happen. Error level should be used just for potential bugs/issues in the code.

[thc202]

Some comments to build.gradle.kts:

-addOnName.set("JWT Extension")
+addOnName.set("JWT Support") // Or something like that, add-ons are more than just extensions (e.g. this provides scan rules as well).

-implementation("org.zaproxy.addon:fuzz:13.0.0")
+compileOnly("org.zaproxy.addon:fuzz:13.0.0") // Might need testImplementation if you plan to add tests.

The dependencies block needs to have:

register("fuzz") {
    version.set("13.*")
}

[thc202]

Needs to be removed on #unload().

[thc202]

Same here.

[thc202]

The changelog could be updated to mention the new functionality.

[thc202]

Another comment for build.gradle.kts, under manifest it could have repo.set("https://github.com/SasanLabs/owasp-zap-jwt-addon/"), that's shown in the marketplace (site and ZAP).

[preetkaran20]

Some comments to build.gradle.kts:

-addOnName.set("JWT Extension")
+addOnName.set("JWT Support") // Or something like that, add-ons are more than just extensions (e.g. this provides scan rules as well).

-implementation("org.zaproxy.addon:fuzz:13.0.0")
+compileOnly("org.zaproxy.addon:fuzz:13.0.0") // Might need testImplementation if you plan to add tests.

The dependencies block needs to have:

register("fuzz") {
    version.set("13.*")
}

what does register doing here ? i didn't got the use ? can you please explain.

[thc202]

Sorry, that was not clear, that's for the dependencies under the manifest, to declare that the JWT add-on depends on the Fuzzer add-on (and that range version). Like was done for the Common Library.

[thc202]

The add-on is not filling the "changes" entry of the manifest, since the add-on has a changelog you can add:

changesFile.set(tasks.named<ConvertMarkdownToHtml>("generateManifestChanges").flatMap { it.html })

to the manifest in build.gradle.kts. That's shown to the user to inform about the changes of the version installed or available in the marketplace.

[preetkaran20]

@thc202 while installing and working on new fuzz version i am facing null pointers while saving options panel:

[kingthorin]

The work around is referenced here: zaproxy/zaproxy#6136

[preetkaran20]

Hi @thc202 ,

I have incorporated changes suggested. Please review.

thanks,
Karan

[thc202]

This is a bit misleading, there's no first version (released) yet. Maybe call it iteration? Or just add all under first version?

[preetkaran20]

done

[thc202]

These (and the options panel) should be added only if there's view (there's a hasView() method), to avoid creating unnecessary view components in daemon and command line modes. Same check would apply in unload.

[preetkaran20]

done.

[preetkaran20]

@thc202 done with the changes.

[preetkaran20]

Hi @thc202 @kingthorin ,

please review zaproxy/zaproxy-website#101 also.

thanks,
Karan

[thc202]

Looks good, thank you (especially for the patience)!

[preetkaran20]

Merging it now. Thanks @thc202 and @kingthorin

[preetkaran20]

@thc202 @kingthorin what next needs to be done for releasing this Project.

[thc202]

I think the following steps:

1. Update the changelog to reflect the new version, e.g.:

-## Unreleased
+## [1.0.0] - 2020-08-03
 
 - First version of JWT Support.
   - Contains scanning rules for basic JWT related vulnerabilities.
   - Contains JWT Fuzzer for fuzzing the JWT's present in the request.
+
+[1.0.0]: https://github.com/SasanLabs/owasp-zap-jwt-addon/releases/tag/v1.0.0

2. Tag (above example using v1.0.0) and push.
3. Build the add-on (with Java 8) and create a new release from the tag.

Once that's done we can release to the marketplace.

[preetkaran20]

Hi @thc202 @kingthorin

i have added the release https://github.com/SasanLabs/owasp-zap-jwt-addon/releases/tag/v1.0.0

thanks,
Karan

[kingthorin]

It doesn't seem to have the actual add-on (*.zap) attached?

[thc202]

Sorry for the typo in the date.

[preetkaran20]

Added the ".zap" file too.

[thc202]

The jar can be removed, that will not work in ZAP.