JWT Fuzzer #6
```java
ExtensionScript extensionScript =
        Control.getSingleton().getExtensionLoader().getExtension(ExtensionScript.class);
HttpPanelManager panelManager = HttpPanelManager.getInstance();
panelManager.addRequestViewFactory(
```
This also adds the JWT view to the Http Fuzzer. Not sure if there is any way to handle this. Need to look back.
If we don't handle this, then in the Http Fuzzer it will look similar to the JWT Fuzzer, but the working differs a lot: the JWT fuzzer does many other things like signing the token and changing a field inside the token, but the Http fuzzer just replaces the entire token. @kingthorin @thc202 please suggest.
This is a good point, will check.
This might not be an issue, as the same menu item is now used for the HttpFuzzer and the JWT fuzzer.
Added PR to reduce JWTFuzzerHandler code that is copied from HttpFuzzer.
Hi @kingthorin and @thc202, following is the view of the fuzzer: thanks,
Hi @kingthorin and @thc202, as I have already mentioned, the Http view now contains the JWT view and it looks like this: I am not sure if it is ok or whether we want to remove it, and how we can remove it. thanks,
I think they are outdated. However, I will look at them once again for confirmation.
Yes, I checked and they are outdated. One was regarding testing RSA; I have checked again and it is working fine.
```java
public void initView(ViewDelegate view) {
    super.initView(view);

    HttpPanelManager panelManager = HttpPanelManager.getInstance();
```
The Fuzzer add-on now allows adding views to just the Fuzzer dialogue, through ExtensionFuzz#getClientMessagePanelManager() and #getServerMessagePanelManager().
@thc202, I am not sure which one to use. Also, I tried using clientMessagePanelManager and I am getting a null pointer. I am not sure why. I am thinking that clientMessagePanelManager gets initialized in initView and hence maybe that is causing the issue.
It would be the "client" which in HTTP maps to "request". That's right, that would have to be done later in the hook method (if there's view), by then the view of the fuzz extension is already initialised.
```java
try {
    extensionHook.addOptionsParamSet(getJWTConfiguration());
    extensionHook.getHookView().addOptionPanel(new JWTOptionsPanel());
    ExtensionFuzz extensionFuzz =
            Control.getSingleton().getExtensionLoader().getExtension(ExtensionFuzz.class);
    extensionFuzz.addFuzzerHandler(httpFuzzerHandler);
    LOGGER.debug("JWT Extension loaded successfully");
} catch (Exception e) {
    LOGGER.error("JWT Extension can't be loaded. Configuration not found or invalid", e);
```
This should not be needed? (Core already catches exceptions that happen when hooking the extensions.)
Sure.
```java
@Override
public void unload() {
    super.unload();
    HttpPanelManager panelManager = HttpPanelManager.getInstance();
```
For correctness the views need to be removed as well.
The views created by the factory?
Yes.
```java
    jwtComponentJsonKeysComboBox.setSelectedIndex(0);
    jwtComponentType.addActionListener(getJWTComponentTypeActionListener(jwtHolder));
} catch (Exception e) {
    LOGGER.error("Error Occurred: ", e);
```
It would be better if the errors were more descriptive; the users will be reporting issues with this message. I'd also suggest using a lower level (e.g. warn) if this is expected to happen. Error level should be used just for potential bugs/issues in the code.
Some comments to -addOnName.set("JWT Extension")
+addOnName.set("JWT Support") // Or something like that, add-ons are more than just extensions (e.g. this provides scan rules as well).
-implementation("org.zaproxy.addon:fuzz:13.0.0")
+compileOnly("org.zaproxy.addon:fuzz:13.0.0") // Might need testImplementation if you plan to add tests. The register("fuzz") {
version.set("13.*")
} |
```java
JWTI18n.init();
jwtMessageLocationReplacerFactory = new JWTMessageLocationReplacerFactory();
MessageLocationReplacers.getInstance()
        .addReplacer(HttpMessage.class, jwtMessageLocationReplacerFactory);
```
Needs to be removed on #unload().
```java
try {
    extensionHook.addOptionsParamSet(getJWTConfiguration());
    extensionHook.getHookView().addOptionPanel(new JWTOptionsPanel());
    ExtensionFuzz extensionFuzz =
            Control.getSingleton().getExtensionLoader().getExtension(ExtensionFuzz.class);
    extensionFuzz.addFuzzerHandler(httpFuzzerHandler);
```
Same here.
The changelog could be updated to mention the new functionality.
Another comment for
What is register doing here? I didn't get the use. Can you please explain.
Sorry, that was not clear, that's for the
The add-on is not filling the "changes" entry of the manifest; since the add-on has a changelog you can add: changesFile.set(tasks.named<ConvertMarkdownToHtml>("generateManifestChanges").flatMap { it.html }) to the
@thc202 while installing and working on the new fuzz version I am facing null pointers while saving the options panel:
The workaround is referenced here: zaproxy/zaproxy#6136
Hi @thc202, I have incorporated the changes suggested. Please review. thanks,
CHANGELOG.md
@@ -4,6 +4,7 @@ All notable changes to this add-on will be documented in this file. | |||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). | |||
|
|||
## Unreleased | |||
|
|||
- First version of JWT Extension. | |||
- Second version of JWT Support. |
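Review bot: the added `- Second version of JWT Support.` line sits under `## Unreleased` directly below `- First version of JWT Extension.`, so the changelog now lists two versions when nothing has been released, and the two lines name the add-on differently ("JWT Extension" vs "JWT Support"). Collapse both into a single unreleased entry with one name and say what this PR actually adds, along the lines of `- First version of JWT Support.` followed by `- Contains JWT Fuzzer for fuzzing the JWT's present in the request.`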
This is a bit misleading, there's no first version (released) yet. Maybe call it iteration? Or just add all under first version?
Done.
```java
                .getExtensionLoader()
                .getExtension(ExtensionFuzz.class)
                .getClientMessagePanelManager();
panelManager.addViewFactory(RequestAllComponent.NAME, new JWTFuzzPanelViewFactory(null));
```
These (and the options panel) should be added only if there's a view (there's a hasView() method), to avoid creating unnecessary view components in daemon and command line modes. The same check would apply in unload().
Done.
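The three review points above (register the fuzzer view through the Fuzz add-on's client panel manager in hook() rather than initView(), guard GUI registration with hasView(), and undo every registration, replacer included, in unload()) fit into one extension lifecycle. The skeleton below is an added illustration written for this page; it is not code from this PR, from the SasanLabs add-on, or from ZAP. It assumes the PR's own classes (ExtensionFuzz, JWTFuzzPanelViewFactory, JWTMessageLocationReplacerFactory, RequestAllComponent) are on the classpath, assumes the import paths shown, and assumes that the panel manager and MessageLocationReplacers expose removal counterparts (removeViewFactory, removeViews, removeReplacer) to the add methods quoted on the page; those three names and the JWTFuzzPanelView.NAME constant are assumptions, not verified ZAP signatures.

```java
// Added lifecycle illustration, not code from the PR or from ZAP. The class and
// method names marked "assumed" are assumptions made for this example.
package org.zaproxy.zap.extension.jwt.fuzzer; // hypothetical package, mirrors the PR layout

import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.extension.ExtensionAdaptor;
import org.parosproxy.paros.extension.ExtensionHook;
import org.parosproxy.paros.network.HttpMessage;
import org.zaproxy.zap.extension.fuzz.ExtensionFuzz; // assumed import path
import org.zaproxy.zap.extension.fuzz.messagelocations.MessageLocationReplacers; // assumed import path
import org.zaproxy.zap.extension.httppanel.component.all.request.RequestAllComponent; // assumed import path

public class ExtensionJwtFuzzerLifecycle extends ExtensionAdaptor {

    private static final String NAME = "ExtensionJwtFuzzerLifecycle";

    private JWTMessageLocationReplacerFactory replacerFactory;
    private boolean viewRegistered;

    public ExtensionJwtFuzzerLifecycle() {
        super(NAME);
    }

    @Override
    public void hook(ExtensionHook extensionHook) {
        super.hook(extensionHook);

        // Headless-safe part: the replacer does not touch Swing, so it is registered
        // unconditionally (daemon and command-line modes included).
        replacerFactory = new JWTMessageLocationReplacerFactory();
        MessageLocationReplacers.getInstance().addReplacer(HttpMessage.class, replacerFactory);

        // GUI part: only when ZAP has a view. hook() runs after the Fuzz add-on's own
        // view is initialised, which is why this cannot live in initView() (the
        // reviewers' explanation for the null pointer seen there).
        if (hasView()) {
            extensionFuzz()
                    .getClientMessagePanelManager()
                    .addViewFactory(RequestAllComponent.NAME, new JWTFuzzPanelViewFactory(null));
            viewRegistered = true;
        }
    }

    @Override
    public boolean canUnload() {
        return true;
    }

    @Override
    public void unload() {
        super.unload();

        // Mirror hook(): drop the replacer ...
        if (replacerFactory != null) {
            MessageLocationReplacers.getInstance()
                    .removeReplacer(HttpMessage.class, replacerFactory); // assumed API
            replacerFactory = null;
        }

        // ... and, under the same hasView() guard recorded in viewRegistered, remove
        // both the factory and the views it already created, so nothing from this
        // add-on lingers in the Fuzzer dialogue after uninstall.
        if (viewRegistered) {
            extensionFuzz()
                    .getClientMessagePanelManager()
                    .removeViewFactory(RequestAllComponent.NAME, JWTFuzzPanelViewFactory.NAME); // assumed API
            extensionFuzz()
                    .getClientMessagePanelManager()
                    .removeViews(RequestAllComponent.NAME, JWTFuzzPanelView.NAME); // assumed API
            viewRegistered = false;
        }
    }

    private static ExtensionFuzz extensionFuzz() {
        return Control.getSingleton().getExtensionLoader().getExtension(ExtensionFuzz.class);
    }
}
```

The `viewRegistered` flag records the outcome of the hasView() check at hook time so that unload() removes exactly what was added, rather than re-evaluating the condition and risking a mismatch; the replacer is kept outside the guard because it is needed in daemon mode too.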
@thc202 done with the changes.
Hi @thc202 @kingthorin, please review zaproxy/zaproxy-website#101 also. thanks,
Looks good, thank you (especially for the patience)!
Merging it now. Thanks @thc202 and @kingthorin
@thc202 @kingthorin what needs to be done next for releasing this project?
I think the following steps:
-## Unreleased
+## [1.0.0] - 2020-08-03
- First version of JWT Support.
- Contains scanning rules for basic JWT related vulnerabilities.
- Contains JWT Fuzzer for fuzzing the JWT's present in the request.
+
+[1.0.0]: https://github.com/SasanLabs/owasp-zap-jwt-addon/releases/tag/v1.0.0
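Review bot: the `-## Unreleased` / `+## [1.0.0] - 2020-08-03` change removes the Unreleased section entirely instead of inserting the release heading beneath it, so the next change to the add-on has nowhere to go until someone re-adds `## Unreleased`; keep an empty Unreleased section above `## [1.0.0]`. The new `[1.0.0]: https://github.com/SasanLabs/owasp-zap-jwt-addon/releases/tag/v1.0.0` reference also assumes the `v1.0.0` tag and release exist with the add-on attached, so the tag should be created before this changelog is published.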
Once that's done we can release to the marketplace.
I have added the release https://github.com/SasanLabs/owasp-zap-jwt-addon/releases/tag/v1.0.0 thanks,
It doesn't seem to have the actual add-on (*.zap) attached?
Sorry for the typo in the date.
Added the ".zap" file too.
The |
This is part 2 of the JWT add-on, where fuzzer capabilities are added for fuzzing JWT tokens.