add jwt

Author: JoyChou93

README.md

@@ -57,7 +57,7 @@ Sort by letter.
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-
+- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)
 
 
 ## Vulnerability Description
@@ -75,6 +75,7 @@ Sort by letter.
 - [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
+- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 ## How to run

README_zh.md

@@ -51,7 +51,7 @@ joychou/joychou123
 - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)
 - [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)
 - [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)
-
+- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)
 
 ## 漏洞说明
 
@@ -68,6 +68,7 @@ joychou/joychou123
 - [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)
 - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)
 - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)
+- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)  
 - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)
 
 

java-sec-code.iml

@@ -86,7 +86,6 @@
     <orderEntry type="library" name="Maven: org.apache.commons:commons-digester3:3.2" level="project" />
     <orderEntry type="library" name="Maven: cglib:cglib:2.2.2" level="project" />
     <orderEntry type="library" name="Maven: asm:asm:3.3.1" level="project" />
-    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.3" level="project" />
     <orderEntry type="library" name="Maven: org.jolokia:jolokia-core:1.6.0" level="project" />
     <orderEntry type="library" name="Maven: com.googlecode.json-simple:json-simple:1.1.1" level="project" />
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-actuator:1.5.1.RELEASE" level="project" />
@@ -219,5 +218,8 @@
     <orderEntry type="library" name="Maven: org.springframework:spring-test:4.3.6.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: junit:junit:4.12" level="project" />
     <orderEntry type="library" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
+    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.4" level="project" />
+    <orderEntry type="library" name="Maven: io.jsonwebtoken:jjwt:0.9.1" level="project" />
+    <orderEntry type="library" name="Maven: com.auth0:java-jwt:4.0.0" level="project" />
   </component>
 </module>

pom.xml

@@ -279,6 +279,27 @@
             <artifactId>junit</artifactId>
         </dependency>
 
+        <!-- add commons-beanutils gadget -->
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.4</version>
+        </dependency>
+
+        <!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+            <version>0.9.1</version>
+        </dependency>
+
+        <!-- https://github.com/auth0/java-jwt https://mvnrepository.com/artifact/com.auth0/java-jwt -->
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>4.0.0</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/Application.java

@@ -8,7 +8,6 @@
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
-
 @ServletComponentScan // do filter
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning

src/main/java/org/joychou/controller/Deserialize.java

@@ -57,6 +57,9 @@ public String rememberMeVul(HttpServletRequest request)
 
     /**
      * Check deserialize class using black list.
+     * Or
+     * Update commons-collections to 3.2.2 or above.
+     * Serialization support for org.apache.commons.collections.functors.InvokerTransformer is disabled for security reasons.To enable it set system property 'org.apache.commons.collections.enableUnsafeSerialization' to 'true',but you must ensure that your application does not de-serialize objects from untrusted sources.
      * <p>
      * http://localhost:8080/deserialize/rememberMe/security
      */

src/main/java/org/joychou/controller/Jwt.java

@@ -0,0 +1,62 @@
+package org.joychou.controller;
+
+import lombok.extern.slf4j.Slf4j;
+import org.joychou.util.CookieUtils;
+import org.joychou.util.JwtUtils;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ *
+ */
+@Slf4j
+@RestController
+@RequestMapping("/jwt")
+public class Jwt {
+
+    private static final String COOKIE_NAME = "USER_COOKIE";
+    /**
+     * http://localhost:8080/jwt/createToken
+     * Create jwt token and set token to cookies.
+     *
+     * @author JoyChou 2022-09-20
+     */
+    @GetMapping("/createToken")
+    public String createToken(HttpServletResponse response, HttpServletRequest request) {
+        String loginUser = request.getUserPrincipal().getName();
+        log.info("Current login user is " + loginUser);
+
+        CookieUtils.deleteCookie(response, COOKIE_NAME);
+        String token = JwtUtils.generateTokenByJavaJwt(loginUser);
+        Cookie cookie = new Cookie(COOKIE_NAME, token);
+
+        cookie.setMaxAge(86400);    // 1 DAY
+        cookie.setPath("/");
+        cookie.setSecure(true);
+        response.addCookie(cookie);
+        return "Add jwt token cookie successfully. Cookie name is USER_COOKIE";
+    }
+
+
+    /**
+     * http://localhost:8080/jwt/getName
+     * Get nickname from USER_COOKIE
+     *
+     * @author JoyChou 2022-09-20
+     * @param user_cookie cookie
+     * @return nickname
+     */
+    @GetMapping("/getName")
+    public String getNickname(@CookieValue(COOKIE_NAME) String user_cookie) {
+        String nickname = JwtUtils.getNicknameByJavaJwt(user_cookie);
+        return "Current jwt user is " + nickname;
+    }
+
+}

src/main/java/org/joychou/controller/SQLI.java

@@ -130,6 +130,50 @@ public String jdbc_sqli_sec(@RequestParam("username") String username) {
         return result.toString();
     }
 
+
+    /**
+     * http://localhost:8080/sqli/jdbc/ps/vuln?username=joychou' or 'a'='a
+     *
+     * Incorrect use of prepareStatement. prepareStatement must use ? as a placeholder.
+     */
+    @RequestMapping("/jdbc/ps/vuln")
+    public String jdbc_ps_vuln(@RequestParam("username") String username) {
+
+        StringBuilder result = new StringBuilder();
+        try {
+            Class.forName(driver);
+            Connection con = DriverManager.getConnection(url, user, password);
+
+            if (!con.isClosed())
+                System.out.println("Connecting to Database successfully.");
+
+            String sql = "select * from users where username = '" + username + "'";
+            PreparedStatement st = con.prepareStatement(sql);
+
+            logger.info(st.toString());
+            ResultSet rs = st.executeQuery();
+
+            while (rs.next()) {
+                String res_name = rs.getString("username");
+                String res_pwd = rs.getString("password");
+                String info = String.format("%s: %s\n", res_name, res_pwd);
+                result.append(info);
+                logger.info(info);
+            }
+
+            rs.close();
+            con.close();
+
+        } catch (ClassNotFoundException e) {
+            logger.error("Sorry, can`t find the Driver!");
+            e.printStackTrace();
+        } catch (SQLException e) {
+            logger.error(e.toString());
+        }
+        return result.toString();
+    }
+
+
     /**
      * vuln code
      * http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1

src/main/java/org/joychou/controller/SSRF.java

@@ -76,6 +76,11 @@ public String httpURLConnection(@RequestParam String url) {
     }
 
 
+    @GetMapping("/HttpURLConnection/vuln")
+    public String httpURLConnectionVuln(@RequestParam String url) {
+        return HttpUtils.HttpURLConnection(url);
+    }
+
     /**
      * The default setting of followRedirects is true.
      * UserAgent is <code>Apache-HttpClient/4.5.12 (Java/1.8.0_102)</code>.

src/main/java/org/joychou/util/CookieUtils.java

@@ -0,0 +1,24 @@
+package org.joychou.util;
+
+import lombok.extern.slf4j.Slf4j;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
+
+@Slf4j
+public class CookieUtils {
+
+    public static boolean deleteCookie(HttpServletResponse res, String cookieName) {
+        try {
+            Cookie cookie = new Cookie(cookieName, null);
+            cookie.setMaxAge(0);
+            cookie.setPath("/");
+            res.addCookie(cookie);
+            return true;
+        } catch (Exception e) {
+            log.error(e.toString());
+            return false;
+        }
+    }
+}