Broken Authentication - Demo

Author: AndriiPiatakha

online-store.web/pom.xml

@@ -1,81 +1,105 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 
-	<parent>
-		<groupId>com.itbulls.learnit</groupId>
-		<artifactId>online-store</artifactId>
-		<version>${project.version}</version>
-	</parent>
-	<modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>com.itbulls.learnit</groupId>
+        <artifactId>online-store</artifactId>
+        <version>${project.version}</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
 
-	<groupId>com.itbulls.learnit</groupId>
-	<artifactId>online-store.web</artifactId>
-	<version>${project.version}</version>
-	<packaging>war</packaging>
+    <groupId>com.itbulls.learnit</groupId>
+    <artifactId>online-store.web</artifactId>
+    <version>${project.version}</version>
+    <packaging>war</packaging>
 
 
-	<dependencies>
-		<dependency>
-			<groupId>jakarta.servlet</groupId>
-			<artifactId>jakarta.servlet-api</artifactId>
-			<version>5.0.0</version>
-			<scope>provided</scope>
-		</dependency>
+    <dependencies>
+        <dependency>
+            <groupId>jakarta.servlet</groupId>
+            <artifactId>jakarta.servlet-api</artifactId>
+            <version>5.0.0</version>
+            <scope>provided</scope>
+        </dependency>
 
-		<dependency>
-			<groupId>org.glassfish.web</groupId>
-			<artifactId>jakarta.servlet.jsp.jstl</artifactId>
-			<version>2.0.0</version>
-		</dependency>
+        <dependency>
+            <groupId>org.glassfish.web</groupId>
+            <artifactId>jakarta.servlet.jsp.jstl</artifactId>
+            <version>2.0.0</version>
+        </dependency>
 
-		<dependency>
-			<groupId>com.learnit.itbulls</groupId>
-			<artifactId>online-store.core</artifactId>
-			<version>${project.version}</version>
-		</dependency>
+        <dependency>
+            <groupId>com.learnit.itbulls</groupId>
+            <artifactId>online-store.core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
 
-		<dependency>
-			<groupId>org.apache.tomcat</groupId>
-			<artifactId>tomcat-jsp-api</artifactId>
-			<version>10.0.0-M10</version>
-			<scope>provided</scope>
-		</dependency>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-jsp-api</artifactId>
+            <version>10.0.0-M10</version>
+            <scope>provided</scope>
+        </dependency>
 
-		<dependency>
-			<groupId>jakarta.annotation</groupId>
-			<artifactId>jakarta.annotation-api</artifactId>
-			<version>2.1.0</version>
-		</dependency>
+        <dependency>
+            <groupId>jakarta.annotation</groupId>
+            <artifactId>jakarta.annotation-api</artifactId>
+            <version>2.1.0</version>
+        </dependency>
 
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.12.6</version>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.12.6</version>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.12.6</version>
+        </dependency>
 
-	</dependencies>
+        <dependency>
+            <groupId>com.google.code.gson</groupId>
+            <artifactId>gson</artifactId>
+            <version>2.11.0</version>
+        </dependency>
 
-	<build>
-		<resources>
-			<resource>
-				<directory>src/main/webapp</directory>
-				<excludes>
-					<exclude>**/*.java</exclude>
-				</excludes>
-			</resource>
-			<resource>
-				<directory>src/main/resources</directory>
-				<excludes>
-					<exclude>**/*.java</exclude>
-				</excludes>
-			</resource>
-		</resources>
-		<plugins>
-			<plugin>
-				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.8.1</version>
-				<configuration>
-					<release>15</release>
-				</configuration>
-			</plugin>
-			<plugin>
-				<artifactId>maven-war-plugin</artifactId>
-				<version>3.2.3</version>
-			</plugin>
-		</plugins>
-	</build>
+
+    </dependencies>
+
+    <build>
+        <resources>
+            <resource>
+                <directory>src/main/webapp</directory>
+                <excludes>
+                    <exclude>**/*.java</exclude>
+                </excludes>
+            </resource>
+            <resource>
+                <directory>src/main/resources</directory>
+                <excludes>
+                    <exclude>**/*.java</exclude>
+                </excludes>
+            </resource>
+        </resources>
+        <plugins>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.1</version>
+                <configuration>
+                    <release>15</release>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-war-plugin</artifactId>
+                <version>3.2.3</version>
+            </plugin>
+        </plugins>
+    </build>
 </project>

online-store.web/src/main/java/com/itbulls/learnit/onlinestore/web/owasp/ba/problem/InsecureAuthenticationServlet.java

@@ -0,0 +1,41 @@
+package com.itbulls.learnit.onlinestore.web.owasp.ba.problem;
+
+import java.io.IOException;
+
+import com.itbulls.learnit.onlinestore.core.facades.UserFacade;
+import com.itbulls.learnit.onlinestore.core.facades.impl.DefaultUserFacade;
+import com.itbulls.learnit.onlinestore.persistence.enteties.User;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@WebServlet("/insecure-auth-servlet")
+public class InsecureAuthenticationServlet extends HttpServlet {
+
+	private UserFacade userFacade = DefaultUserFacade.getInstance();
+	
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        String email = req.getParameter("email");
+        String password = req.getParameter("password");
+        
+		User user = userFacade.getUserByEmail(email);
+
+        if (user != null && user.getPassword().equals(password)) {
+            String token = generateWeakToken(email);
+            resp.setContentType("application/json");
+            resp.getWriter().write("{\"token\": \"" + token + "\"}");
+            resp.setStatus(HttpServletResponse.SC_OK);
+        } else {
+            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        }
+    }
+
+    private String generateWeakToken(String email) {
+        // Weak token generation using email only, no expiration policy, easy to guess
+        return "token_" + email;
+    }
+}

online-store.web/src/main/java/com/itbulls/learnit/onlinestore/web/owasp/ba/problem/InsecureGetUserDataServlet.java

@@ -0,0 +1,50 @@
+package com.itbulls.learnit.onlinestore.web.owasp.ba.problem;
+
+import java.io.IOException;
+
+import com.google.gson.Gson;
+import com.itbulls.learnit.onlinestore.core.facades.UserFacade;
+import com.itbulls.learnit.onlinestore.core.facades.impl.DefaultUserFacade;
+import com.itbulls.learnit.onlinestore.persistence.enteties.User;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@WebServlet("/insecure-get-user-data")
+public class InsecureGetUserDataServlet extends HttpServlet {
+
+	private UserFacade userFacade = DefaultUserFacade.getInstance();
+	private final Gson gson = new Gson();
+	
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        String authHeader = req.getHeader("Authorization");
+
+        if (authHeader != null && authHeader.startsWith("Bearer ")) {
+            String token = authHeader.substring(7);
+            String email = validateWeakToken(token);
+            if (email != null) {
+                User userData = userFacade.getUserByEmail(email);
+                resp.setContentType("application/json");
+                resp.getWriter().write("{\"data\": \"" + gson.toJson(userData) + "\"}");
+                resp.setStatus(HttpServletResponse.SC_OK);
+            } else {
+                resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            }
+        } else {
+            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        }
+    }
+
+    private String validateWeakToken(String token) {
+        // Improper token validation, just extracts the email without verifying integrity
+        if (token.startsWith("token_")) {
+            return token.substring(6);
+        }
+        return null;
+    }
+
+}

online-store.web/src/main/java/com/itbulls/learnit/onlinestore/web/owasp/ba/solution/GetUserDataServlet.java

@@ -0,0 +1,46 @@
+package com.itbulls.learnit.onlinestore.web.owasp.ba.solution;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import com.itbulls.learnit.onlinestore.core.facades.impl.DefaultUserFacade;
+import com.itbulls.learnit.onlinestore.core.facades.UserFacade;
+import com.itbulls.learnit.onlinestore.persistence.enteties.User;
+import com.google.gson.Gson;
+
+@WebServlet("/protected-endpoint-get-user-data")
+public class GetUserDataServlet extends HttpServlet {
+
+	private UserFacade userFacade = DefaultUserFacade.getInstance();
+	private final Gson gson = new Gson();
+	
+	@Override
+	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+		String authHeader = req.getHeader("Authorization");
+
+		if (authHeader != null && authHeader.startsWith("Bearer ")) {
+			String token = authHeader.substring(7);
+			if (JwtUtils.isTokenValid(token)) {
+				try {
+					String userEmail = JwtUtils.parseToken(token).getPayload().getSubject();
+					System.out.println("User Email: " + userEmail);
+					User userData = userFacade.getUserByEmail(userEmail);
+					resp.setContentType("application/json");
+					resp.getWriter().write("{\"data\": \"" + gson.toJson(userData) + "\"}");
+					resp.setStatus(HttpServletResponse.SC_OK);
+				} catch (Exception e) {
+					e.printStackTrace();
+				}
+
+			} else {
+				resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+			}
+		} else {
+			resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+		}
+	}
+}

online-store.web/src/main/java/com/itbulls/learnit/onlinestore/web/owasp/ba/solution/JwtUtils.java

@@ -0,0 +1,62 @@
+package com.itbulls.learnit.onlinestore.web.owasp.ba.solution;
+
+import java.util.Base64;
+import java.util.Date;
+
+import javax.crypto.SecretKey;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
+
+public class JwtUtils {
+
+	// TODO - NEVER STORE SECRET KEYS IN THE SOURCE CODE! Use Secrets Key Vaults
+	// The secret key as a Base64-encoded string representation
+	private static final String SECRET_KEY_STRING = "b2g82k9ZmBrfY8fd/72Q6nMsdzH8fWgYyPw7TtD5FzI="; // Replace with your actual secure secret key
+
+	// TODO - NEVER STORE SECRET KEYS IN THE SOURCE CODE! Use Secrets Key Vaults
+	// Create a SecretKey instance for signing and verification
+	private static final SecretKey SECRET_KEY = Keys.hmacShaKeyFor(Base64.getDecoder().decode(SECRET_KEY_STRING));
+
+	/**
+	 * Generates a JWT token for the given user email.
+	 *
+	 * @param user email the email to include in the token.
+	 * @return the generated JWT token as a string.
+	 */
+	public static String generateToken(String userEmail) {
+
+		return Jwts.builder().subject(userEmail).issuedAt(new Date())
+				.expiration(new Date(System.currentTimeMillis() + 864_000_000)) // 10 days
+				.signWith(SECRET_KEY) // Sign the token with the SecretKeySpec
+				.compact();
+	}
+
+
+	/**
+	 * Validates the JWT token.
+	 *
+	 * @param token the JWT token to validate.
+	 * @return true if the token is valid, false otherwise.
+	 */
+	public static boolean isTokenValid(String token) {
+		JwtParser jwtParser = Jwts.parser().verifyWith(SECRET_KEY).build();
+		try {
+			jwtParser.parse(token);
+			return true;
+		} catch (Exception e) {
+			System.err.println("Could not verify JWT token integrity! Exception: " + e.getMessage());
+			return false;
+		}
+		
+	}
+
+
+	public static Jws<Claims> parseToken(String token) {
+		JwtParser jwtParser = Jwts.parser().verifyWith(SECRET_KEY).build();
+		return jwtParser.parseSignedClaims(token);
+	}
+}