JWT Token Bypass

app/lab/broken-authentication/jwt-token-bypass/DBconnect.php

@@ -0,0 +1,3 @@
+<?php
+$db = new PDO('sqlite:database.db');
+?>

app/lab/broken-authentication/jwt-token-bypass/auth_control.php

@@ -0,0 +1,18 @@
+<?php
+require_once('config.php');
+$jwt = (new JWT);
+
+if (isset($_COOKIE['auth_type'])){
+    //echo $_COOKIE['auth_type'];
+    if ($validate = $jwt->is_valid($_COOKIE['auth_type'])){
+        $jwt_username =  $jwt->get_username($_COOKIE['auth_type']);
+        $jwt_userid =  $jwt->get_userid($_COOKIE['auth_type']);
+    }else{
+        header("Location: login.php");
+        exit;
+    }
+}else{
+    header("Location: login.php");
+    exit;
+}
+?>

app/lab/broken-authentication/jwt-token-bypass/composer.json

@@ -0,0 +1,5 @@
+{
+    "require": {
+        "firebase/php-jwt": "^6.3"
+    }
+}

app/lab/broken-authentication/jwt-token-bypass/config.php

@@ -0,0 +1,123 @@
+<?php
+class JWT
+{
+    /**
+     * Headers for JWT.
+     *
+     * @var array
+     */
+    private $headers;
+
+    /**
+     * Secret for JWT.
+     *
+     * @var string
+     */
+    private $secret;
+
+    public function __construct()
+    {
+        $this->headers = [
+            'alg' => 'HS256', // we are using a SHA256 algorithm
+            'typ' => 'JWT', // JWT type
+            'iss' => 'test.jwt', // token issuer
+            'aud' => 'test.jwt' // token audience
+        ];
+        $this->secret = '1234';
+    }
+
+    /**
+     * Generate JWT using a payload.
+     *
+     * @param array $payload
+     * @return string
+     */
+    public function generate(array $payload): string
+    {
+        $headers = $this->encode(json_encode($this->headers)); // encode headers
+        $payload["exp"] = time() + 3600; // add expiration to payload
+        $payload = $this->encode(json_encode($payload)); // encode payload
+        $signature = hash_hmac('SHA256', "$headers.$payload", $this->secret, true); // create SHA256 signature
+        $signature = $this->encode($signature); // encode signature
+
+        return "$headers.$payload.$signature";
+    }
+
+    /**
+     * Encode JWT using base64.
+     *
+     * @param string $str
+     * @return string
+     */
+    private function encode(string $str): string
+    {
+        return rtrim(strtr(base64_encode($str), '+/', '-_'), '='); // base64 encode string
+    }
+
+    /**
+     * Check if JWT is valid, return true | false.
+     *
+     * @param string $jwt
+     * @return boolean
+     */
+    public function is_valid(string $jwt): bool
+    {
+        $token = explode('.', $jwt); // explode token based on JWT breaks
+        if (!isset($token[1]) && !isset($token[2])) {
+            return false; // fails if the header and payload is not set
+        }
+        $headers = base64_decode($token[0]); // decode header, create variable
+        $payload = base64_decode($token[1]); // decode payload, create variable
+        $clientSignature = $token[2]; // create variable for signature
+
+        if (!json_decode($payload)) {
+            return false; // fails if payload does not decode
+        }
+
+        if ((json_decode($payload)->exp - time()) < 0) {
+            return false; // fails if expiration is greater than 0, setup for 1 minute
+        }
+
+        if (isset(json_decode($payload)->iss)) {
+            if (json_decode($headers)->iss != json_decode($payload)->iss) {
+                return false; // fails if issuers are not the same
+            }
+        } else {
+            return false; // fails if issuer is not set 
+        }
+
+        if (isset(json_decode($payload)->aud)) {
+            if (json_decode($headers)->aud != json_decode($payload)->aud) {
+                return false; // fails if audiences are not the same
+            }
+        } else {
+            return false; // fails if audience is not set
+        }
+
+        $base64_header = $this->encode($headers);
+        $base64_payload = $this->encode($payload);
+
+        $signature = hash_hmac('SHA256', $base64_header . "." . $base64_payload, $this->secret, true);
+        $base64_signature = $this->encode($signature);
+
+        return ($base64_signature === $clientSignature);
+    }
+    public function get_username(string $jwt): string{
+        $token = explode('.', $jwt);
+        if (!isset($token[1]) && !isset($token[2])) {
+            return false;
+        }
+        $payload = json_decode(base64_decode($token[1]));
+        return $payload->username;
+
+    }
+    public function get_userid(string $jwt): string{
+        $token = explode('.', $jwt);
+        if (!isset($token[1]) && !isset($token[2])) {
+            return false;
+        }
+        $payload = json_decode(base64_decode($token[1]));
+        return $payload->id;
+
+    }
+}

app/lab/broken-authentication/jwt-token-bypass/en.ini

@@ -0,0 +1,9 @@
+title="JWT Token Bypass"
+username="Username:"
+password="Password:"
+submit="Submit"
+wrong="Wrong Password...!"
+login="Login Panel"
+look="You are logged in as"
+hint="Username:normal Pass:1234"
+error="Invalid JWT Token."

app/lab/broken-authentication/jwt-token-bypass/fr.ini

@@ -0,0 +1,9 @@
+title="Contournement du Jeton JWT"
+username = "Nom D'utilisateur:"
+password = "Mot de Passe:"
+submit="Envoyer"
+wrong="Mauvais mot de passe...!"
+login="Panneau de connexion"
+look="vous êtes connecté"
+hint="Nom D'utilisateur:normal Mot de Passe:1234"
+error="Jeton JWT non valide."

app/lab/broken-authentication/jwt-token-bypass/index.php

@@ -0,0 +1,65 @@
+<?php
+require("../../../lang/lang.php");
+$strings = tr();
+require_once("DBconnect.php"); 
+require_once('config.php'); 
+$jwt = (new JWT); 
+$q = array(); 
+$error = null;
+if (isset($_COOKIE['auth_type'])) { 
+    if ($validate = $jwt->is_valid($_COOKIE['auth_type'])) { 
+        $jwt->get_username($_COOKIE['auth_type']);
+    } else{
+        $error=TRUE;
+    }
+} else { 
+    header("Location: login.php"); 
+    exit; 
+}
+
+
+?>
+
+<!doctype html>
+<html lang="en">
+
+<head>
+    <!-- Required meta tags -->
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+    <!-- Bootstrap CSS -->
+    <link rel="stylesheet" type="text/css" href="./css/bootstrap.min.css">
+
+    <title><?= $strings["title"]; ?></title>
+</head>
+
+<body>
+    <div class="container d-flex justify-content-center">
+        <div class="shadow p-3 mb-5 rounded column" style="text-align: center; max-width: 1000px;margin-top:15vh;">
+            <h3><?= $strings["login"]; ?></h3>
+
+            <form action="#" method="POST" class="justify-content-center" style="text-align: center;margin-top: 20px;padding:30px;">
+                <div class="justify-content-center row mb-3">
+                        <?php 
+                        if(is_null($error)){
+                            echo $jwt->get_username($_COOKIE['auth_type']);
+
+                        ?>
+                    <div class="col-sm-10">
+                    <label for="inputUsername3" class=" text-center col-form-label"><?= $strings["look"]?></label>
+                    </div>
+                        <?php
+                            } else{
+                                echo $strings["error"];
+                            }
+                        ?>
+                </div>
+        </div>
+    </div>
+    <script id="VLBar" title="<?= $strings["title"]; ?>" category-id="10" src="/public/assets/js/vlnav.min.js"></script>
+
+
+</body>
+
+</html>