github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

Golang : Hardcoded secret used for signing JWT #557

Closed porcupineyhairs closed 2 years ago

porcupineyhairs commented 2 years ago

Query PR

https://github.com/github/codeql-go/pull/705

Language

GoLang

CVE(s) ID list

There are multiple detections with this query. I haven't alerted the maintainers yet but will do so soon. In the meantime, to meet the eligibility requirements, you may see CVE-2022-0664 found in gravitl/netmaker. An LGTM run of my query against a vulnerable version of this project can be found here.

CWE

CWE-321

Report

JWT tokens are used for authenticating and managing users throughout the application.

Since the secret which is used to sign these tokens is unique, it is assumed in most cases that the token can't be forged. However, when a project exposes this secret publicly, these supposedly unforgeable tokens can now be easily faked. Since authentication as well as access control is typically determined by the validity of the JWT token, an attacker can create a valid authentication token for any user and even gain access to other privileged parts of the application.

In this query, I, using global taint flow, detect all instances where a StringLiteral is used for signing the token.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
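To make the report's point concrete, the following is an added Go example (not code from the query, the PR, or any project named in this issue). It implements HS256 signing and verification with the standard library only, so no JWT framework is pulled in, and places the flagged pattern, a string literal used as the signing key, beside a version that reads the key from the environment and fails closed when it is absent. The literal `"super-secret-key"`, the variable name `JWT_SIGNING_KEY`, and the `Claims` shape are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Claims is a minimal constructed payload; real services carry exp, iss, etc.
type Claims struct {
	Sub   string `json:"sub"`
	Admin bool   `json:"admin"`
}

// signHS256 produces a compact JWS (header.payload.signature) using HMAC-SHA256.
func signHS256(claims Claims, key []byte) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return signingInput + "." + sig, nil
}

// verifyHS256 recomputes the MAC over header.payload and compares it in
// constant time; the claims are only decoded after the signature checks out.
func verifyHS256(token string, key []byte) (Claims, error) {
	var claims Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return claims, err
	}
	if !hmac.Equal(mac.Sum(nil), got) {
		return claims, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims, err
	}
	if err := json.Unmarshal(body, &claims); err != nil {
		return claims, err
	}
	return claims, nil
}

// signWithHardcodedSecret is the pattern the query flags (CWE-321): the key is
// a string literal that flows into the signing call, so it ships with the source.
func signWithHardcodedSecret(claims Claims) (string, error) {
	return signHS256(claims, []byte("super-secret-key")) // constructed placeholder literal
}

// signWithEnvSecret reads the key from the deployment environment (variable name
// is an assumption) and refuses to sign if it is unset or too short.
func signWithEnvSecret(claims Claims) (string, error) {
	key := os.Getenv("JWT_SIGNING_KEY")
	if len(key) < 32 {
		return "", errors.New("JWT_SIGNING_KEY unset or shorter than 32 bytes")
	}
	return signHS256(claims, []byte(key))
}

func main() {
	c := Claims{Sub: "alice"}
	bad, _ := signWithHardcodedSecret(c)
	fmt.Println("token signed with literal key:", bad)
	if good, err := signWithEnvSecret(c); err != nil {
		fmt.Println("env-keyed signing refused:", err)
	} else {
		fmt.Println("token signed with env key:", good)
	}
}
```

The verifier is the same for both signing paths; what differs is only where the key lives. A static query like the one in this submission tracks the literal into `signHS256`'s `key` argument, whereas the environment-sourced key has no literal source to report.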

pwntester commented 2 years ago

Hi @porcupineyhairs Thanks for the submission. While assessing the impact and the scope of the query, I had to assign a minimal scope rating. Would you like to submit it as is or extend the query to support other related JWT vulnerabilities and libraries? For reference, you can check what is supported in other languages.

porcupineyhairs commented 2 years ago

@pwntester I am not sure I follow. I have more than 20 detections across multiple projects. Most of them are high impact bugs, as leakage of the JWT signing secret almost always leads to an auth bypass. I can confirm these are all detected by my PR in its current form. I mentioned only one of them as it was the only publicly disclosed CVE I could find.

As for extending the scope, I can see one opportunity in adding another popular JWT framework with this PR apart from this, do you have anything specific in mind?

pwntester commented 2 years ago

> As for extending the scope, I can see one opportunity in adding another popular JWT framework with this PR apart from this, do you have anything specific in mind?

Not any one in particular.

porcupineyhairs commented 2 years ago

@pwntester I have added approximately 6 more frameworks and their forks to further expand the scope of my PR. I have also added a bunch of new sanitizers and attempted to filter out code which may be used for testing purposes.

ghsecuritylab commented 2 years ago

Your submission is now in status Test run.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 2 years ago

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 2 years ago

Your submission is now in status Query review.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

porcupineyhairs commented 2 years ago

I have created a new PR github/codeql#9378 since the codeql-go repo has now been merged with the codeql repo

ghsecuritylab commented 2 years ago

Your submission is now in status Final decision.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

porcupineyhairs commented 2 years ago

@pwntester A small note before the final decision is made. The query has been improved quite a bit since the last time you evaluated it. Over the last 3-4 days, I have added multiple sanitizers to reduce the number of FPs. Please don't forget to include their impact in the evaluation.

xcorail commented 2 years ago

Created Hackerone report 1595009 for bounty 396900 : [557] Golang : Hardcoded secret used for signing JWT

ghsecuritylab commented 2 years ago

Your submission is now in status Pay.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 2 years ago

Your submission is now in status Closed.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

porcupineyhairs commented 2 years ago

Thank you for the bounty!