# II. Set up local debug environment (CVE-2023-48223)

This document records the steps to set up a local environment for running and debugging the CVE-2023-48223 demo (fast-jwt algorithm confusion) on Windows.

## 1. Scope and system requirements

- CVE demo: CVE-2023-48223
- Runtime: Node.js 18+ (LTS recommended)
- Package manager: npm
- OpenSSL: available on the terminal's PATH
- OS: Windows

Quick check:

```powershell
node -v
npm -v
openssl version
```

## 2. Install the project dependencies

Change into the project root and install the packages:

```powershell
npm install
```

## 3. Generate an RSA key pair for the PoC

The project needs two key files:

- `keys/private.pem`
- `keys/public.pem`

PowerShell commands:

```powershell
New-Item -ItemType Directory -Path keys -Force | Out-Null
openssl genrsa -out keys/private.pem 2048
openssl rsa -in keys/private.pem -RSAPublicKey_out -out keys/public.pem
```

If OpenSSL reports that the command is not recognized, install OpenSSL, add it to PATH, and then open a new terminal.

## 4. Run the vulnerable server

```powershell
node server.js
```

Expected output:

```text
Server running at http://localhost:3000
```

## 5. Run the PoC exploit flow

### Step 1: Obtain a normal token

```powershell
curl http://localhost:3000/generateToken
```

### Step 2: Forge an admin token

```powershell
node sign.js
```

Copy the JWT printed in the terminal.

### Step 3: Call the admin endpoint with the forged token

```powershell
node checkAdmin.js
```

If the attack succeeds, the response contains `Welcome Admin!`.

## 6. Configure debugging in VS Code

Create `.vscode/launch.json` with two profiles: launch directly, and attach through the inspector on port 9229.

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Debug CVE-2023-48223 Server",
      "program": "${workspaceFolder}/server.js",
      "cwd": "${workspaceFolder}",
      "console": "integratedTerminal",
      "skipFiles": ["<node_internals>/**"]
    },
    {
      "type": "node",
      "request": "attach",
      "name": "Attach Node Inspector (9229)",
      "port": 9229,
      "restart": true,
      "skipFiles": ["<node_internals>/**"]
    }
  ]
}
```

## 7. Debug in attach mode

Run the app with the inspector enabled:

```powershell
node --inspect=9229 server.js
```

In VS Code:

1. Open Run and Debug.
2. Select `Attach Node Inspector (9229)`.
3. Set a breakpoint in the token verification path (in `server.js`).
4. Re-run the exploit flow so the breakpoint is hit.

## 8. What to observe while debugging

At the token verification site in `server.js`, confirm that the verifier looks like this:

```js
const verifySync = createVerifier({
  key: publicKey,
});
```

The verifier does not pin `algorithms`, so it is open to algorithm confusion: an attacker can use the public key as the HMAC secret, sign an HS256 token, and have the verifier accept it.

## 9. Patch to fix the vulnerability

Update the verifier so it accepts RS256 only:

```js
const verifySync = createVerifier({
  key: publicKey,
  algorithms: ["RS256"],
});
```

After patching, run the exploit flow again. Expected result: the forged token no longer verifies.

---

## Quick troubleshooting

- `openssl is not recognized`: install OpenSSL, add it to PATH, open a new terminal.
- Missing key files: check that the names are exactly `keys/private.pem` and `keys/public.pem`.
- Port 3000/9229 already in use: change the port or stop the process holding it.
- Breakpoint not hit: make sure you attached with the correct profile and the server is running in `--inspect` mode.

## Safety note

This content is for lab environments and security learning only; do not use it on production systems or without authorization.