JWT alg=none vulnerability #364
Comments
|
This one is great. @ViktorLindstrm showed this |
|
I guess the simplest implementation would be if if the alg field contains "None" then just manually disable checking the signature :) Alternatively, we see if there is a vulnerable version of jsonwebtoken. It is not clear from the docs however if this library was ever vulnerable to this specific issue though... |
|
Retires.js says the lib I use was vulnerable before 4.2.2: https://nodesecurity.io/advisories/17 ... So, downgrading and pinning that version should make this exploitable? |
|
ok so there are two vulns here. The cleverer one which is mentioned here would break the weak JOSE passphrase challenge because it requires the token to be signed by an asymmetric algorithm. There is a less clever one where you change the alg to none and send a blank signature which can be exploited if you pin express-jwt back to something like its very first version. I am going to do more experimentation and then I will update you. |
|
For my own reference, need to pin express-jwt to https://github.com/auth0/express-jwt/blob/v0.1.3/package.json |
|
Would the clever one and the alg=none both work at the same time? If so, I think @ViktorLindstrm would be okay with you removing the much simpler secret-guessing challenge. We wanted to do some crazier stuff on JWT during OWASP Summit but simply didn't have enough time back then. |
|
I will have to investigate further and let you know. |
|
Of course i'm ok with that, that would be awesome! I gladly help if there are any questions. |
|
FYI I have not forgotten about this I just need to get some time to get back to this... |
|
Hi @bkimminich / @ViktorLindstrm , I have finally figured out how to do this. I have included a full explanation of how how to reproduce the two vulnerabilities following some relatively minor code changes in pull request #392. Let me know if you have any questions. It was hard enough to figure out how to do this, I don't think I am going to be able to figure out how to create the relevant tests for this :( |
|
Hi @tghosth! Great stuff! So, what is left to do is remove the current JWT challenge and add two new ones according to #392, but how do we check that they were exploited successfully? My idea:
And one remark: The public key would be perfectly placed in the |
|
About the tests, it would just be creating a JWT internally for those non-existent user emails and check that when used they solve those challenges. No feasible way to "test" the real hack that leads to the JWT. Many other e2e tests are like that already, so no problem. |
|
Hi @tghosth and @ViktorLindstrm! I would very much appreciate your feedback and some testing of those two new challenges on the branch https://github.com/bkimminich/juice-shop/tree/jwt_challenges! Please have a look at |
Open issues on
|
|
So, all test issues should now be fixed and previous challenges work again. The two new JWT challenges at the moment cannot determine if they were solved via
|
|
e2e tests have been added but the one for Tier 2 remains disabled due to problem described in #392 (comment). |
|
The challenge currently is not affected by any customization, thus it always expects |
(obsoletes #392 (comment) and resolves #364)
|
This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs. |
What do you think about a challenge based around the following vulnerability:
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
The main disadvantage is that this would allow logging in as any user but then there are already other issues such as SQLi which already allow that.
What do you think?
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
The text was updated successfully, but these errors were encountered: