Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
New JWT weaknesses #392
(relates to issue #364)
This is a small commit but it creates two new vulnerabilities by switching to an old version of express-jwt and switching to an asymmetric JWT signing algorithm.
The first is that you can submit a JWT using the "none" algorithm and the application will accept it.
The second is that if you have the public key of the private key used to asymmetrically sign the JWT, you can make the server think that the JWT was actually signed using a symmetric key and therefore generate valid, signed JWTs based on the public key.
Both these vulnerabilities are explained far better here.
Note that it invalidates the existing JWT vulnerability.
Steps to reproduce these vulnerabilities:
"Asymmetric to Symmetric" bug
This is harder to exploit, mostly because it is very sensitive to the newline characters in the public key. In order to allow exploitation, the public key will need to be available to the end user. Maybe it could be left in the ftp directory. I would strongly recommend leaving it in the code fragment form so to help avoid the newline issues.
Hi @tghosth, I just tried to write unit tests for the challenge verification with pre-built tokens from jwt.io built exactly like you specified them here. For Asymmetric to Symmetric" bug I do not get a valid signature from setting the key via console. Could you retry please if it still works for you?
See 0ac15ff#diff-b23f26e8b487351a9699003c329e0890R248 for the token I made that does not work. The test is disabled at the moment with