Uncaught TypeError: Cannot read property 'aud' of undefined at Object.resolve_member #27

Closed
0xdevalias opened this Issue Aug 3, 2017 · 3 comments

0xdevalias commented Aug 3, 2017

The error is in the <__BCDetect__>____ part of the code, so I assume this isn't related to the specific website being tested.

Uncaught TypeError: Cannot read property 'aud' of undefined
    at Object.resolve_member (<__BCDetect__>____A:formatted:1885)
resolve_member: function(a, b) {
    var c = a[b]
      , d = typeof c;
    if (b && b.toString() && b.toString().tainted && this.logger("OBJKEYGET", (a.constructor && a.constructor.name) + "[" + String.unTaint(b) + "]", b, null, b),
    "undefined" === d && this.objHasKeyTainted(a) && this.logCollect("Check", "Exists(key)", {
        str: b,
        obj: Object.keys(a)
    }),

Debugging:

  • a = undefined
  • b = aud

The line that errors is var c = a[b]. It looks like there should be a check to ensure this isn't undefined or similar before being used on this line.

wisec commented Aug 3, 2017

This issue is the rewritten version of:
    a.aud
that we rewrite to:
    resolve_member(a,"aud")
So if the original a is undefined it would throw:
    Cannot read property 'aud' of undefined
as well.

I would ask you to check on a vanilla chrome (non BCDetect) if the error is triggered as well.

If yes then
    it is an error in the original code,
Else
    it is a bug in BCDetect

@wisec wisec added the Under Review label Aug 3, 2017

0xdevalias commented Aug 4, 2017

That makes sense. As best I can tell (testing in another browser, without BCDetect) it's not hitting the same issue/getting an error.

I wish this was on a public website so I could just show the issue, but I ran into this as part of an assessment on client code, so I can't share it.

It appears to be happening with code related to auth0 lock. This is the unminified section:

if (prof.aud !== this.clientID) {
    return cb(invalidJwt('The clientID configured (' + this.clientID + ') does not match with the clientID set in the token (' + prof.aud + ').'));
}

Which is part of the following file:

The JWT that should be being parsed at this stage is (modified to remove specific details, but follows the same structure/keys):

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tLyIsInN1YiI6InNlcnZpY2VuYW1lfHRoZXJlYXJlc29tZW51bWJlcnNoZXJlIiwiYXVkIjoiWFhYMTFYWFh4eHh4WDFYeHhYeFh4WFh4MXh4WHhYWFgiLCJleHAiOjE1MDE3MzY2ODQsImlhdCI6MTUwMTcyOTQ4NH0.0PtTI43OiuHlWiDHWjXGJoaR9i8XHE5H7wubim1ws6M

Which payload decodes to:

{
  "iss": "https://example.com/",
  "sub": "servicename|therearesomenumbershere",
  "aud": "XXX11XXXxxxxX1XxxXxXxXXx1xxXxXXX",
  "exp": 1501736684,
  "iat": 1501729484
}

So that would imply to me that the aud should be valid at this point. And the fact that the login feature appears to work correctly when not run through BCDetect would confirm that to me.

To validate in isolation, it should be enough to get an instance of the following and try it out, in theory at least (also taken from the above mentioned code file):

var id_token = "INSERT TOKEN MENTIONED ABOVE";
var verifier = new IdTokenVerifier({});
var prof = verifier.decode(id_token).payload;
console.log(prof);

The import for that is:

import IdTokenVerifier from 'idtoken-verifier';

Which is loaded from the package.json:

"idtoken-verifier": "^1.0.1",

So instrumenting that in a little test webpage might illustrate the issue in a more standalone way.

Edit: Downloaded that package, built it and uploaded it to plunkr, putting together a mini test page. Main bit of code is in main.js:

Downloaded that, ran locally with python -m SimpleHTTPServer, loaded the test page with BCDetect and it seems to work fine.. So.. long rabbit hole for no value :(

I can't for certain rule out that some instrumentation of BCDetect earlier in the larger codebase causes the value to be undefined at this point.. but since I am having trouble getting the debugger to break on the code in question.. and this isolated test seems to work properly, I may have to call this unreproducible for now..
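A stand-alone version of the two points raised in this thread, added here as an example and not taken from BCDetect, auth0-lock or idtoken-verifier: it decodes the sanitised token posted above (no signature verification, like the `decode()` call in the repro), runs the `aud` check from the unminified snippet, and shows that an access written as `resolve_member(a, "aud")` fails with the same `TypeError` as plain `a.aud` when `a` is undefined. The `resolve_member` shape and its stubbed-out taint logging are assumptions.

```javascript
// Added example, not BCDetect's or idtoken-verifier's own code. It decodes the
// sanitised token from the thread without verifying the signature, applies the
// auth0 aud check, and shows that an instrumented access in the style of
// resolve_member(a, "aud") fails in the same way plain a.aud does when a is
// undefined. resolve_member's taint logging is stubbed out (assumption).

// Sanitised token exactly as posted in the issue above.
const ID_TOKEN =
  'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.' +
  'eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tLyIsInN1YiI6InNlcnZpY2VuYW1lfHRoZXJlYXJlc29tZW51bWJlcnNoZXJlIiwiYXVkIjoiWFhYMTFYWFh4eHh4WDFYeHhYeFh4WFh4MXh4WHhYWFgiLCJleHAiOjE1MDE3MzY2ODQsImlhdCI6MTUwMTcyOTQ4NH0.' +
  '0PtTI43OiuHlWiDHWjXGJoaR9i8XHE5H7wubim1ws6M';

// Decode one base64url segment (JWT segments use '-' and '_' and no padding).
function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Unverified decode only, like IdTokenVerifier.decode() in the repro snippet:
// the signature is NOT checked here, so nothing in `payload` is trustworthy
// until verification has run.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT: expected 3 segments');
  return { header: b64urlToJson(parts[0]), payload: b64urlToJson(parts[1]) };
}

// Minimal stand-in for the rewritten member access (assumed shape). It relies
// on the engine's own TypeError for a[b] when a is undefined rather than
// masking it, which is the behaviour the contributor describes above.
function resolve_member(a, b) {
  const c = a[b]; // throws TypeError when a is undefined, exactly like a.aud
  // BCDetect's OBJKEYGET / Exists(key) logging would sit here; omitted.
  return c;
}

// The check from the unminified auth0-lock snippet, with the property access
// written either the plain way or the instrumented way.
function audMatches(prof, clientID, instrumented) {
  const aud = instrumented ? resolve_member(prof, 'aud') : prof.aud;
  return aud === clientID;
}

// Classify how a call ends so plain and instrumented paths can be compared.
function outcome(fn) {
  try { fn(); return 'ok'; } catch (e) { return e.constructor.name; }
}
```

Comparing `outcome()` for the plain and instrumented calls on an undefined `prof` gives the same `TypeError`, which is why the error alone cannot tell a BCDetect bug apart from `prof` already being undefined in the page's own code.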

wisec commented Dec 11, 2017

Closing this.
Feel free to reopen

@wisec wisec closed this Dec 11, 2017
