[🐛] 401 Unauthorized unsigned/fake-signed JWT tokens #1788
Comments
Thanks a lot for opening your first issue with us! 🧡 We'll get back to you shortly! ⏳ If it was a Support Request, please consider asking on the community chat next time! 💬
When you set this tampered token in the Local Storage and Cookies as
Apparently none of the above, since the user is fetched via a
After a more detailed inspection of the error messages and the code, it is clear that the reason why we do not get a "fully valid login" is due to additional checks related to the
IMHO it would still be nice for the JWT challenges if the fake JWT tokens could be automatically added to the
FYI, I happened to realize that the
This issue has been automatically marked as
Not actual issue progress, but there was some interesting discussion recently in the Juice Shop channel on OWASP Slack about the JWT issues: https://owasp.slack.com/archives/C255XSY04/p1659628380180969 TL;DR: Any help from a JWT expert to perform an as-is-analysis of our current auth process and the problems with the challenges is highly appreciated.
Ooof, I was wondering why this wasn't working with
Sadly many questions are not working since JWT can't be solved.
🐛 Bug report
Description
Unsigned/fake-signed JWT tokens work for the purpose of solving the JWT challenges, but Juice Shop responds with 401 Unauthorized {"status":"error","message":{}}.

Is this a regression?

This seems to be a regression of #1310.
I have only tried the latest version.
🔬 Minimal Reproduction

1. GET Request to <host>/rest/basket/<bid> with header Authentication: Bearer <header>.<payload>.<signature>
2. In <header>, change alg to none, base64url-encode into <unsigned_header>.
3. GET Request to <host>/rest/basket/<bid> with header Authentication: Bearer <unsigned_header>.<payload>.
4. If changing email to jwtn3d@juice-sh.op in the payload, the unsigned JWT challenge is detected as solved.

🔥 Exception or Error
🌳 Your Environment
v17.8.0
8.5.5
Additional Information
npm list jsonwebtoken
├─┬ express-jwt@0.1.3
│ └── jsonwebtoken@0.1.0
└── jsonwebtoken@0.4.0
Tested on Mac OS X 12.2 with brew-installed node@8.5.5
Tested on Kali Linux 2022.1 with apt-installed node@8.5.5