gchq/CyberChef

Bug report: JWT Verify doesn't require an algorithm

Open

#624 ouverte le 27 août 2019

Voir sur GitHub
 (3 commentaires) (0 réactions) (0 assignés)JavaScript (3 944 forks)batch import
featurehelp wanted

Métriques du dépôt

Stars
 (34 843 stars)
Métriques de merge PR
 (Merge moyen 57j 13h) (62 PRs mergées en 30 j)

Description

As detailed here, JWT verification functions should require specifying the algorithm that should have been used, in order to prevent an attacker from changing the algorithm to a symmetric algorithm from an asymmetric one and using the public key to sign the token. Probably low priority for this particular app, but it would be good to at least have the option.

Guide contributeur