gchq/CyberChef

Bug report: JWT Verify doesn't require an algorithm

Open

#624 opened on Aug 27, 2019

View on GitHub
 (3 comments) (0 reactions) (0 assignees)JavaScript (34,843 stars) (3,944 forks)batch import
featurehelp wanted

Description

As detailed here, JWT verification functions should require specifying the algorithm that should have been used, in order to prevent an attacker from changing the algorithm to a symmetric algorithm from an asymmetric one and using the public key to sign the token. Probably low priority for this particular app, but it would be good to at least have the option.

Contributor guide

Tech stack
javascript
Domain
security
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
knowledge of JWTfamiliarity with CyberChef's codebase
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Investigate the current implementation of JWT operations in CyberChef (likely in src/core/operations/). Review the linked Auth0 article about algorithm confusion. The fix requires adding a mandatory algorithm parameter to the JWT Verify function, ensuring it validates that the token was signed with the expected algorithm. Check existing tests for JWT operations and consider how to add this parameter without breaking existing workflows.