gchq/CyberChef

Bug report: JWT Verify doesn't require an algorithm

Open

Aperta il 27 ago 2019

Vedi su GitHub
 (3 commenti) (0 reazioni) (0 assegnatari)JavaScript (34.843 star) (3944 fork)batch import
featurehelp wanted

Descrizione

As detailed here, JWT verification functions should require specifying the algorithm that should have been used, in order to prevent an attacker from changing the algorithm to a symmetric algorithm from an asymmetric one and using the public key to sign the token. Probably low priority for this particular app, but it would be good to at least have the option.

Guida contributor

Tech stack
javascript
Dominio
security
Tipo issue
bug
DifficoltàQuanto dovrebbe essere impegnativa per un nuovo contributor.
3
Tempo stimatoTempo stimato per completare e verificare uno scope piccolo.
1-3 hours
Stato attivitàQuanto è probabile che la issue sia ancora attiva e reviewable.
stale
ChiarezzaQuanto chiaramente la issue descrive problema, scope e risultato atteso.
clear
Prerequisiti
knowledge of JWTfamiliarity with CyberChef's codebase
Adatta ai principiantiQuanto la issue è adatta a contributor alla prima esperienza.
60
Direzione di ricerca
Investigate the current implementation of JWT operations in CyberChef (likely in src/core/operations/). Review the linked Auth0 article about algorithm confusion. The fix requires adding a mandatory algorithm parameter to the JWT Verify function, ensuring it validates that the token was signed with the expected algorithm. Check existing tests for JWT operations and consider how to add this parameter without breaking existing workflows.