gchq/CyberChef

Bug report: JWT Verify doesn't require an algorithm

Open

#624 aperta il 27 ago 2019

Vedi su GitHub
 (3 commenti) (0 reazioni) (0 assegnatari)JavaScript (3944 fork)batch import
featurehelp wanted

Metriche repository

Star
 (34.843 star)
Metriche merge PR
 (Merge medio 57g 13h) (62 PR mergiate in 30 g)

Descrizione

As detailed here, JWT verification functions should require specifying the algorithm that should have been used, in order to prevent an attacker from changing the algorithm to a symmetric algorithm from an asymmetric one and using the public key to sign the token. Probably low priority for this particular app, but it would be good to at least have the option.

Guida contributor