gchq/CyberChef

Bug report: JWT Verify doesn't require an algorithm

Open

#624 建立於 2019年8月27日

在 GitHub 查看
 (3 留言) (0 反應) (0 負責人)JavaScript (3,944 fork)batch import
featurehelp wanted

倉庫指標

Star
 (34,843 star)
PR 合併指標
 (平均合併 57天 13小時) (30 天內合併 62 個 PR)

描述

As detailed here, JWT verification functions should require specifying the algorithm that should have been used, in order to prevent an attacker from changing the algorithm to a symmetric algorithm from an asymmetric one and using the public key to sign the token. Probably low priority for this particular app, but it would be good to at least have the option.

貢獻者指南