Bug report: JWT Verify doesn't require an algorithm · gchq/CyberChef#624

(3 评论) (0 反应) (0 负责人)JavaScript (34,843 star) (3,944 fork)batch import

featurehelp wanted

描述

As detailed here, JWT verification functions should require specifying the algorithm that should have been used, in order to prevent an attacker from changing the algorithm to a symmetric algorithm from an asymmetric one and using the public key to sign the token. Probably low priority for this particular app, but it would be good to at least have the option.

贡献者指南

技术栈: javascript
领域: security
议题类型: bug
难度: 3
预计时间: 1-3 hours
活动状态: stale
清晰度: clear
前置要求: knowledge of JWTfamiliarity with CyberChef's codebase
新手友好度: 60
研究方向: Investigate the current implementation of JWT operations in CyberChef (likely in src/core/operations/). Review the linked Auth0 article about algorithm confusion. The fix requires adding a mandatory algorithm parameter to the JWT Verify function, ensuring it validates that the token was signed with the expected algorithm. Check existing tests for JWT operations and consider how to add this parameter without breaking existing workflows.