P3ngu1nW / CVE_Request


PoC vulnerable web app for CVE-2023-51774? #1

Open postmodern opened 8 months ago

postmodern commented 8 months ago

Hello, the maintainer of json-jwt contests whether it is even possible to create an application that is vulnerable to CVE-2023-51774. Could you create a PoC web application that demonstrates how to exploit CVE-2023-51774?

P3ngu1nW commented 8 months ago

Hi! A sign/encryption confusion attack may lead to authentication bypass. For example: a router will check whether the user's JWT can be verified and consider whether to reject the HTTP request.

In this case, the user can construct a fake JWE to bypass this restriction.

JWcrypto has also fixed this problem.


postmodern commented 8 months ago

> A router will check whether the user's JWT can be verified and consider whether to reject the HTTP request.

But is that actually possible in a real application using json-jwt? The maintainer says that the JWT and JWE objects are different enough that using a decoded JWE object in place of a decoded JWT object would probably result in a NoMethodError exception. Could you try reproducing this in an example Ruby app?

P3ngu1nW commented 8 months ago

It's certainly possible. What I mean is that JWT.decode can also be used to verify the JWT; it does not necessarily need to be used to parse its content.
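As an added example (not code from json-jwt or from either commenter), this is the kind of pre-check a router that uses a decode call only as a verification gate can apply: it inspects the compact-serialization shape and JOSE header so that a JWE is never accepted where a signed JWT was expected. The token values are constructed placeholders; the segment counts and the `enc` header rule come from RFC 7515 and RFC 7516, and real signature verification is still left to the library.

```ruby
require 'json'

# Added example: distinguish a JWS (signed JWT) from a JWE before handing the
# token to any decode routine. JWS compact serialization has 3 dot-separated
# segments and a header with "alg"; JWE compact serialization has 5 segments
# and a header that must also carry "enc".

def decode_jose_header(segment)
  # Base64url without padding -> standard base64 with padding, strict decode.
  padded = segment + '=' * ((4 - segment.length % 4) % 4)
  JSON.parse(padded.tr('-_', '+/').unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# Returns :jws, :jwe or :invalid for a compact-serialized token.
def classify_jose_token(token)
  parts = token.to_s.split('.', -1)
  header = decode_jose_header(parts.first.to_s)
  return :invalid unless header.is_a?(Hash) && header['alg']
  return :jwe if parts.length == 5 && header.key?('enc')
  return :jws if parts.length == 3 && !header.key?('enc')
  :invalid
end

# Gate for the (hypothetical) router: only a signed JWT may proceed to
# signature verification; a JWE is rejected outright.
def signed_jwt?(token)
  classify_jose_token(token) == :jws
end

# Constructed sample tokens; payload, IV, ciphertext and tag segments are
# placeholders, not real cryptographic material.
b64url = ->(h) { [JSON.generate(h)].pack('m0').tr('+/', '-_').delete('=') }
SAMPLE_JWS = "#{b64url.call(alg: 'HS256', typ: 'JWT')}.#{b64url.call(sub: 'alice')}.c2ln"
SAMPLE_JWE = "#{b64url.call(alg: 'dir', enc: 'A128GCM')}..aXY.Y3Q.dGFn"

if __FILE__ == $PROGRAM_NAME
  puts "JWS -> #{classify_jose_token(SAMPLE_JWS)} (accepted: #{signed_jwt?(SAMPLE_JWS)})"
  puts "JWE -> #{classify_jose_token(SAMPLE_JWE)} (accepted: #{signed_jwt?(SAMPLE_JWE)})"
end
```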