Closed emanuelduss closed 3 years ago
Hi Mänu
Thank you for the exemplary issue! However, do you know if this worked with 1.12? Meaning the perpetrator is in v1.13..
Cheers
Can you please see if this works? Alternatively feel free to build from the latest commit ;) JWT4B.zip
Yayy
Awesome, THX!
Hi ozzi-
I really like this extension and use it a lot but just had some issues while creating signatures with a secret that contains linebreaks.
This is e.g. important in the algorithm confusion attack where you sign your RS256 token using the public key but using the HS256 algorithm.
Situation
Example JWT:
Decoded:
What I want
I get the expected result in previous versions of the extension.
I want to sign it using the following multi line secret (incl. the last linebreak!):
Doing so:
Plugin output on stdout:
Screenshot:
This works as expected.
Also CyberChef confirms that this is the correct behavior:
What I get
In the latest release, the attacks did not work anymore :(.
Performing the same steps as already described.
Plugin output on stdout:
Screenshot:
All linebreaks from the secret input are removed.
This results in a non-working attack :(.
Issue
Solution
Can you fix this?
Thanks & LG Mänu
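Added example, not part of the original issue or the extension's code: HS256 keys are used byte for byte, so a secret with its line breaks removed produces a different signature, and a verifier that pins its expected algorithm rejects an HS256 token outright. The secret, payload and function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed multi-line secret (ends with a line break) and the same
# secret with every line break removed, as described in the issue.
SECRET = b"constructed line 1\nconstructed line 2\n"
STRIPPED = SECRET.replace(b"\n", b"")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWT signed with HMAC-SHA256 over the exact key bytes."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_hs256(token: str, secret: bytes, allowed_algs=("HS256",)) -> bool:
    """Verify an HS256 token; refuse it unless the caller allows HS256."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        alg = json.loads(b64url_decode(head_b64)).get("alg")
        sig = b64url_decode(sig_b64)
    except (ValueError, AttributeError):
        return False  # malformed token
    # The algorithm comes from configuration, never from the token alone.
    if alg != "HS256" or alg not in allowed_algs:
        return False
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    token = sign_hs256({"sub": "demo"}, SECRET)
    print("exact secret:      ", verify_hs256(token, SECRET))
    print("line breaks removed:", verify_hs256(token, STRIPPED))
    print("RS256-only verifier:", verify_hs256(token, SECRET, ("RS256",)))
```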