[jira] [Created] (OLTU-199) Extra data permitted in JWT header

Thu, 19 May 2016 09:14:03 -0700 

Bryan Weber created OLTU-199:
--------------------------------

             Summary: Extra data permitted in JWT header
                 Key: OLTU-199
                 URL: https://issues.apache.org/jira/browse/OLTU-199
             Project: Apache Oltu
          Issue Type: Bug
          Components: JWT
            Reporter: Bryan Weber


I stumbled into this bug when writing a unit test.

I was making sure that signature validation did not pass under the following 
conditions:

```
header + "x" + "." + payload + "." + signature
header + "." + payload + "x" + "." + signature
header + "." + payload + "." + signature + "x"
```
2 of the 3 correctly failed to validate because the signature was invalid, 
however the first case still passed signature validation. This puzzled me so I 
read the code to figure out what was going on.

```
JWS jws = new JWSReader().read(jwt);

            CustomSignatureMethod signatureMethod = new CustomSignatureMethod();
            CustomPublicKey customPublicKey = new 
CustomPublicKey(keyPair.getPublic());

            return jws.validate(signatureMethod, customPublicKey);
```

When you look at the JWSReader you will see:

```
        Builder jwsBuilder = new Builder();
        (new JWSHeaderParser(jwsBuilder)).read(decodedHeader);
        return 
jwsBuilder.setPayload(decodedBody).setSignature(encodedSignature).build();
```

So clearly the JWSHeaderParser's read implementation isn't reading the entire 
contents of decodedHeader (which I confirmed is the entire header).

Inside of the class public abstract class CustomizableEntityReader<E, B extends 
CustomizableBuilder<E>>

you would find three places that return early. Two of them look like this:

```
                case '}':
                    return;
```

So as soon as the closing } in the JSON is read the remaining bytes are not 
parsed.  

This is bad because it means that signature validation passes when it clearly 
should not.

My short term fix conceptually looks like this:

```
                case '}':
                    if ( x.more() ) {
                        throw new RuntimeException("Invalid JWT header");
                    }
                    return;
```

I'm not sure that this is exploitable at the moment, but it allows extra data 
to be passed in JWTs and it causes many tokens to pass signature validation 
instead of just the actually valid token.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to