[ https://issues.apache.org/jira/browse/OLTU-199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso updated OLTU-199:
-------------------------------
    Labels: review  (was: )

> Extra data permitted in JWT header
> ----------------------------------
>
>                 Key: OLTU-199
>                 URL: https://issues.apache.org/jira/browse/OLTU-199
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: JWT
>            Reporter: Bryan Weber
>              Labels: review
>
> I stumbled into this bug when writing a unit test.
> I was making sure that signature validation did not pass under the following 
> conditions:
> ```
> header + "x" + "." + payload + "." + signature
> header + "." + payload + "x" + "." + signature
> header + "." + payload + "." + signature + "x"
> ```
> Two of the three correctly failed to validate because the signature was invalid; 
> however, the first case still passed signature validation. This puzzled me, so 
> I read the code to figure out what was going on.
> ```java
> // Validation path used by the unit test: parse the compact JWT, then verify the
> // signature with the test key pair's public key.
> JWS jws = new JWSReader().read(jwt);
> CustomSignatureMethod signatureMethod = new CustomSignatureMethod();
> CustomPublicKey customPublicKey = new CustomPublicKey(keyPair.getPublic());
> return jws.validate(signatureMethod, customPublicKey);
> ```
> When you look at the JWSReader you will see:
> ```java
> // The header is handed to JWSHeaderParser, which fills the builder; payload and
> // signature are set directly.
> Builder jwsBuilder = new Builder();
> (new JWSHeaderParser(jwsBuilder)).read(decodedHeader);
> return jwsBuilder.setPayload(decodedBody).setSignature(encodedSignature).build();
> ```
> So clearly the JWSHeaderParser's read implementation isn't reading the entire 
> contents of decodedHeader (which I confirmed is the entire header).
> Inside the class `public abstract class CustomizableEntityReader<E, B extends CustomizableBuilder<E>>` 
> you will find three places that return early. Two of them look like this:
> ```
>                 case '}':
>                     return;
> ```
> So as soon as the closing } in the JSON is read, the remaining bytes are not 
> parsed.  
> This is bad because it means that signature validation passes when it clearly 
> should not.
> My short term fix conceptually looks like this:
> ```
>                 case '}':
>                     if ( x.more() ) {
>                         throw new RuntimeException("Invalid JWT header");
>                     }
>                     return;
> ```
> I'm not sure that this is exploitable at the moment, but it allows extra data 
> to be passed in JWTs, and it causes many tokens to pass signature validation 
> instead of just the actually valid token.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
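The failure mode described in the report above, reproduced as an added example. This is not Apache Oltu's code and is written in Python rather than the project's Java so that it runs stand-alone with only the standard library. It assumes, as the report implies but does not state outright, that the validator rebuilds the signing input from the parsed header and payload rather than from the raw token segments; that is the only way a byte the parser silently drops can leave the signature check unaffected. The key, the token contents and the tampered tokens are all constructed here. The trailing bytes are appended at the decoded level, so the JSON parser really does see data after the closing brace, which is the condition the report describes. The strict parser mirrors the report's proposed `x.more()` check, and `validate_raw` shows the stronger check of verifying the MAC over the segments exactly as received.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment pulls this from a secret store.
DEMO_KEY = b"constructed-example-key-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore padding; raises binascii.Error (a ValueError) on bad lengths.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) using HMAC-SHA256."""
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def parse_header_lenient(raw: bytes) -> dict:
    """The behaviour the report describes: parsing stops at the closing '}'
    and whatever follows is never looked at."""
    obj, _end = json.JSONDecoder().raw_decode(raw.decode("utf-8"))
    return obj


def parse_header_strict(raw: bytes) -> dict:
    """The report's proposed fix: nothing may remain after the closing '}'."""
    text = raw.decode("utf-8")
    obj, end = json.JSONDecoder().raw_decode(text)
    if end != len(text):
        raise ValueError("Invalid JWT header: %d trailing byte(s) after '}'" % (len(text) - end))
    if not isinstance(obj, dict):
        raise ValueError("Invalid JWT header: not a JSON object")
    return obj


def validate_rebuilt(token: str, key: bytes, parse_header) -> bool:
    """Assumed validator shape: parse, then re-serialise the parsed header and
    payload and check the MAC over the rebuilt input. Bytes the parser dropped
    never reach the MAC, so a token with trailing header bytes still passes."""
    h_enc, p_enc, s_enc = token.split(".")
    header = parse_header(b64url_decode(h_enc))
    payload = json.loads(b64url_decode(p_enc))
    rebuilt = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    expected = hmac.new(key, rebuilt.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s_enc))


def validate_raw(token: str, key: bytes) -> bool:
    """Parse strictly, pin the algorithm, then check the MAC over the two
    segments exactly as received. Any change to either segment, including
    bytes after the header's closing brace, changes the signing input."""
    h_enc, p_enc, s_enc = token.split(".")
    try:
        header = parse_header_strict(b64url_decode(h_enc))
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False
    expected = hmac.new(key, (h_enc + "." + p_enc).encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s_enc))


def append_to_header(token: str, extra: bytes) -> str:
    """Constructed tampering: the header segment now decodes to the original
    header JSON followed by `extra`, i.e. bytes after the closing '}'."""
    h_enc, p_enc, s_enc = token.split(".")
    return b64url_encode(b64url_decode(h_enc) + extra) + "." + p_enc + "." + s_enc


def report_cases(token: str) -> list:
    """The three string-level mutations from the report, applied to `token`."""
    h, p, s = token.split(".")
    return [h + "x." + p + "." + s, h + "." + p + "x." + s, h + "." + p + "." + s + "x"]


if __name__ == "__main__":
    good = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, DEMO_KEY)
    bad = append_to_header(good, b"x")
    print("lenient parser, rebuilt input :", validate_rebuilt(bad, DEMO_KEY, parse_header_lenient))
    print("raw-segment check             :", validate_raw(bad, DEMO_KEY))
```

With the lenient parser and a validator that rebuilds its input, the token whose header carries a trailing byte validates exactly like the issued token, which is the "many tokens pass instead of just the valid one" outcome the report describes. The strict parser raises on the same token, and `validate_raw` rejects it regardless of how the header is parsed because the MAC is computed over the bytes that were actually received.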