oltu-dev mailing list archives

From "Bryan Weber (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OLTU-199) Extra data permitted in JWT header
Date Thu, 19 May 2016 16:13:12 GMT
Bryan Weber created OLTU-199:
--------------------------------

             Summary: Extra data permitted in JWT header
                 Key: OLTU-199
                 URL: https://issues.apache.org/jira/browse/OLTU-199
             Project: Apache Oltu
          Issue Type: Bug
          Components: JWT
            Reporter: Bryan Weber


I stumbled into this bug when writing a unit test.

I was making sure that signature validation did not pass under the following conditions:

```
header + "x" + "." + payload + "." + signature
header + "." + payload + "x" + "." + signature
header + "." + payload + "." + signature + "x"
```
Two of the three correctly failed to validate because the signature was invalid; however, the first
case still passed signature validation. This puzzled me, so I read the code to figure out what
was going on.

```
// Parse the compact serialization, then validate the signature with the test key pair.
JWS jws = new JWSReader().read(jwt);

CustomSignatureMethod signatureMethod = new CustomSignatureMethod();
CustomPublicKey customPublicKey = new CustomPublicKey(keyPair.getPublic());

return jws.validate(signatureMethod, customPublicKey);
```

When you look at the JWSReader you will see:

```
```
// The header is handed to JWSHeaderParser; the payload and signature are set directly.
Builder jwsBuilder = new Builder();
(new JWSHeaderParser(jwsBuilder)).read(decodedHeader);
return jwsBuilder.setPayload(decodedBody).setSignature(encodedSignature).build();
```

So clearly the JWSHeaderParser's read implementation isn't reading the entire contents of
decodedHeader (which I confirmed is the entire header).

Inside the class public abstract class CustomizableEntityReader<E, B extends CustomizableBuilder<E>>
you will find three places that return early. Two of them look like this:

```
case '}':
    return;
```

So as soon as the closing } in the JSON is read, the remaining bytes are not parsed.

This is bad because it means that signature validation passes when it clearly should not.

My short term fix conceptually looks like this:

```
case '}':
    // Reject any bytes left over after the object's closing brace.
    if (x.more()) {
        throw new RuntimeException("Invalid JWT header");
    }
    return;
```

I'm not sure that this is exploitable at the moment, but it allows extra data to be passed
in JWTs and it causes many tokens to pass signature validation instead of just the actually
valid token.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
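A self-contained illustration of the failure mode the report describes, added here as an example; it is not Oltu's code and does not use the Oltu API. It uses HS256 with a constructed key, header and claims. parse_header stands in for the reader discussed above: lenient mode returns at the closing brace and ignores what follows, strict mode applies the proposed fix and rejects trailing bytes. Two verifiers are modelled: verify_rebuilt reconstructs the signing input from whatever the header parser consumed (an assumption about how a lenient parser can let a tampered token through; the report does not show what Oltu's validate does internally), and verify_raw MACs the raw encoded segments as RFC 7515 defines the signing input. Four characters rather than one are appended to each segment so that every tampered segment still base64url-decodes cleanly.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed inputs for this example (not taken from the Oltu issue).
KEY = b"example-hmac-key-not-a-real-secret"
HEADER = b'{"alg":"HS256","typ":"JWT"}'
PAYLOAD = b'{"sub":"alice","iss":"example"}'


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWS strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_token(header: bytes, payload: bytes, key: bytes) -> str:
    """Compact JWS: b64url(header).b64url(payload).b64url(HMAC over the first two)."""
    h, p = b64url_encode(header), b64url_encode(payload)
    return f"{h}.{p}.{b64url_encode(hs256(f'{h}.{p}'.encode('ascii'), key))}"


def parse_header(raw: bytes, strict: bool) -> tuple[dict, bytes]:
    """Parse the decoded header; return (header, bytes the parser consumed).

    Lenient mode mirrors the reported reader: it stops at the closing '}' and
    silently ignores the rest. Strict mode is the proposed fix: leftovers are an error.
    """
    text = raw.decode("latin-1")  # byte-preserving, so 'end' is also a byte offset
    header, end = json.JSONDecoder().raw_decode(text)
    if not isinstance(header, dict):
        raise ValueError("JWS header is not a JSON object")
    if strict and end != len(raw):
        raise ValueError(f"Invalid JWT header: {len(raw) - end} trailing byte(s)")
    return header, raw[:end]


def verify_rebuilt(token: str, key: bytes, strict: bool) -> bool:
    """Assumed model of a verifier that rebuilds the signing input from what the
    parser consumed. With a lenient parser the trailing bytes never reach the MAC,
    so the rebuilt input equals the original and the tampered token validates."""
    h, p, s = token.split(".")
    header, consumed = parse_header(b64url_decode(h), strict)
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg alone
        return False
    signing_input = f"{b64url_encode(consumed)}.{p}".encode("ascii")
    return hmac.compare_digest(hs256(signing_input, key), b64url_decode(s))


def verify_raw(token: str, key: bytes) -> bool:
    """Verifier over the raw encoded segments (RFC 7515 signing input). The expected
    algorithm is pinned, so the MAC is checked before the header is trusted; any
    change to the header segment fails here, and the strict parse is defence in depth."""
    h, p, s = token.split(".")
    if not hmac.compare_digest(hs256(f"{h}.{p}".encode("ascii"), key), b64url_decode(s)):
        return False
    header, _ = parse_header(b64url_decode(h), strict=True)
    return header.get("alg") == "HS256"


def check(token: str, key: bytes) -> dict[str, bool]:
    """Run all three verifiers; a rejection by exception counts as a failure."""
    def guarded(fn) -> bool:
        try:
            return fn()
        except ValueError:  # binascii.Error and the strict parser both land here
            return False
    return {
        "rebuilt_lenient": guarded(lambda: verify_rebuilt(token, key, strict=False)),
        "rebuilt_strict": guarded(lambda: verify_rebuilt(token, key, strict=True)),
        "raw_segments": guarded(lambda: verify_raw(token, key)),
    }


def tampered_variants(token: str) -> dict[str, str]:
    """The three mutations from the report, with four characters appended so the
    mutated segment still decodes (one extra character can give an invalid base64 length)."""
    h, p, s = token.split(".")
    return {
        "header+xxxx": f"{h}xxxx.{p}.{s}",
        "payload+xxxx": f"{h}.{p}xxxx.{s}",
        "signature+xxxx": f"{h}.{p}.{s}xxxx",
    }


if __name__ == "__main__":
    token = make_token(HEADER, PAYLOAD, KEY)
    print(f"{'original':<15}", check(token, KEY))
    for name, variant in tampered_variants(token).items():
        print(f"{name:<15}", check(variant, KEY))
```

Only the header mutation slips through, and only past the lenient rebuilt verifier: the payload and signature mutations fail every check, which matches the two-out-of-three result in the report. The practical takeaways are the two independent checks: reject trailing bytes after the header object, and compute the MAC or signature over the raw segments of the token as received rather than over anything re-serialized from parsed data.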
