Example unsigned token that bypasses verification #364
Comments
@brianlow For your decode call, you probably want to call something like I believe that you've hit a bug with the encoder... In the case that the algorithm is
Actually, I take it all back... there isn't a bug with the encoder... (I blame not enough coffee yet). The "issue" here is that the By default, A "nicer" behaviour would be to raise an
That sounds reasonable. So it feels like using Is that fair?
Correct that it is not vulnerable to an attack whereby the attack uses the 'none' algorithm. It may be vulnerable to other attacks. To reduce the attack surface, you should specify which algorithms you will allow the library to use when decoding. Not doing so may leave your application vulnerable to attacks such as:
If you are issuing the tokens, you should know what algorithm(s) you're using to sign the token. If you're not issuing the token, the issuer should be able to tell you what algorithms they use. Hence the advice to use:
@danleyden Thanks for the explanation! This really helps understand our risk. I'll pin the algorithm
Does anyone have an example of such a token?
I thought our system was exposed but I've been unable to write a failing unit test. For example, I cannot get

```ruby
JWT.decode(t, secret)
```

to accept an unsigned token.
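The following is an added example, not code from this issue or from the jwt gem. It serves two parts of the thread: the question above (how to write a unit test that checks whether an unsigned token is accepted) and the advice in the comments to pin the algorithms the decoder may use. It is a minimal HS256 decoder built only on Ruby's standard library, with an explicit algorithm allowlist, plus a constructed 'alg: none' fixture that the test asserts is rejected. The module name `PinnedJwt`, its method names, and the sample secret and payload are assumptions made for the example.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Hypothetical module name; everything here is example code for the issue above.
module PinnedJwt
  class VerificationError < StandardError; end

  # Constructed sample values for the example; not real credentials.
  SAMPLE_SECRET  = 'constructed-test-secret'.freeze
  SAMPLE_PAYLOAD = { 'sub' => 'user1' }.freeze

  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.unb64url(str)
    Base64.urlsafe_decode64(str)
  end

  # Issue an HS256-signed token; used here only to build test fixtures.
  def self.encode_hs256(payload, secret)
    header = { 'alg' => 'HS256', 'typ' => 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Constructed 'alg: none' fixture: same payload, empty signature segment.
  # A verifier that does not pin algorithms is the kind of code this exposes.
  def self.unsigned_token(payload)
    header = { 'alg' => 'none', 'typ' => 'JWT' }
    "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}."
  end

  # Constant-time byte comparison so a signature check does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Decode with an explicit allowlist. The header's alg is only trusted
  # if the caller listed it, and 'none' is refused even if listed.
  def self.decode(token, secret, algorithms:)
    parts = token.split('.', -1)
    raise VerificationError, 'malformed token' unless parts.length == 3

    header = JSON.parse(unb64url(parts[0]))
    alg = header['alg']
    raise VerificationError, "algorithm #{alg.inspect} not allowed" unless algorithms.include?(alg)
    raise VerificationError, 'unsigned tokens are never accepted' if alg == 'none'
    raise VerificationError, "unsupported algorithm #{alg}" unless alg == 'HS256'

    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
    raise VerificationError, 'signature mismatch' unless secure_equal?(expected, unb64url(parts[2]))

    JSON.parse(unb64url(parts[1]))
  end

  # Boolean wrapper for use in unit tests: does the decoder accept this token?
  def self.accepts?(token, secret, algorithms:)
    decode(token, secret, algorithms: algorithms)
    true
  rescue VerificationError, JSON::ParserError, ArgumentError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  good = PinnedJwt.encode_hs256(PinnedJwt::SAMPLE_PAYLOAD, PinnedJwt::SAMPLE_SECRET)
  none = PinnedJwt.unsigned_token(PinnedJwt::SAMPLE_PAYLOAD)
  puts "signed token accepted:   #{PinnedJwt.accepts?(good, PinnedJwt::SAMPLE_SECRET, algorithms: ['HS256'])}"
  puts "unsigned token accepted: #{PinnedJwt.accepts?(none, PinnedJwt::SAMPLE_SECRET, algorithms: ['HS256'])}"
end
```

The shape of the test is the point: build the 'alg: none' fixture from the same payload the signed token carries, hand it to the decoder with the algorithms you actually issue, and assert that it is refused. If a decoder accepts it, that is the failing test the report was looking for.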