科技回声

13 条评论

bbrazil大约 10 年前

Be wary if you do anything with signed data before you verify the signature.<a href="http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/" rel="nofollow">http://www.thoughtcrime.org/blog/the-cryptographic-doom-prin...</a>

评论 #9302394 未加载

评论 #9301904 未加载

odino大约 10 年前

By the way, claps for Tim for the amazing job. He contacted various people and gave them heads up weeks ago. I think the wat this was handled was awesome.<3 OSS

Kiro大约 10 年前

I don't understand why you need the alg property at all. I mean, you are the one issuing the token so you definitely know what algorithm is used in the back-end. Why is this necessary?

评论 #9302510 未加载

评论 #9303268 未加载

s_kilk大约 10 年前

I found a (thematically) similar issue in the clojure jwt library last year [1]. Now I'm wondering if the issue may be wider than just that library.[1] <a href="https://github.com/liquidz/clj-jwt/issues/8" rel="nofollow">https://github.com/liquidz/clj-jwt/issues/8</a>

zaroth大约 10 年前

Also see: <a href="https://news.ycombinator.com/item?id=9111049" rel="nofollow">https://news.ycombinator.com/item?id=9111049</a>Where are the CVEs?! ... OK, I just sent a brief write-up to the oss-security list, we'll see what happens.

评论 #9303869 未加载

the_mitsuhiko大约 10 年前

I'm glad someone of not finally made a statement about that. I have reported two bugs like this against libraries in the last two years and the general feedback has been, that it's not an issue. They just removed the none algorithm entirely.

d4mi3n大约 10 年前

For those of you concerned about if a JWT library you're using is vulnerable, you can see the current list of verified/validate clients for each language here: <a href="http://jwt.io/" rel="nofollow">http://jwt.io/</a> (page down to see the list)My team has been using ruby-jwt, so I'm glad to see that at least does not seem to be on the list of vulnerable libraries.

omgitstom大约 10 年前

I've actually seen this same issue in JWT libs before (August 2014) as well. I think one of the main issue is JWT is simple to implement, the specification seems to be unclear about how to treat unsecure JWTs (with the `none` alg).From the specificaiton: Even if a JWT can be successfully validated, unless the algorithm(s) used in the JWT are acceptable to the application, it SHOULD reject the JWT.So what it is saying is that you should have code in your application to make sure to only trust algorithms that you like.The other issue is that following the specifications rules for validation get you in a hairy spot where this vulnerability exist:<a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2" rel="nofollow">https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-...</a>

评论 #9305557 未加载

laumars大约 10 年前

Can someone please explain to me the appeal of tokens like the following please?<pre><code> payload = '{"loggedInAs":"admin","iat":1422779638}' </code></pre> I've always worked under the assumption that everything the client sends is wrong; which means the only fields I issue are a user hash and session key. If either of those don't match the session table record then the token is rejected. Having group permissions issued from the client side seems like a bad design from the offset - however this seems a really obvious point to make, which makes me wonder if I'm missing the point of JWT's.Is anyone able to expand on this for me please?

评论 #9302818 未加载

评论 #9302937 未加载

评论 #9302304 未加载

评论 #9302207 未加载

MrBuddyCasino大约 10 年前

If you love to confirm your stereotypes as much as the next guy, take a closer look at the languages:- Ruby, Java, Lua, Scala and .NET are unaffected- updates are available for Node.js and Python- there are still no fixed version for JavaScript and PHP libs

评论 #9307148 未加载

mfjordvald大约 10 年前

They list the php-jwt library from firebase as vulnerable but I can't see why. As far as I can see they do not support the None algorithm.<a href="https://github.com/firebase/php-jwt/blob/master/Authentication/JWT.php" rel="nofollow">https://github.com/firebase/php-jwt/blob/master/Authenticati...</a>It's not in the methods array and the decode method specifically does a check to see if it's empty.if (empty($header->alg)) { throw exception }Can anyone throw some light on this?

评论 #9301931 未加载

tptacek大约 10 年前

Don't use JSON Web Tokens.

评论 #9305120 未加载

评论 #9304493 未加载

pvg大约 10 年前

Original, non-spam source is:<a href="https://www.timmclean.net/2015/03/31/jwt-algorithm-confusion.html" rel="nofollow">https://www.timmclean.net/2015/03/31/jwt-algorithm-confusion...</a>

评论 #9302910 未加载

13 条评论

bbrazil大约 10 年前

评论 #9302394 未加载

评论 #9301904 未加载

odino大约 10 年前

By the way, claps for Tim for the amazing job. He contacted various people and gave them heads up weeks ago. I think the wat this was handled was awesome.<3 OSS

Kiro大约 10 年前

I don't understand why you need the alg property at all. I mean, you are the one issuing the token so you definitely know what algorithm is used in the back-end. Why is this necessary?

评论 #9302510 未加载

评论 #9303268 未加载

s_kilk大约 10 年前

zaroth大约 10 年前

评论 #9303869 未加载

the_mitsuhiko大约 10 年前

d4mi3n大约 10 年前

omgitstom大约 10 年前

评论 #9305557 未加载

laumars大约 10 年前

评论 #9302818 未加载

评论 #9302937 未加载

评论 #9302304 未加载

评论 #9302207 未加载

MrBuddyCasino大约 10 年前

评论 #9307148 未加载

mfjordvald大约 10 年前

评论 #9301931 未加载

tptacek大约 10 年前

Don't use JSON Web Tokens.

评论 #9305120 未加载

评论 #9304493 未加载

pvg大约 10 年前

Original, non-spam source is:<a href="https://www.timmclean.net/2015/03/31/jwt-algorithm-confusion.html" rel="nofollow">https://www.timmclean.net/2015/03/31/jwt-algorithm-confusion...</a>

评论 #9302910 未加载

Critical Vulnerabilities in JSON Web Token Libraries

13 条评论

Critical Vulnerabilities in JSON Web Token Libraries

13 条评论