nodebb-plugin-session-sharing

Unsafe token validation

Open revilwang opened this issue 5 years ago • 1 comments

According to Validating a JWT,

there is a risk of algorithm substitution attacks, in which an attacker can use an existing digital signature value with a different signature algorithm to make it appear that a signer has signed something that it has not

But no algorithm configuration was found. The jsonwebtoken package has an example that validates against the algorithm.

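// alg mismatch
var fs = require('fs');
var jwt = require('jsonwebtoken');
var cert = fs.readFileSync('public.pem'); // get public key
// Only tokens whose header alg is in the allowlist are accepted
jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {
  // if token alg != RS256,  err == invalid signature
});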

Hope this is supported.

revilwang avatar Oct 08 '19 10:10 revilwang

We use the jsonwebtoken package quite transparently, so yes, this is possible. Just a thought, though... in that if you were to substitute a different signature, wouldn't you still have to know the secret to do so?

Nevertheless, I'll add in the option to specify allowed algorithms in the ACP (defaulting to... either all of them, or HS256)

julianlam avatar Oct 08 '19 15:10 julianlam
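
The allowlist check this issue asks for, as an added example that is not part of the thread, the plugin, or jsonwebtoken: a minimal HMAC-only verifier on Node's built-in `crypto` that refuses any header `alg` outside the caller's list before it verifies anything. The names `verifyJwt`, `sign`, `check` and `SECRET`, and all token contents, are constructed for illustration.

```javascript
// Added example, not jsonwebtoken's code: a minimal HMAC-only JWT verifier.
// verifyJwt, sign, check and SECRET are hypothetical names.
const crypto = require('node:crypto');

const HMAC_ALGS = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };
const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Build a token for the demo (constructed sample data only).
function sign(payload, secret, alg) {
  const head = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const mac = crypto.createHmac(HMAC_ALGS[alg], secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(mac)}`;
}

// Verify a token, accepting only the algorithms the caller explicitly allows.
function verifyJwt(token, secret, allowedAlgs) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8')); }
  catch { throw new Error('malformed header'); }
  // The header is untrusted input: check it against the allowlist
  // before it is allowed to select any verification routine.
  if (!allowedAlgs.includes(header.alg) || !Object.hasOwn(HMAC_ALGS, header.alg)) {
    throw new Error('algorithm not allowed');
  }
  const expected = crypto.createHmac(HMAC_ALGS[header.alg], secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  return JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
}

// Returns the payload on success, or the rejection reason as a string.
function check(token, secret, allowedAlgs) {
  try { return verifyJwt(token, secret, allowedAlgs); } catch (e) { return e.message; }
}

const SECRET = 'constructed-demo-secret'; // constructed value
const good = sign({ id: 42, username: 'alice' }, SECRET, 'HS256');
const otherAlg = sign({ id: 42, username: 'alice' }, SECRET, 'HS512');
// Header claims "none" and carries an empty signature (constructed).
const unsigned = `${b64url(JSON.stringify({ alg: 'none' }))}.${good.split('.')[1]}.`;

for (const t of [good, otherAlg, unsigned]) console.log(check(t, SECRET, ['HS256']));
```

With the allowlist set to `['HS256']`, the HS512 token is refused even though it was signed with the correct secret, which is the behaviour the `algorithms` option in the quoted jsonwebtoken snippet provides.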