
[Feature Suggestion] Test exposure to CVE-2022-21649

Open · righettod opened this issue 3 years ago · 1 comment

Hi,

After reading this blog post about CVE-2022-21449, I was wondering if it could be interesting to add a test case with a JWT token for which the signature is filled with 0 and the algorithm is ES256, ES256K, ES384 or ES512 (see here)?

Example:

eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJURVNUIn0.MAYCAQACAQA


Sample vulnerable app:

https://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/jwt-null-signature-vulnerable-app

It is just a suggestion so feel free to close this issue if it is not relevant 😃

righettod avatar Apr 20 '22 12:04 righettod
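For readers who want to see what the sample token actually carries, here is an added example (not code from jwt_tool, from the linked PoC app, or from PR #69) that decodes the signature segment and flags an ECDSA signature whose r or s component is zero, which no correct ECDSA verifier may ever accept. It handles both the raw r||s form that RFC 7518 prescribes for JWS and the DER SEQUENCE form used by the token in this issue. Function names, the `CURVE_COORD_BYTES` table and the constructed test inputs are this example's own assumptions; the DER parser only handles short-form lengths, which is enough for the degenerate signatures it is meant to catch.

```python
import base64
import json

# The token quoted in the issue above: header {"alg":"ES256"}, payload {"sub":"TEST"},
# signature segment "MAYCAQACAQA".
SAMPLE_TOKEN = "eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJURVNUIn0.MAYCAQACAQA"

# Coordinate size in bytes for each curve, used to recognise the raw r||s JWS form.
# (Assumed table for this example; sizes follow the curves behind each alg.)
CURVE_COORD_BYTES = {"ES256": 32, "ES256K": 32, "ES384": 48, "ES512": 66}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWS strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def parse_der_ecdsa(sig: bytes):
    """Parse SEQUENCE { INTEGER r, INTEGER s } (short-form lengths only); (r, s) or None."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        return None
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            return None
        length = sig[pos + 1]
        start, end = pos + 2, pos + 2 + length
        if length == 0 or end > len(sig):
            return None
        ints.append(int.from_bytes(sig[start:end], "big"))
        pos = end
    if pos != len(sig):
        return None
    return ints[0], ints[1]


def extract_rs(alg: str, sig: bytes):
    """Return (r, s) from the raw r||s encoding or, failing that, from a DER sequence."""
    n = CURVE_COORD_BYTES.get(alg)
    if n is None:
        raise ValueError(f"not an ECDSA JWS algorithm: {alg}")
    if len(sig) == 2 * n:  # RFC 7518 raw form: fixed-width r followed by s
        return int.from_bytes(sig[:n], "big"), int.from_bytes(sig[n:], "big")
    der = parse_der_ecdsa(sig)  # the issue's token uses this non-standard form
    if der is None:
        raise ValueError("signature is neither raw r||s nor a parsable DER sequence")
    return der


def signature_is_degenerate(alg: str, sig: bytes) -> bool:
    """True if r == 0 or s == 0; ECDSA requires both to lie in [1, n-1]."""
    r, s = extract_rs(alg, sig)
    return r == 0 or s == 0


def has_degenerate_ecdsa_signature(token: str) -> bool:
    """Pre-check a compact JWS: reject ECDSA tokens whose signature components are zero."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg", "")
    if alg not in CURVE_COORD_BYTES:
        return False  # not an ECDSA token; this check does not apply
    return signature_is_degenerate(alg, b64url_decode(parts[2]))


if __name__ == "__main__":
    # The issue's token decodes to DER 30 06 02 01 00 02 01 00, i.e. r = 0 and s = 0.
    print(b64url_decode(SAMPLE_TOKEN.split(".")[2]).hex())
    print(has_degenerate_ecdsa_signature(SAMPLE_TOKEN))
```

A check like this belongs in front of the library verifier rather than instead of it: the fix for the underlying bug is a patched runtime, and the pre-check only catches the all-zero signature class the issue describes, not other verifier defects.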

PR #69 proposed to add this test 😃

righettod avatar May 20 '22 07:05 righettod