kjur/jsrsasign

JWS and JWT signature validation with \

OrKiTheGitter opened this issue · 3 comments

Hello,

jsrsasign supports JWS (JSON Web Signatures) and JWT (JSON Web Token) validation. However, a JWS or JWT signature or header with non-Base64URL encoding \ may be valid.

For example, even if a string of non-Base64URL encoding characters such as \ is inserted into a valid JWS or JWT signature, payload or header, it will still be a valid JWS or JWT.

When jsrsasign's JWS or JWT validation is used in OpenID Connect or OAuth2, this vulnerability will affect authentication or authorization.

PoC sent privately

kjur commented

Thank you for your report. I'll check it.

Thanks, can be closed :)

kjur commented

Hi all, @OrKiTheGitter and I have confirmed and agreed that this is not a vulnerability.