Zion Boggan
repos/JWT Differential Fuzzer/findings/poc/F001-nodejwt-poc.js
/**
 * F001 reproduction: does jsonwebtoken enforce the JWS "crit" header?
 *
 * The script signs an HS256 token whose header lists an extension ("foobar")
 * under "crit", then verifies that token with the same library and key.
 * RFC 7515 §4.1.11 makes a JWS invalid when the recipient does not understand
 * a listed critical extension, so a conforming verifier is expected to throw.
 *
 * Exit status follows proof-of-concept convention rather than test convention:
 *   0 - verify() returned claims (token ACCEPTED, finding reproduced)
 *   1 - verify() threw (token REJECTED)
 *
 * NOTE(review): the REJECTED branch reports any exception from verify(), not
 * only a "crit" rejection; read the printed message before concluding that the
 * installed version enforces critical headers.
 *
 * Defensive takeaway: an application that depends on critical-header semantics
 * should not assume the verifier enforces them. It can verify with
 * `complete: true`, inspect the returned header, and reject any token whose
 * "crit" array names a parameter the application does not implement.
 */
const jwt = require("jsonwebtoken");
const { version: libraryVersion } = require("jsonwebtoken/package.json");

// Throwaway HMAC key used only to self-sign and self-verify the test token.
const hmacKey = "schism-secret";
// Fixed iat and a far-future exp keep expiry checks out of the result.
const payload = { sub: "alice", iat: 1700000000, exp: 9999999999 };

// "crit" names an extension the script itself invents, and the header carries
// that parameter too, so the token is well-formed apart from being
// unprocessable by a recipient that does not know "foobar".
const signOptions = {
  algorithm: "HS256",
  header: { crit: ["foobar"], foobar: true },
};
const signedToken = jwt.sign(payload, hmacKey, signOptions);

// Record the library version so the result can be tied to a specific release.
console.log(`jsonwebtoken version: ${libraryVersion}`);
console.log(`token: ${signedToken}`);

// Show the header exactly as a recipient would decode it.
const [encodedHeader] = signedToken.split(".");
const headerJson = Buffer.from(encodedHeader, "base64url").toString("utf8");
console.log(`token header (decoded): ${headerJson}`);

try {
  // The algorithm allow-list is pinned, so "crit" handling is the only
  // property under test here.
  const verifiedClaims = jwt.verify(signedToken, hmacKey, {
    algorithms: ["HS256"],
  });
  const acceptedReport = [
    `RESULT: ACCEPTED - ${JSON.stringify(verifiedClaims)}`,
    "RFC 7515 §4.1.11 requires this token be REJECTED because the",
    "recipient (jsonwebtoken) does not understand the 'foobar' extension.",
  ];
  for (const line of acceptedReport) {
    console.log(line);
  }
  process.exitCode = 0;
} catch (err) {
  console.log(`RESULT: REJECTED - ${err.message}`);
  process.exitCode = 1;
}