How can the protection offered by JWT sometimes be bypassed? A method that even a 10-year-old could use :-)
The GitHub Security Lab team recently decided to audit the Datahub project. Among the numerous findings there is also this one: Missing JWT signature check (CVE-2022-39366) CVSS: 9.9. Those familiar with JWT already know what is going on here. So… in the system mentioned, you could put absolutely anything in the payload of the JWT token, and the signature of such a...
#WBiegu #JsonWebToken #Jwt #Websec
https://sekurak.pl/jak-czasem-mozna-ominac-zabezpieczenie-oferowane-przez-jwt-metoda-ktora-moze-zastosowac-nawet-10-latek/
Ding, dong, the CVE is dead! :partyparrot:
The JWT nodejs "vulnerability" from December, popularised at the start of January, has been recognised as a non-issue 🫥
I'm really glad to see it gone. Hoping we get a rash of news stories to follow up on the torrent 🌊 that followed the Unit 42 blog...
I'm not sure if its removal was down to me raising an issue on the GitHub Advisory Database :omya_github: to ask for it to be removed.
#jwt #cve #errata #cve_2022_23529 #auth0 #unit42 #jsonwebtoken
A pretty good and thorough explanation of why you should use JWT: :scremcat: https://medium.com/swlh/why-do-we-need-the-json-web-token-jwt-in-the-modern-web-8490a7284482
#jwt #bookmark #fueraufmklo #jsonwebtoken
In recent weeks, parts of the developer ecosystem seem to be the #InfoSec weak spot no. 1.
And a lot of the events are "published" behind #noindex flags to SEO-optimize the Public Relations. "We take security seriously... until it's serious". That's bad practice, and it helps no one. Be transparent about the issues.
* #pytorch got backdoored (apparently it was a test / dependency confusion attack)
https://pytorch.org/blog/compromised-nightly-dependency/#how-to-check-if-your-python-environment-is-affected
* #CircleCI - automation holds secrets, compromised via a dev workstation. Customers have to change keys etc.
https://circleci.com/blog/jan-4-2023-incident-report/
* #Slack "breach" - they lost their code. Who knows what hardcoded secrets etc. they lost as well.
https://slack.com/intl/en-au/blog/news/slack-security-update
* #jsonwebtoken - part of many JavaScript based #oauth stacks. An Authentication Bypass here is a total failure.
https://security.snyk.io/package/npm/jsonwebtoken/4.0.0
* #datadog changes the #rpm gpg key due to the CircleCI issue. Which is proactive, and well thought out.
https://docs.datadoghq.com/agent/faq/circleci-incident-impact-on-datadog-agent/
* #x41 audited #git and they found severe vulns. This also affects CI systems, like #Jenkins or #GitHub Actions in some cases (if the Runner uses Git to build things).
https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/
What we learn: holistic #AppSec and Product Security has to look into these "mystical things" like the developer infrastructure, Software Bill Of Materials ( #sbom ), Continuous Integration etc. Things 99% of InfoSec professionals have 0 clue about.
In 2023 you should change that, and focus your training efforts there.
The second 2023 episode of #NINAsec is online!
It covers the impact of #JsonWebToken and its vulnerability, then the #infostealers that are running their malicious campaigns in Italy too ⤵️
https://buttondown.email/ninasec/archive/bugs-in-jsonwebtoken-e-spyware-su-phishing-anche/
https://thehackernews.com/2023/01/critical-security-flaw-found-in.html# #InfoSec : #JWT : Severe #Security Flaw Found in "#jsonwebtoken" Library Used by 22,000+ Projects
I see reports about a #JsonWebToken vulnerability (CVE-2022-23529), claiming that RCE is possible. Maybe I’m the one missing something here, but how could this possibly be exploited? Is that even a valid vulnerability report?
In order to exploit the vulnerability, someone needs to define a malicious toString function on the key object. Well, if they can do that – why do they need the library to call the function, can’t they do it themselves? They need to run JavaScript code on the server in order to create that function, meaning that the prerequisite for RCE is… 🥁 RCE!
There seems to be the assumption here that this key object can somehow be serialized along with the function, and then the library will deserialize it from some manipulated storage. But JSON doesn’t serialize function code, and neither does any other serialization format that JavaScript code might use.
Seriously, how is that going around in the news without anybody asking: is there a single realistic scenario where this CVSS score 7.6 (as assigned by the reporter) vulnerability could be abused?
The so-called "vulnerability" (CVE-2022-23529) in #jsonwebtoken is just a marketing stunt. #jwt https://github.com/github/advisory-database/pull/1595
RT @heisec@twitter.com
Malicious-code vulnerability in JsonWebToken library threatens 22,000 software projects https://www.heise.de/news/Schadcode-Luecke-in-JsonWebToken-Bibliothek-bedroht-22-000-Software-Projekte-7454385.html #Json #JsonWebToken
Popular JWT cloud security library patches “remote” code execution hole - It's remotely triggerable, but attackers would already have pretty deep network access if... https://nakedsecurity.sophos.com/2023/01/10/popular-jwt-cloud-security-library-patches-remote-code-execution-hole/ #cryptography #jsonwebtoken #jwt #rce
Malicious-code vulnerability in JsonWebToken library threatens 22,000 software projects
Because of a security vulnerability in a widely used library, open-source projects from IBM and Microsoft, among others, are vulnerable.
#JsonWebToken #Patch #Security #Sicherheitslücken #SoftwareBiblioheken #SupplyChainAttack #Update
A high-severity security flaw has been disclosed in the #opensource jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution (#RCE) on a target server.
#jsonwebtoken is developed and maintained by #Okta's Auth0.
https://thehackernews.com/2023/01/critical-security-flaw-found-in.html
#opensource #rce #jsonwebtoken #okta #cybersecurity #infosec
Remote code execution bug discovered in the popular #JsonWebToken library
https://securityaffairs.com/140596/hacking/jsonwebtoken-library-rce.html
#securityaffairs #hacking
#jsonwebtoken High Severity Security #Vulnerability Found in "jsonwebtoken" #NPM Library (CVE-2022-23529). Attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted #JWT request. Update jsonwebtoken package to v9.0.0: https://thehackernews.com/2023/01/critical-security-flaw-found-in.html
JSON Web Token (JSON Web Encryption) Authentication with Kirby CMS 3 - In yet another recent project, I’m building a book proposal submission... https://blog.mhgbrown.is/posts/8b72bbdf90640d2cc4c60be189c43e353f766e18 #Dev #Kirby3 #Authentification #JSONWebToken by @mhgbrown@twitter.com