Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
&color=brightgreen)
In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).
No PoCs from references.
- https://github.com/0x0806/JWT-Security-Assessment
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Claret-cyber/Container-Security-Report
- https://github.com/FloRRenn/java-web-project
- https://github.com/HiitCat/JWT-SecLabs
- https://github.com/MR-SS/challenge
- https://github.com/NguyenLy203/Java_project
- https://github.com/NicolasYPS/Agente_IA_Detector_Vuln_Arq
- https://github.com/Nucleware/powershell-jwt
- https://github.com/WinDyAlphA/CVE-2015-9235_JWT_key_confusion
- https://github.com/aalex954/jwt-key-confusion-poc
- https://github.com/achmadismail173/jwt_exploit
- https://github.com/armor-code/acsdk
- https://github.com/capstone-cy-team-1/vuln-web-app
- https://github.com/ere6u5/-containerization-security-assessment-
- https://github.com/google/pseudo-identity-provider
- https://github.com/guchangan1/All-Defense-Tool
- https://github.com/manojsgithub/-armor-code-acsdk-
- https://github.com/mxcezl/JWT-SecLabs
- https://github.com/phramz/tc2022-jwt101
- https://github.com/suddenabnormalsecrets/pseudo-identity-provider
- https://github.com/vivekghinaiya/JWT_hacking
- https://github.com/whoami13apt/tool-
- https://github.com/z-bool/Venom-JWT