Add support for Java Vuln? (CVE-2022-21449) #35

Open
kingthorin opened this issue Apr 20, 2022 · 2 comments
Comments

@kingthorin (Collaborator)

Is your feature request related to a problem? Please describe.
It would be great if the JWT add-on could check for JWT issues related to CVE-2022-21449.

Describe the solution you'd like
Implement a scan rule/check that can detect something similar to:
https://twitter.com/christophetd/status/1516878071785467904

Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449)

Describe alternatives you've considered
N/A

Would you like to help fix this issue?
Not at this time.

Additional context
Nothing further.

@preetkaran20 preetkaran20 added enhancement New feature or request good first issue Good for newcomers analysis P0 labels Apr 21, 2022
@kingthorin kingthorin changed the title Add support for new Java Vuln? Add support for Java Vuln? (CVE-2022-21449) Apr 21, 2022
@preetkaran20 preetkaran20 self-assigned this Jun 20, 2022
@preetkaran20 preetkaran20 removed their assignment Sep 30, 2022
@snowatlas commented Feb 17, 2023

Hi,
I'd like to work on this issue. If I understand correctly, I must verify that the ECDSA signature has r!=0 and s!=0, and if r=s=0 then the signature isn't accepted.

@preetkaran20 (Member)

Hi @snowatlas ,

Great!!! Yes, you are right. We need to inject the payloads where r and s are 0 for ECDSA.

thanks,
Karan
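The range check the two comments above describe, from the verifier's side, as an added example that is not code from the ZAP JWT add-on: an ES256 JWS signature is decoded into its r and s scalars and rejected before any curve arithmetic unless both lie in [1, n-1], which is exactly the step the affected Java versions skipped. The helper names, the classification strings and the sample tokens are constructed for this example.

```python
import base64
import json

# Order n of the NIST P-256 group used by ES256 (FIPS 186-4 / SEC 2 constant).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_es256_signature(sig: bytes):
    """JWS ES256 signatures are raw 32-byte r followed by 32-byte s (RFC 7518, 3.4)."""
    if len(sig) != 64:
        raise ValueError("ES256 signature must be exactly 64 bytes")
    return int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")


def scalars_in_range(r: int, s: int, n: int = P256_ORDER) -> bool:
    """Mandatory ECDSA pre-check: both scalars must be in [1, n-1].
    A verifier that omits it (the CVE-2022-21449 behaviour) accepts r = s = 0
    for any message, because the verification equation collapses to 0 == 0."""
    return 1 <= r < n and 1 <= s < n


def classify_jws(token: str) -> str:
    """Returns a constructed label; only 'needs-curve-verification' tokens should
    ever reach the real ECDSA verify call with the issuer's public key."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "ES256":
        return "not-es256"
    r, s = parse_es256_signature(b64url_decode(sig_b64))
    if not scalars_in_range(r, s):
        return "reject-out-of-range"  # r or s is 0 (or >= n): never a valid signature
    return "needs-curve-verification"


def make_token(header: dict, payload: dict, sig: bytes) -> str:
    """Constructed sample builder; no key is involved, so these are test inputs only."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), b64url_encode(sig)])


HEADER = {"alg": "ES256", "typ": "JWT"}
ZERO_SIG_TOKEN = make_token(HEADER, {"sub": "example"}, b"\x00" * 64)   # r = s = 0
NONZERO_SIG_TOKEN = make_token(HEADER, {"sub": "example"}, b"\x01" * 64)  # in range, unverified
```

A scan rule following the thread's suggestion would send a token like ZERO_SIG_TOKEN and flag the target if the request is accepted; a correct verifier classifies it as out of range before touching the public key.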
