jjwt vs security-labs-pocs
| | jjwt | security-labs-pocs |
|---|---|---|
| Mentions | 4 | 9 |
| Stars | 9,847 | 412 |
| Growth | 1.4% | 0.2% |
| Activity | 8.3 | 5.0 |
| Last commit | about 21 hours ago | 7 months ago |
| Language | Java | C |
| License | Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
jjwt
- Java JWT: JSON Web Token for Java and Android

A simple-to-use Java 8 JWT library. Verify, Sign, Encode, Decode all day.
How does this compare to JJWT?

Null ECDSA Signatures - Proof of concept for bypassing JWT signature checks using CVE-2022-21449
Note that this PoC uses a DER signature, which is accepted by the jjwt library as a fallback (see https://github.com/jwtk/jjwt/blob/master/impl/src/main/java/io/jsonwebtoken/impl/crypto/EllipticCurveSignatureValidator.java), but that is not the standard. The standard is the JOSE format.

JWT authentication in Spring Security and Angular
There are many open-source JWT implementations available for all languages. In this blog post, we use the Java jjwt library.
security-labs-pocs

Python install for non-IT staff
Also, to your point, interpreted languages are not as reliably detected by AV/NGAV/EDR/etc. in my experience. You could inquire with your EDR's technical reps or try downloading/running some existing malware written in Python in a disposable VM with your EDR installed and see if it gets picked up. Here are some real-world examples you could use, too: https://github.com/DataDog/security-labs-pocs/tree/main/malware-samples/pypi

- DataDog/security-labs-pocs: Proof of concept code for Datadog Security Labs referenced exploits. Now updated with a vulnerable environment to test out the new Confluence #CVE202226134 vulnerability. Handy.
- GitHub - DataDog/security-labs-pocs: Proof of concept code for Datadog Security Labs referenced exploits.
- Null ECDSA Signatures - Proof of concept for bypassing JWT signature checks using CVE-2022-21449
- Exploitation and Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449)

CVE-2022-21449
Arch as well, but the point about responsible disclosure is for the majority of users to have the patch before the vulnerability and PoC are published. And I'd bet most Java web things are running on one of the unpatched builds (like Ubuntu with its 10-year LTS).

- Exploitation and Sample Vulnerable Application of the JWT Null Signature Vulnerability (CVE-2022-21449) - not a real app, but the fundamental technique means it is only a matter of time

CVE-2022-21449: Psychic Signatures in Java
For anyone looking to reproduce the vulnerability with a sample vulnerable application, my team just released this to showcase it applied to bypass a JWT verification process: https://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/jwt-null-signature-vulnerable-app
What are some alternatives?
- jwt-java - JSON Web Token implementation for Java according to RFC 7519. Easily create, parse and validate JSON Web Tokens using a fluent API.
- corretto-17 - Amazon Corretto 17 is a no-cost, multi-platform, production-ready distribution of OpenJDK 17
- Nimbus JOSE+JWT - JSON Web Token (JWT) implementation for Java with support for signatures (JWS), encryption (JWE) and web keys (JWK).
- adoptium
- Spring Security - Spring Security
- Bouncy Castle - Bouncy Castle Java Distribution (Mirror)
- Keycloak - Open Source Identity and Access Management For Modern Applications and Services
- java-jwt-benchmark - Project for benchmarking popular Json Web Token (JWT) frameworks for Java using JMH.
- owasp-zap-jwt-addon - OWASP ZAP addon for finding vulnerabilities in JWT Implementations
- java-jwt - Java implementation of JSON Web Token (JWT)
- Apache Shiro - Apache Shiro
- jose-jwt - Ultimate Javascript Object Signing and Encryption (JOSE), JSON Web Token (JWT) and Json Web Keys (JWK) Implementation for .NET and .NET Core