Null ECDSA Signatures - Proof of concept for bypassing JWT signature checks using CVE-2022-21449

This page summarizes the projects mentioned and recommended in the original post on /r/netsec

Our great sponsors
  • WorkOS - The modern identity platform for B2B SaaS
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • SaaSHub - Software Alternatives and Reviews
  • security-labs-pocs

    Proof of concept code for Datadog Security Labs referenced exploits.

  • jjwt

    Java JWT: JSON Web Token for Java and Android

    Note that this PoC uses DER signature which is accepted by the jjwt library as fallback (see https://github.com/jwtk/jjwt/blob/master/impl/src/main/java/io/jsonwebtoken/impl/crypto/EllipticCurveSignatureValidator.java ), but that is not a standard. Standard is JOSE format.

  • WorkOS

    The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts