[
https://issues.apache.org/jira/browse/CXF-8435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alonso Gonzalez updated CXF-8435:
---------------------------------
Description:
JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The
method "toJsonInternal" appends String values without any modifications/checks.
If the value of a claim contains double quotes, it's possible to manipulate the
generated JSON. This is especially problematic if user supplied values are
included.
I've added an example program where the expiration of a JWT is set to 5
minutes. The value of the claim "userInput" is set to
<<a","exp":9999999999,"b":"x>>.
JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON
body: {"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}
If the parsing library (like CXF itself) overwrites duplicate claims, the last
occurrence of a claim wins. This allows a malicious user to manipulate server
generated claims with his own values.
was:
JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The
method "toJsonInternal" appends String values without any modifications/checks.
If the value of a claim contains double quotes, it's possible to manipulate the
generated JSON. This is especially problematic if user supplied values are
included.
I've added an example program where the expiration of a JWT is set to 5
minutes. The value of the claim "userInput" is set to
<<a","exp":9999999999,"b":"x>>.
JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON
body: {"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}
If the parsing library (like CXF itself) overwrites duplicate claims, the last
occurrence of a claim wins.
> JsonMapObjectReaderWriter doesn't escape double quotes
> ------------------------------------------------------
>
> Key: CXF-8435
> URL: https://issues.apache.org/jira/browse/CXF-8435
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 3.4.1
> Reporter: Alonso Gonzalez
> Priority: Major
> Attachments: TestJson.java
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
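The following is an added illustration of the serialisation flaw the report describes and of the two defences that close it; it is not CXF code and does not use JsonMapObjectReaderWriter. It assumes a flat claim map with a server-set "exp" and an attacker-controlled "userInput" claim (the claim name used in the report), and it models the reported "append string values verbatim" behaviour in `naive_to_json`. The hardened `safe_to_json` applies standard JSON string escaping, and `find_duplicate_keys` is a consumer-side check that flags a payload whose object repeats a key, which is the symptom a last-wins parser would otherwise silently accept.

```python
import json
from typing import Any, Dict, List

# Constructed input modelled on the report: a server-chosen expiry plus a
# claim whose value comes from the user and contains double quotes.
SERVER_EXP = 1615227615
USER_INPUT = 'a","exp":9999999999,"b":"x'
CLAIMS: Dict[str, Any] = {"exp": SERVER_EXP, "userInput": USER_INPUT}


def naive_to_json(claims: Dict[str, Any]) -> str:
    """Models the reported behaviour: string values are concatenated
    unchanged, so a quote inside a value terminates the JSON string early."""
    parts = []
    for key, value in claims.items():
        if isinstance(value, str):
            parts.append(f'"{key}":"{value}"')
        else:
            parts.append(f'"{key}":{value}')
    return "{" + ",".join(parts) + "}"


# Two-character escapes required by RFC 8259 for JSON strings.
_ESCAPES = {'"': '\\"', "\\": "\\\\", "\n": "\\n", "\r": "\\r",
            "\t": "\\t", "\b": "\\b", "\f": "\\f"}


def escape_json_string(s: str) -> str:
    """Escape quote, backslash and every control character (U+0000..U+001F)."""
    out = []
    for ch in s:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append(f"\\u{ord(ch):04x}")
        else:
            out.append(ch)
    return "".join(out)


def safe_to_json(claims: Dict[str, Any]) -> str:
    """Same layout as naive_to_json, but keys and string values are escaped,
    so user input can never close the string or introduce new members."""
    parts = []
    for key, value in claims.items():
        k = escape_json_string(key)
        if isinstance(value, str):
            parts.append(f'"{k}":"{escape_json_string(value)}"')
        else:
            parts.append(f'"{k}":{value}')
    return "{" + ",".join(parts) + "}"


def parse_last_wins(json_text: str) -> Dict[str, Any]:
    """json.loads keeps the last value of a repeated key, the last-wins
    behaviour the report attributes to CXF's own parser."""
    return json.loads(json_text)


def find_duplicate_keys(json_text: str) -> List[str]:
    """Defensive check for a JWT consumer: list keys repeated within any
    object of the payload, so such tokens can be rejected instead of parsed."""
    dupes: List[str] = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(json_text, object_pairs_hook=hook)
    return dupes


if __name__ == "__main__":
    naive = naive_to_json(CLAIMS)
    print("naive   :", naive)
    print("  parsed exp =", parse_last_wins(naive)["exp"],
          "duplicates =", find_duplicate_keys(naive))
    safe = safe_to_json(CLAIMS)
    print("escaped :", safe)
    print("  parsed exp =", parse_last_wins(safe)["exp"],
          "duplicates =", find_duplicate_keys(safe))
```

Run stand-alone, the naive serialiser yields the exact body quoted in the report (with "userInput" in place of "additionalClaim"), and a last-wins parser reads the attacker's `exp` of 9999999999 and a new `b` claim. The escaped form parses back to the original two claims with `exp` untouched, and `find_duplicate_keys` returns an empty list for it while returning `["exp"]` for the naive output, so a consumer that rejects any payload with duplicates is protected even against producers that still do not escape.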