You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Alonso Gonzalez (Jira)" <ji...@apache.org> on 2021/05/16 16:43:00 UTC
[jira] [Updated] (CXF-8435) JsonMapObjectReaderWriter doesn't
escape double quotes
[ https://issues.apache.org/jira/browse/CXF-8435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alonso Gonzalez updated CXF-8435:
---------------------------------
Description:
JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The method "toJsonInternal" appends String values without any modifications/checks.
If the value of a claim contains double quotes, it's possible to manipulate the generated JSON. This is especially problematic if user supplied values are included.
I've added an example program where the expiration of a JWT is set to 5 minutes. The value of the claim "userInput" is set to <<a","exp":9999999999,"b":"x>>.
JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON body: \{"exp":1615227615,"userInput":"a","exp":9999999999,"b":"x"}
If the parsing library (like CXF itself) overwrites duplicate claims, the last occurence of a claim wins. This allows a malicious user to manipulate server generated claims with his own values.
was:
JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The method "toJsonInternal" appends String values without any modifications/checks.
If the value of a claim contains double quotes, it's possible to manipulate the generated JSON. This is especially problematic if user supplied values are included.
I've added an example program where the expiration of a JWT is set to 5 minutes. The value of the claim "userInput" is set to <<a","exp":9999999999,"b":"x>>.
JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON body: \{"exp":1615227615,"additionalClaim":"a","exp":9999999999,"b":"x"}
If the parsing library (like CXF itself) overwrites duplicate claims, the last occurence of a claim wins. This allows a malicious user to manipulate server generated claims with his own values.
> JsonMapObjectReaderWriter doesn't escape double quotes
> ------------------------------------------------------
>
> Key: CXF-8435
> URL: https://issues.apache.org/jira/browse/CXF-8435
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 3.4.1
> Reporter: Alonso Gonzalez
> Priority: Major
> Attachments: TestJson.java
>
>
> JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The method "toJsonInternal" appends String values without any modifications/checks.
>
> If the value of a claim contains double quotes, it's possible to manipulate the generated JSON. This is especially problematic if user supplied values are included.
>
> I've added an example program where the expiration of a JWT is set to 5 minutes. The value of the claim "userInput" is set to <<a","exp":9999999999,"b":"x>>.
> JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON body: \{"exp":1615227615,"userInput":"a","exp":9999999999,"b":"x"}
>
> If the parsing library (like CXF itself) overwrites duplicate claims, the last occurence of a claim wins. This allows a malicious user to manipulate server generated claims with his own values.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)