Proxied invalid JWTs not detected
DolphFlynn opened this issue
JWT detection within the IHttpListener implementation in BurpExtender uses Utils.extractJOSEObjects(), which in turn delegates to Nimbus' JWSObject.parse() method. The latter will only detect valid JWTs. E.g. it will not detect tokens with the none algorithm.
Assuming that Burp is proxying on localhost 8080 then the token within:
curl -k -H "Authorization: Bearer eyJraWQiOiI5MTM2ZGRiMy1jYjBhLTRhMTktYTA3ZS1lYWRmNWE0NGM4YjUiLCJhbGciOiJub25lIn0.eyJuYW1lIjoiVGVzdCIsImlhdCI6MTUxNjIzOTAyMn0." -x http://localhost:8080 https://hackxor.net
will not be detected.
One solution would be to use a regex to detect a JWT. It would be interesting to highlight differently any tokens that this method detects that Nimbus rejects.
Thanks for the issue report.
I think we do need to switch to a different approach for parsing here, as tokens that don't match the spec should still be editable to allow testing of broken JWT implementations. This will be the cause of #13 too, as the token is being invalidated (as far as Nimbus is concerned) when we change the alg to none.
We can probably use these criteria to match token headers and payloads and select them for editing:
- Matches a regex for unpadded URL-safe base64
- Base64 decodes to a valid UTF-8 string
- UTF-8 string successfully parses as a JSON object
That should be enough to match tokens that are correctly formed, but otherwise invalid.
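The three criteria above, applied to the alg "none" token from the issue report, as an added example (not the extension's own code): a regex picks out dotted runs of unpadded base64url, then each of the first two segments must decode to UTF-8 and parse as a JSON object. The sample request text and the Cookie value are constructed for the example.

```python
import base64
import json
import re

# Candidate JWT: two unpadded base64url segments plus an optional third.
# The signature segment may be empty, as it is for alg "none".
JWT_CANDIDATE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Constructed request: the Bearer token is the one quoted in the issue,
# the Cookie value is a dotted non-JWT string that must not be selected.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: hackxor.net\r\n"
    "Authorization: Bearer eyJraWQiOiI5MTM2ZGRiMy1jYjBhLTRhMTktYTA3ZS1lYWRm"
    "NWE0NGM4YjUiLCJhbGciOiJub25lIn0.eyJuYW1lIjoiVGVzdCIsImlhdCI6MTUxNjIzOTAyMn0.\r\n"
    "Cookie: session=abc.def.ghi\r\n\r\n"
)


def decode_json_segment(segment):
    """Apply the criteria to one segment: base64url-decodes (padding is
    restored first), is valid UTF-8, parses as a JSON object.
    Returns the object, or None if any step fails."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def find_jwts(text):
    """Return (token, header, payload) for every regex candidate whose header
    and payload both satisfy the criteria. Signature validity is deliberately
    not checked, so alg "none" and otherwise broken tokens are still selected."""
    found = []
    for match in JWT_CANDIDATE.finditer(text):
        token = match.group(0)
        header_seg, payload_seg = token.split(".")[:2]
        header = decode_json_segment(header_seg)
        payload = decode_json_segment(payload_seg)
        if header is not None and payload is not None:
            found.append((token, header, payload))
    return found


if __name__ == "__main__":
    for token, header, payload in find_jwts(SAMPLE_REQUEST):
        print(header, payload)
```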