CVSSv3: 7.5

CVE-2022-21449

Published: 19/04/2022 Updated: 27/04/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 452
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

It was discovered that OpenJDK incorrectly handled converting certain object arguments into their textual representations. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-21434)

Vulnerability Trend

Vulnerable Products

oracle graalvm 21.3.1

oracle graalvm 22.0.0.2

oracle jdk 18

oracle jdk 17.0.2

debian debian linux 10.0

debian debian linux 11.0

netapp oncommand workflow automation -

netapp oncommand insight -

netapp cloud insights -

netapp e-series santricity storage manager -

netapp e-series santricity web services -

netapp solidfire & hci management node -

netapp santricity unified manager -

netapp hci compute node -

netapp 7-mode transition tool -

netapp active iq unified manager -

netapp solidfire, enterprise sds & hci storage node -

netapp e-series santricity os controller 11.0

azul zulu 15.38

azul zulu 17.32

azul zulu 18.28

Vendor Advisories

Synopsis Important: java-17-openjdk security update. Type/Severity: Security Advisory, Important. Topic: An update for java-17-openjdk is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this upd ...
Synopsis Low: Release of OpenShift Serverless Version 1.22.0. Type/Severity: Security Advisory, Low. Topic: OpenShift Serverless version 1.22.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) ...
Synopsis Important: OpenJDK 17.0.3 security update for Portable Linux Builds. Type/Severity: Security Advisory, Important. Topic: The Red Hat build of OpenJDK 17 (java-17-openjdk) is now available for portable Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS ...
Synopsis Important: java-17-openjdk security and bug fix update. Type/Severity: Security Advisory, Important. Topic: An update for java-17-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has ra ...
Synopsis Important: OpenJDK 17.0.3 security update for Windows Builds. Type/Severity: Security Advisory, Important. Topic: The Red Hat build of OpenJDK 17 (java-17-openjdk) is now available for Windows. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, w ...
Several security issues were fixed in OpenJDK ...
Several security issues were fixed in OpenJDK 8 ...
Several security issues were fixed in OpenJDK ...
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in information disclosure, incorrect validation of ECDSA signatures or denial of service. For the stable distribution (bullseye), these problems have been fixed in version 17.0.3+7-1~deb11u1. We recommend that you upgrade your openjdk-17 packages. For the det ...
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in information disclosure or denial of service. For the oldstable distribution (buster), this problem has been fixed in version 11.0.15+10-1~deb10u1. For the stable distribution (bullseye), this problem has been fixed in version 11.0.15+10-1~deb11u1. We recom ...
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network ...
The ECDSA signature verification in Java 15 onward accepted completely blank signatures as valid for an arbitrary message and public key ...

Github Repositories

Java implementation of JSON Web Token (JWT)

Note: As part of our ongoing commitment to best security practices, we have rotated the signing keys used to sign previous releases of this SDK. As a result, new patch builds have been released using the new signing key. Please upgrade at your earliest convenience. While this change won't affect most developers, if you have implemented a dependency signature validation step

This repository contains information, labs, and proof of concept

Proof-of-Concept labs. This repository contains information, labs, and proofs of concept for known vulnerabilities. Sample Vulnerable Application of the JWT Null Signature: a sample web application vulnerable to CVE-2022-21449. Sample Vulnerable Memcached flask application: a sample web application vulnerable to Memcached injections.

Demos the Psychic Signatures vulnerability (CVE-2022-21449)

CVE-2022-21449: Psychic Signatures in Java

yara-rules CVE CVE-2022-21449

Test tool to demonstrate the vulnerability of CVE-2022-21449

SignChecker Test tool to demonstrate the vulnerability of CVE-2022-21449

CVE-2022-21449 Vulnerability tester

CVE-2022-21449 Vulnerability tester. Introduction: There is a new CVE-2022-21449 that has a bug in ECDSA signature verification. It is one of the algorithms used with JWT, for example. Citing the blog post: If you have deployed Java 15, Java 16, Java 17, or Java 18 in production then you should stop what you are doing and immediately update to install the fixes in the April

CVE-2022-21449 Overview: This tool performs a quick scan of compiled code archives (jar, war etc.) in order to check for vulnerability to CVE-2022-21449 by looking for the string indicating the use of the ECDSA algorithm. The tool uses Python3 with no additional prerequisites. Usage: python cve_2022_21449.py root-folder [-quiet] [-exclude folder1 folder2 ]

JWT-ATTACK: JWT attacks. Sources and credits: PortSwigger, Bug Bounty Bootcamp by Vickie Li, PentesterLab. Notes on header style: header 1 ⇒ header 2 → header 3. What is JSON Web Tokens (JWT)? JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically cont

Books Applied Cryptography (Bruce Schneier) Introduction to Modern Cryptography: Principles and Protocols (Jonathan Katz & Yehuda Lindell) Real-World Cryptography (David Wong) The Joy of Cryptography (Mike Rosulek) Courses Cryptography I | Stanford Online Cryptography II | Stanford Online Crypto Attacks and Vulnerabilities AES Cache-timing attacks on AES - Daniel J

CVE-2022-21449 Proof of Concept demonstrating its usage with a client running on a vulnerable Java version and a malicious TLS server

CVE-2022-21449-TLS-PoC: CVE-2022-21449 (also dubbed Psychic Signatures in the vulnerability writeup by Neil Madden) Proof of Concept demonstrating its usage with a vulnerable client and a malicious TLS server. The malicious server presents a valid (as of 2022-04-20) cert chain for www.google.com which has an ECDSA pub key (secp256r1). However, the crypto/ecdsa package has been m

Documentation - Getting Started - API Reference. Documentation: Examples - code samples for common java-jwt scenarios. Docs site - explore our docs site and learn more about Auth0. Getting Started. Requirements: This library is supported for Java LTS versions 8, 11, and 17. For issues on non-LTS versions above 8, consideration will be given on a case-

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

java-webauthn-server: Server-side Web Authentication library for Java. Provides implementations of the Relying Party operations required for a server to support Web Authentication, including passkey authentication. Warning: Psychic signatures in Java. In April 2022, CVE-2022-21449 was disclosed in Oracle's OpenJDK (and other JVMs derived from it) which can im

Demo program to showcase CVE-2022-21449. Please run with JDK 17.0.0. Oh yeah, here is a screenshot

Learn250: Join me on my journey of learning for 250 days! It'll be indeed a fun challenge and we'll learn various things together. Not only that, it will help me keep myself organized, motivated and focused ;) Day / Topic: 1 HTTP Request Smuggling on business.apple.com and Others - Writeup; 2 A strategy to land your first pentest job - Blog; Android Pentesting Se

java-webauthn-server: Server-side Web Authentication library for Java. Provides implementations of the Relying Party operations required for a server to support Web Authentication. This includes registering authenticators and authenticating registered authenticators. Warning: Psychic signatures in Java. In April 2022, CVE-2022-21449 was disclosed in Oracle's

repo showcasing generating "psychic signatures for java" implemented in a nodejs environment

CVE-2022-21449: repo showcasing generation of a base64 signature for applications that are vulnerable to "psychic signatures in java", implemented in a nodejs environment. Before running make sure to install the modified fork of elliptic from github.com/davwwwx/elliptic: $ npm install. Generate the signature: $ node index

A Burp Suite extension for creating and editing JSON Web Tokens. This tool supports signing and verification of JWS, encryption and decryption of JWE and automation of several well-known attacks against applications that consume JWT.

JWT Editor: JWT Editor is a Burp Suite extension which aims to be a Swiss Army Knife for manipulating JSON Web Tokens (JWTs) within Burp Suite. It provides detection of JWTs within both HTTP and WebSocket messages and allows for their editing, signing, verifying, encryption and decryption. Additionally it facilitates several well-known attacks against JWT implementations. Overvi

JWT-attacker Burp Extension

JWT-attacker - Burp Extension. Description: JWT Attacker is a Burp Suite extension for automated testing of JSON Web Token (JWT) implementations of web applications. Checks: signature presence; invalid signatures; signatures with empty passwords; usage of algorithm none variations; invalid ECDSA parameters (CVE-2022-21449); JWT JWK injection. Features: Select base request and autodete

Java-JWT Securely Encrypts JSON Data for Secure Transmission and Network Security

Custom Java-based (JWT) JSON Web Token security verification - Chinese documentation. Documentation: JWT (JSON Web Token) is an open standard based on JSON for securely transmitting information between web applications. It contains three parts: header, payload and signature, and uses digital signature or message authentication code to verify the integrity and authenticity of the inf

Zeek script to detect exploitation attempts of CVE-2022-21449 targeting TLS clients

CVE-2022-21449: Zeek script to detect exploitation attempts of CVE-2022-21449 targeting TLS clients. Only works for TLS 1.2 and below. Install: zkg install github.com/thack1/CVE-2022-21449. Run against supplied pcap file: $ zeek -Cr pcaps/CVE-2022-21449.pcap CVE-2022-21449. Example Notices: #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path

CVE 2022 21449 python implementation. This project allows you to: plot an elliptic curve with the desired parameters, over a finite field or not; generate a key pair from a given elliptic curve; encrypt / decrypt a message with ECIES; sign / verify it using ECDSA; simulate an exploitation of CVE 2

JWT-scanner Burp Extension

JWT-scanner - Burp Extension. Description: JWT Scanner is a Burp Suite extension for automated testing of JSON Web Token (JWT) implementations of web applications. Checks: signature presence; invalid signatures; signatures with empty passwords; usage of algorithm none variations; invalid ECDSA parameters (CVE-2022-21449); JWT JWK injection. Features: Select base request and autodetec

Recent Articles

Oracle already wins 'crypto bug of the year' with Java digital signature bypass
The Register • Liam Proven in Prague • 01 Jan 1970

Whole new meaning for zero consequences

Java versions 15 to 18 contain a flaw in their ECDSA signature validation that makes it trivial for miscreants to digitally sign files and other data as if they were legit organizations. Cyber-criminals could therefore pass off cryptographically signed malicious downloads and bogus information as if they were real, and affected Java applications and services won't know the difference. The scope of the damage that could be done is wide: encrypted communications, authentication tokens, code updates, a...