mirror of
https://github.com/0xMarcio/cve.git
synced 2025-11-28 18:48:49 +00:00
1.2 KiB
1.2 KiB
CVE-2015-9235
&color=brighgreen)
Description
In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).
POC
Reference
No PoCs from references.
Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/MR-SS/challenge
- https://github.com/Nucleware/powershell-jwt
- https://github.com/WinDyAlphA/CVE-2015-9235_JWT_key_confusion
- https://github.com/aalex954/jwt-key-confusion-poc
- https://github.com/armor-code/acsdk
- https://github.com/capstone-cy-team-1/vuln-web-app
- https://github.com/mxcezl/JWT-SecLabs
- https://github.com/phramz/tc2022-jwt101
- https://github.com/vivekghinaiya/JWT_hacking