For Educational Purposes Only! Intended for
Co-authored with MariA Karpliuk !
Issue
The algorithm HS256 uses the secret key to sign and verify each message. The algorithm RS256 uses the private key to sign the message and uses the public key for authentication.
If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature. Asymmetric Cipher Algorithm => Symmetric Cipher Algorithm.
Because the public key can sometimes be obtained by the attacker, the attacker can modify the algorithm in the header to HS256 and then use the RSA public key to sign the data.
The backend code uses the RSA public key + HS256 algorithm for signature verification.
Example
Vulnerability appear when client side validation looks like this:
const decoded = jwt.verify(
token,
publickRSAKey,
{ algorithms: ['HS256' , 'RS256'] } //accepted both algorithms
)
Lets assume we have initial token like presented below and " => " will explain modification that attacker can make:
//header
{
alg: 'RS256' => 'HS256'
}
//payload
{
sub: '123',
name: 'Ivan Prychantovskyi',
admin: 'false' => 'true'
}
The backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.