FixVibe
Covered by FixVibe (severity: high)

JWT Security: The Risks of Unsecured Tokens and Missing Claim Validation

JSON Web Tokens (JWTs) provide a standard way to transmit claims, but their security depends on strict validation. Failing to verify signatures, expiration times, or intended audiences allows attackers to bypass authentication or replay tokens.

CWE-347, CWE-287, CWE-613

Attacker Impact

Improper JWT validation allows attackers to bypass authentication mechanisms by forging claims or reusing expired tokens [S1]. If the server accepts tokens without a valid signature, an attacker can modify the payload to escalate privileges or impersonate any user [S1]. Furthermore, failing to enforce the expiration (exp) claim allows an attacker to use a compromised token indefinitely [S1].

Root Cause

A JSON Web Token (JWT) is a JSON-based format used to represent claims that are digitally signed or integrity protected [S1]. Security failures typically arise from two main implementation gaps:

  • Acceptance of Unsecured JWTs: If a service does not strictly enforce signature verification, it may process "Unsecured JWTs", in which the signature is absent and the algorithm is set to "none" [S1]. In this case the server trusts the claims in the payload without verifying their integrity [S1].
  • Missing Claim Validation: The exp (expiration time) claim identifies the time on or after which the JWT must not be accepted for processing [S1]. The aud (audience) claim identifies the intended recipients of the token [S1]. If these are not checked, the server may accept tokens that have expired or that were intended for a different application [S1].

Concrete Fix

  • Use Cryptographic Signatures: Configure the application to reject any JWT that does not use a pre-approved, strong signing algorithm (such as RS256).
  • Validate Expiration: Implement a mandatory check that the current date and time is before the time given in exp [S1].
  • Validate Audience: Ensure the aud claim contains a value identifying the local service; if the service is not named in the aud claim, the token must be rejected [S1].
  • Prevent Replay: Use the jti (JWT ID) claim to give each token a unique identifier, allowing the server to track and reject reused tokens [S1].
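The four remediation steps above combined into one verifier, as an added example that is not FixVibe's own code. To keep it runnable offline with only the standard library, HS256 (HMAC-SHA256) stands in for the RS256 the text recommends; the allowlist logic is identical. The key, audience name, fixed clock and token contents are all constructed for the demonstration.

```python
"""Hardened JWT verification: algorithm allowlist, signature, exp, aud, jti.

Added example (not FixVibe's code). HS256 via hmac stands in for RS256 so the
block runs with the standard library alone; the key, audience and clock below
are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}                   # pre-approved algorithms; "none" is never on the list
EXPECTED_AUDIENCE = "api.example.internal"  # constructed identifier for the local service


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Mint a token; used here only to construct sample inputs."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class JwtError(Exception):
    pass


class Verifier:
    def __init__(self, key: bytes, audience: str, now=time.time):
        self.key = key
        self.audience = audience
        self.now = now
        self.seen_jti = set()  # replay cache; in production a shared store with TTL = exp

    def verify(self, token: str) -> dict:
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header = json.loads(b64url_decode(h_b64))
            payload = json.loads(b64url_decode(p_b64))
        except (ValueError, UnicodeDecodeError) as e:
            raise JwtError("malformed token") from e

        # 1. Algorithm allowlist: the token's own alg header never selects the algorithm.
        if header.get("alg") not in ALLOWED_ALGS:
            raise JwtError(f"algorithm {header.get('alg')!r} not allowed")

        # 2. Signature over header.payload, compared in constant time.
        expected = hmac.new(self.key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            raise JwtError("bad signature")

        # 3. exp is mandatory and must lie in the future.
        exp = payload.get("exp")
        if not isinstance(exp, (int, float)) or self.now() >= exp:
            raise JwtError("token expired or exp missing")

        # 4. aud must name this service (string or list form).
        aud = payload.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if self.audience not in auds:
            raise JwtError("audience mismatch")

        # 5. jti must be present and not seen before.
        jti = payload.get("jti")
        if not isinstance(jti, str) or jti in self.seen_jti:
            raise JwtError("missing or replayed jti")
        self.seen_jti.add(jti)
        return payload


def run_demo() -> dict:
    """Exercise the verifier against constructed good and bad tokens."""
    key = b"constructed-demo-key-not-for-production"
    fixed_now = 1_700_000_000
    v = Verifier(key, EXPECTED_AUDIENCE, now=lambda: fixed_now)
    hdr = {"alg": "HS256", "typ": "JWT"}
    base = {"sub": "alice", "aud": EXPECTED_AUDIENCE, "exp": fixed_now + 300, "jti": "t-1"}

    def outcome(tok: str) -> str:
        try:
            v.verify(tok)
            return "accepted"
        except JwtError as e:
            return str(e)

    results = {}
    good = sign_hs256(hdr, base, key)
    results["valid"] = v.verify(good)["sub"]
    results["replay"] = outcome(good)                       # same jti presented twice
    none_tok = (b64url_encode(json.dumps({"alg": "none"}).encode()) + "."
                + b64url_encode(json.dumps({**base, "sub": "admin", "jti": "t-2"}).encode()) + ".")
    results["alg_none"] = outcome(none_tok)                 # unsecured JWT, empty signature
    results["expired"] = outcome(sign_hs256(hdr, {**base, "exp": fixed_now - 1, "jti": "t-3"}, key))
    results["wrong_aud"] = outcome(sign_hs256(hdr, {**base, "aud": "other-service", "jti": "t-4"}, key))
    parts = good.split(".")
    parts[1] = b64url_encode(json.dumps({**base, "sub": "admin"}).encode())
    results["tampered"] = outcome(".".join(parts))          # payload edited, old signature kept
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} -> {result}")
```

The order of the checks matters: the algorithm allowlist runs before anything else so that a token carrying alg "none" is rejected before its (absent) signature is ever compared, and the signature is checked before any claim is read so that exp, aud and jti are only trusted once integrity has been established.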

Detection Strategy

Weaknesses in JWT handling can be detected by analyzing token structure and server behavior:

  • Header Inspection: Check the alg (algorithm) header to confirm it is not set to "none" and that it uses the expected cryptographic standards [S1].
  • Claim Validation: Verify the presence and validity of the exp (expiration) and aud (audience) claims within the JSON payload [S1].
  • Validation Testing: Test whether the server correctly rejects tokens that have expired according to the exp claim or that are intended for a different audience as defined by the aud claim [S1].
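The first two detection steps (header inspection and claim validation) applied to tokens observed in request logs, as an added example that is not FixVibe's own code. It decodes the header and payload without verifying the signature, which is fine for triage but never for an authorization decision. The log format, the expected algorithm set, the audience name, the fixed clock and the tokens themselves are constructed for the demonstration.

```python
"""Static inspection of JWTs found in request logs (detection, not enforcement).

Added example (not FixVibe's code). Tokens are decoded WITHOUT signature
verification because the goal is to flag weak tokens for review; the log
lines, expected algorithms and audience below are constructed.
"""
import base64
import json
import re

EXPECTED_ALGS = {"RS256"}                  # constructed: the algorithm this service's issuer uses
LOCAL_AUDIENCE = "api.example.internal"    # constructed identifier for the local service
JWT_RE = re.compile(r"Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_json(obj) -> str:
    """Encode a dict as a base64url JWT segment (used to build the constructed samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_token(token: str, now: int) -> list:
    """Return findings for one token. Ordered: header, signature segment, exp, aud, jti."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return ["malformed: header or payload is not base64url JSON"]

    findings = []
    alg = header.get("alg")
    if alg is None:
        findings.append("header: alg missing")
    elif str(alg).lower() == "none":            # catch "None"/"NONE" variants too
        findings.append("header: alg is none (unsecured JWT)")
    elif alg not in EXPECTED_ALGS:
        findings.append(f"header: unexpected alg {alg!r}")
    if parts[2] == "":
        findings.append("signature segment is empty")

    if "exp" not in payload:
        findings.append("payload: exp missing")
    elif not isinstance(payload["exp"], (int, float)):
        findings.append("payload: exp is not numeric")
    elif payload["exp"] <= now:
        findings.append("payload: token expired")

    if "aud" not in payload:
        findings.append("payload: aud missing")
    else:
        auds = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
        if LOCAL_AUDIENCE not in auds:
            findings.append("payload: aud does not name this service")

    if "jti" not in payload:
        findings.append("payload: jti missing (replay cannot be detected)")
    return findings


def scan_log(lines, now: int) -> dict:
    """Map each request id (first field of the constructed log format) to its findings."""
    report = {}
    for line in lines:
        m = JWT_RE.search(line)
        if not m:
            continue
        report[line.split()[0]] = inspect_token(m.group(1), now)
    return report


NOW = 1_700_000_000  # fixed clock for the constructed samples

# Constructed log lines; "c2ln" is a placeholder signature segment, never verified here.
SAMPLE_LOG = [
    "req-1 GET /api/orders Authorization: Bearer "
    + b64url_json({"alg": "RS256", "typ": "JWT"}) + "."
    + b64url_json({"sub": "alice", "aud": LOCAL_AUDIENCE, "exp": NOW + 600, "jti": "a1"}) + ".c2ln",
    "req-2 GET /api/admin Authorization: Bearer "
    + b64url_json({"alg": "none"}) + "."
    + b64url_json({"sub": "admin", "aud": LOCAL_AUDIENCE, "exp": NOW + 600}) + ".",
    "req-3 GET /api/orders Authorization: Bearer "
    + b64url_json({"alg": "RS256"}) + "."
    + b64url_json({"sub": "bob", "aud": "billing-service", "exp": NOW - 60, "jti": "b2"}) + ".c2ln",
    "req-4 GET /health",
]

if __name__ == "__main__":
    for req_id, findings in scan_log(SAMPLE_LOG, NOW).items():
        print(req_id, findings or ["ok"])
```

Run against real logs, a non-empty finding list for a request that the server nevertheless answered with 200 is the signal the third detection step looks for: it shows the server accepted a token it should have rejected.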