
Security: TokenProvider vulnerable to timing attacks #2095

Closed
ghost opened this issue Oct 6, 2015 · 6 comments · Fixed by #2096
ghost commented Oct 6, 2015

The TokenProvider uses String.equals(str) to compare the given token-signature with a calculated one. This method uses a break-on-inequality algorithm. This makes the TokenProvider vulnerable to timing attacks, where an attacker can forge a token with any username more easily than using brute force.

Coda Hale did a nice blog post on this topic
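An added example, not the JHipster TokenProvider's own code: the break-on-inequality `String.equals` check beside a constant-time comparison using `MessageDigest.isEqual`. The `username:expires:signature` layout, the HMAC-SHA256 signing step and the key are assumptions made for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TokenSignatureCheck {
    // Vulnerable form: String.equals returns at the first differing character,
    // so its running time depends on how many leading characters of the guess match.
    static boolean verifyWithEquals(String expectedSig, String givenSig) {
        return expectedSig.equals(givenSig);
    }

    // Hardened form: MessageDigest.isEqual compares every byte when lengths match
    // and accumulates the differences, so its time does not reveal the first mismatch.
    static boolean verifyConstantTime(String expectedSig, String givenSig) {
        byte[] expected = expectedSig.getBytes(StandardCharsets.UTF_8);
        byte[] given = givenSig.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    // Hypothetical signing step (assumption): HMAC-SHA256 over "username:expires".
    static String sign(String username, long expires, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal((username + ":" + expires).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Validate a "username:expires:signature" token (constructed layout, not JHipster's).
    static boolean validate(String token, byte[] key, long now) throws Exception {
        String[] parts = token.split(":");
        if (parts.length != 3) return false;
        long expires;
        try { expires = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return false; }
        if (expires < now) return false;
        // Recompute the signature server-side and compare it in constant time.
        return verifyConstantTime(sign(parts[0], expires, key), parts[2]);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed
        long expires = 1444089600000L; // constructed expiry (epoch ms)
        String token = "alice:" + expires + ":" + sign("alice", expires, key);
        String tampered = "bob" + token.substring("alice".length()); // username altered
        System.out.println("genuine:  " + validate(token, key, expires - 1));
        System.out.println("tampered: " + validate(tampered, key, expires - 1));
        System.out.println("expired:  " + validate(token, key, expires + 1));
    }
}
```

`MessageDigest.isEqual` still returns early when the two lengths differ, which is acceptable here because the signature length is fixed and public.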

jdubois (Member) commented Oct 6, 2015

Impressive. I knew about them, and I didn't think we were vulnerable to them.
I didn't write that code but I reviewed it quite carefully, and now you find this!! That's the great thing about JHipster, so many people working together.

Maybe we should also check for OAuth2, and for the standard Spring Security authentication mechanism. @rwinch have you already checked this in Spring Security?

rwinch commented Oct 6, 2015

@jdubois Thanks for calling this to my attention.

Spring Security / Spring Security OAuth either uses

UPDATE

If any security vulnerabilities are found within Spring Security (or Spring in general), then please report to security@pivotal.io as outlined at http://pivotal.io/security, or ensure you select the Security Level attribute with the value of Assignee and Reporter when reporting in JIRA.

jdubois (Member) commented Oct 6, 2015

I thought I knew Spring Security quite well, and now I see it goes way beyond what I imagined!!

By the way I should check the JWT support from Spring Security: I didn't know about this, it's probably better than our own custom-made solution.

pnreddysvu commented
There are a few examples if you want to use JWT. Migrating to JWT also solves the websocket authentication issue. See the examples below for reference.
https://github.com/auth0/socketio-jwt
https://github.com/nielsutrecht/jwt-angular-spring

jdubois (Member) commented Oct 7, 2015

Thanks @pnreddysvu -> I'll add a new ticket to migrate to JWT

jdubois (Member) commented Oct 7, 2015

Oh, and if we migrate to JWT, then we might not have to merge this PR -> I'm putting this on hold, until we have a closer look at JWT
