signing-oracle
Signing Oracle
A signing oracle vulnerability occurs when an application provides a feature that signs user-controlled data using a secret key.
This signed output can later be reused by an attacker to bypass authorization controls. In many modern web applications, sensitive data such as user roles, session tokens, or object identifiers are protected by digital signatures. The main assumption is that without the secret key, it should be impossible to forge or modify these values. However, if the application exposes a functionality that signs arbitrary user input, it unintentionally acts as an oracle. Attackers can use this oracle to generate valid signatures for malicious data and gain unauthorized access.
Concept
If the web application uses the same signing method and secret key in multiple parts of the system. One part allows users to submit data that gets signed (for example, generating tokens for legitimate operations). Another part verifies signed data before granting access to restricted resources.
Because both functionalities rely on the same secret, the attacker can:
- Provide controlled input to the signing feature.
- Obtain a valid signature.
- Reuse this signature in another feature that checks authorization.
This creates a situation similar to Insecure Direct Object Reference (IDOR), where attackers manipulate object identifiers but in a signed format.
Exploitation Process
The general steps involved in exploiting a signing oracle are:
- Identify the signing functionality that accepts user input and returns signed data.
- Understand the data structure being signed (e.g., JSON, parameters, or encoded values).
- Modify the input to include sensitive values such as:
- Admin roles
- Different user IDs
- Unauthorized resources
- Use the signing oracle to generate a valid signature.
- Submit the signed malicious data to another endpoint that trusts the signature.
Since the application verifies only the signature and not the logic behind the data, the attacker gains access to restricted resources.