What is JWT ?
JWT, or JSON Web Token, is an open standard (RFC 7519) used to exchange security information between a client and a server. Due to its popularity, JWT attacks are one of of the most exploited vulnerability by attackers. Each JWT contains base64 encoded JSON objects. A cryptographic algorithm is used to sign JWT tokens to ensure the token’s integrity and protect against JWT attacks. Our researcher has covered this in depth in his blog titled Web Security Researchers, Learn All You Can About Broken Authentication Flaws.
JWT structure
JSON web tokens consist of three parts separated by dots (.) which are:
- Header
- Payload
- Signature
Header consists of two parts; the type of token and the signature being used.
{
“alg”:”HS256”,
“type”:”JWT”
}
The payload contains information about the user and additional entity attributes, called claims. A sample payload would look like:
{ "uid": "1337", "name": "John Doe", "isAdmin": true }
The signature part is created by taking the encoded header, the encoded payload, a secret, and signing them with the algorithm mentioned in the header.
If HMAC SHA256 algorithm is to be used, the signature will be created in the following way:
HMACSHA256(base64UrlEncoded(header)+”.”+base64UrlEncoded(payload), secret)
Finally, the JWT token is compiled by joining base64URL encoded header, payload, and the signature with dots. A typical JWT will look like:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOiIxMzM3IiwibmFtZSI6IkpvaG4gRG9lIiwiaXNBZG1pbiI6InRydWUifQ.sUV1I_A8AuB-D1EVy3_LSlfG2kCysERFKLUX7pej5Eo
JWT attacks in the wild
-
Change to ‘NONE’
JWT supports “none” value in alg field for debugging purpose. If this field is set to “none”, any token will be considered valid, provided signature is empty. This allows attackers to forge the token and set field values according to their requirement.
-
JWT token expiration
The “exp” payload in JWT is used to check the expiry. If a token doesn’t expire, it is possible that an attacker can masquerade as the victim if they are somehow able to steal the token.
For this, capture a JWT token and try to use it after the token has expired. If the application still accepts it, this is a security issue.
-
HMAC algorithm
HMAC and RSA are two most common algorithms used in JWT . HMAC works on the principle of symmetric encryption while RSA used assymetric encryption. To preserve integrity, the secrecy of secret key in HMAC and private key in RSA must be maintained.
Now, suppose a token was signed with RSA private key and verfied using RSA public key. An attacker might change the alg to HMAC and use the public RSA key to sign the forged token. If the application still verifies it using the public RSA key, we have successfully tampered the token.
-
Brute-forcing JWT token
It is also possible to brute force the JWT token if a weak secret key is used. Upon successful brute force, we can use the obtained secret to sign the token again using jwt.io with forged input. JWT-cracker can be used to crack the token.
Usage: “jwt-cracker “`
-
Improper signature verification
Sometimes the developer can ignore signature verification i.e the signature is never verified at the backend. This way, an attacker can provide any random token with forged values to bypass the authentication mechanism.
-
Automate it all
JWT-tool is a great starter to check for all issues at once just by running few commands. Just run
python3 jwt_tool.py -M at -t "https://vitcim.com/api/v1/user/id" -rh "Authorization: Bearer eyJhbG...<JWT Token>"
and wait for the results.
-
Directory traversal
The KID is an optional header in JWT, which allows the developers to specify which key is to be used for verification of the token. This is how the KID parameter looks like in a JWT :
{
"alg" : "HS256",
"typ" : "JWT",
"kid" : "123"
}
The KID provides the location of key file on the file system, improper sanitization before use can lead to directory traversal attacks. When this is the case, the attacker would be able to specify any file in the file system as the key to be used to verify the token. In worst case, the attacker will able to use any key in the file file system for the verification of token.
-
SQL Injection
Since the KID field can be provided by the user, it paves the way for a number of injection attacks. It can lead to SQL injection if the KID is being fetched from the database. Attacker can use the following payload :
“kid”: "invalid-key' UNION SELECT 'attackers-key';--".
Since the database does not contain invalid-key, the token will now be verified using the attackers-key.
These are some of the common attacks in JWT authentication. Payatu maintains a series of blogs on different topics related to information security. Visit Payatu blogs to read more.
-
JKU header tampering
In the JWT header, jku parameter can also be used by developers to specify the JSON Web Key Set URL. This parameter points to an endpoint, where the JSON Web Key (JWK) used to verify the signature is located. Let us understand this by using an example:
{
"alg": "RS256",
"typ": "JWT",
"jku":"https://key-server.com/key.json"
}.
{
"user_name": "john.doe",
"is_admin": false
}
An attacker can replace the jku parameter value with their own JWK instead of the valid one. If there are no proper checks, this gives an attacker permission to sign malicious tokens using their own private key. Once the malicious token is sent, the application will verify it using the attacker’s JWK.
These are some of the common attacks in JWT authentication. Payatu maintains a series of blogs on different topics related to information security. Visit Payatu blogs to read more.
References
https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp-07
https://github.com/lmammino/jwt-cracker
https://github.com/ticarpi/jwt_tool
About payatu
Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.
Want to check the security posture of your organization? Browse through Payatu’s Service and get started with the most effective cybersecurity assessments.
