# JWT ### JWT Attacks #### Description JWT (JSON Web Token) attacks exploit vulnerabilities in the implementation or usage of JWTs, allowing attackers to forge tokens, manipulate claims, or perform other malicious actions. #### Example with Scenario **Scenario:** A web application uses JWTs for user authentication. An attacker can exploit weak signing algorithms or insecure storage to forge tokens and gain unauthorized access. #### Payloads and Test Cases **Payloads** 1. **None Algorithm Attack:** ```json { "alg": "none" } ``` 2. **Brute Force HMAC Secret:** ```json { "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "user": "admin" }, "signature": "generated_signature" } ``` 3. **Claim Manipulation:** ```json { "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "user": "attacker", "admin": true }, "signature": "generated_signature" } ``` **Test Cases** 1. **None Algorithm Attack:** * **Payload:** ```json { "alg": "none" } ``` * **Test Case:** ```python # Create a JWT with the 'none' algorithm jwtToken = createJWT({"alg": "none"}, {"user": "admin"}, "") # Send the token to the server sendJWTToServer(jwtToken) # Verify if the server accepts the token without validation checkAdminAccessGranted() ``` 2. **Brute Force HMAC Secret:** * **Payload:** ```json { "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "user": "admin" }, "signature": "generated_signature" } ``` * **Test Case:** ```python # Generate a JWT with a known weak secret jwtToken = createJWT({"alg": "HS256"}, {"user": "admin"}, "weak_secret") # Send the token to the server sendJWTToServer(jwtToken) # Verify if the server accepts the token checkAdminAccessGranted() ``` 3. **Claim Manipulation:** * **Payload:** ```json { "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "user": "attacker", "admin": true }, "signature": "generated_signature" } ``` * **Test Case:** ```python # Create a JWT with manipulated claims jwtToken = createJWT({"alg": "HS256"}, {"user": "attacker", "admin": True}, "valid_secret") # Send the token to the server sendJWTToServer(jwtToken) # Verify if the server grants admin access checkAdminAccessGranted() ``` #### Mitigation 1. **Use Strong Secrets:** * Use strong, random secrets for signing JWTs. * Avoid using weak or easily guessable secrets. 2. **Validate Tokens Properly:** * Always validate the token signature and claims. * Reject tokens with invalid or missing signatures. 3. **Enforce Algorithm Constraints:** * Enforce the use of secure algorithms (e.g., HS256, RS256). * Reject tokens with the 'none' algorithm or other weak algorithms. 4. **Secure Token Storage:** * Store JWTs securely on the client side (e.g., HTTP-only cookies). * Avoid storing tokens in local storage or other insecure places. 5. **Implement Expiry and Revocation:** * Implement token expiry and refresh mechanisms. * Provide a way to revoke tokens when necessary. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://playbook.sidthoviti.com/web-app-pentesting/jwt.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.