JWT

JWT Attacks

Description

JWT (JSON Web Token) attacks exploit vulnerabilities in the implementation or usage of JWTs, allowing attackers to forge tokens, manipulate claims, or perform other malicious actions.

Example with Scenario

Scenario: A web application uses JWTs for user authentication. An attacker can exploit weak signing algorithms or insecure storage to forge tokens and gain unauthorized access.

Payloads and Test Cases

Payloads

None Algorithm Attack:
```
{
  "alg": "none"
}
```

Brute Force HMAC Secret:

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "user": "admin"
  },
  "signature": "generated_signature"
}

Claim Manipulation:

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "user": "attacker",
    "admin": true
  },
  "signature": "generated_signature"
}

Test Cases

None Algorithm Attack:

Payload:
```
{
  "alg": "none"
}
```

Test Case:

# Create a JWT with the 'none' algorithm
jwtToken = createJWT({"alg": "none"}, {"user": "admin"}, "")
# Send the token to the server
sendJWTToServer(jwtToken)
# Verify if the server accepts the token without validation
checkAdminAccessGranted()

Brute Force HMAC Secret:

Payload:

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "user": "admin"
  },
  "signature": "generated_signature"
}

Test Case:

# Generate a JWT with a known weak secret
jwtToken = createJWT({"alg": "HS256"}, {"user": "admin"}, "weak_secret")
# Send the token to the server
sendJWTToServer(jwtToken)
# Verify if the server accepts the token
checkAdminAccessGranted()

Claim Manipulation:

Payload:

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "user": "attacker",
    "admin": true
  },
  "signature": "generated_signature"
}

Test Case:

# Create a JWT with manipulated claims
jwtToken = createJWT({"alg": "HS256"}, {"user": "attacker", "admin": True}, "valid_secret")
# Send the token to the server
sendJWTToServer(jwtToken)
# Verify if the server grants admin access
checkAdminAccessGranted()

Mitigation

Use Strong Secrets:
- Use strong, random secrets for signing JWTs.
- Avoid using weak or easily guessable secrets.
Validate Tokens Properly:
- Always validate the token signature and claims.
- Reject tokens with invalid or missing signatures.
Enforce Algorithm Constraints:
- Enforce the use of secure algorithms (e.g., HS256, RS256).
- Reject tokens with the 'none' algorithm or other weak algorithms.
Secure Token Storage:
- Store JWTs securely on the client side (e.g., HTTP-only cookies).
- Avoid storing tokens in local storage or other insecure places.
Implement Expiry and Revocation:
- Implement token expiry and refresh mechanisms.
- Provide a way to revoke tokens when necessary.

PreviousXPath Injection NextParameter Pollution

Last updated 10 months ago

# Create a JWT with the 'none' algorithm jwtToken = createJWT({"alg": "none"}, {"user": "admin"}, "") # Send the token to the server sendJWTToServer(jwtToken) # Verify if the server accepts the token without validation checkAdminAccessGranted()

# Generate a JWT with a known weak secret jwtToken = createJWT({"alg": "HS256"}, {"user": "admin"}, "weak_secret") # Send the token to the server sendJWTToServer(jwtToken) # Verify if the server accepts the token checkAdminAccessGranted()

# Create a JWT with manipulated claims jwtToken = createJWT({"alg": "HS256"}, {"user": "attacker", "admin": True}, "valid_secret") # Send the token to the server sendJWTToServer(jwtToken) # Verify if the server grants admin access checkAdminAccessGranted()