JWT attacks
JSON Web Token is a proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.
-- Wikipedia
Vulnerabilities
Signature is not verified
Accepting tokens without a signature
Secret keys
Publicly available keys
Sometimes developers don't change default keys or use keys from code snippets copied from the internet. A comprehensive list of such keys can be found here: GitHub - jwt-secrets - public-available JWT secrets.
Brute-forcing keys
Header parameter injection
If the app supports one of the following (optional) JWT header parameters, you may be able to use your own key for signature validation instead of the server's key.
jwk (JSON Web Key): Embedded key
jku (JSON Web Key Set URL): URL to fetch the key from
kid (Key ID): Specify the key (via ID), if multiple keys are available
Injecting self signed JWTs
Via jwk parameter (Burp Suite)
JWT Editor Keys: Generate new RSA key
Burp Repeater: Modify token
"Attack", use "Embedded JWK"
Select generated key (from above)
Via jku parameter
Generate a new key (e.g. using Burp Suite -> JWT Editor Keys).
Host that key in a JSON file somewhere.
Reference it in JWT header.
Modify and sign the token.
Via kid parameter
If the kid parameter is vulnerable to directory traversal, using /dev/null (present on most Linux systems) and then signing the JWT with a null byte leads to a valid signature.
Key used for signature (AA== is a base64 encoded null-byte):
JWT header:
Other interesting JWT header parameters
See PortSwigger - Web Security Academy - JWT attacks - Other interesting JWT header parameters.
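The server-side counterpart to the unsigned-token and header parameter injection issues listed above, as an added example that is not part of the original page: a stdlib-only HS256 verifier that pins the algorithm, refuses jwk/jku, and resolves kid through an in-memory allowlist instead of a file path. The KEYS store, its kid and secret, and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Hypothetical server-side key store: kid -> HMAC secret (constructed values).
KEYS = {"2024-01": b"constructed-demo-secret-do-not-reuse"}
ALLOWED_ALG = "HS256"               # pinned by the server, never read from the token
FORBIDDEN_HEADERS = {"jwk", "jku"}  # token-supplied key material is never trusted

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(header: dict, payload: dict, key: bytes) -> str:
    """Build an HS256-style token; used here only to create constructed test input."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str) -> dict:
    """Return the claims, or raise ValueError naming the reason for rejection."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")          # also rejects unsigned tokens
    if header.keys() & FORBIDDEN_HEADERS:
        raise ValueError("token-supplied key rejected")
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None  # lookup, never a file read
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p64))

def rejection_reason(token: str):
    """Return the rejection reason as a string, or None if the token verifies."""
    try:
        verify(token)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":  # constructed token: traversal-style kid, null-byte key
    print(rejection_reason(sign({"alg": "HS256", "kid": "../../../dev/null"}, {"sub": "admin"}, b"\x00")))
```

Because kid is only ever a dictionary key, a traversal-style value has nothing to resolve against and is rejected as an unknown key ID.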