JWT attack vulnerabilities in Web App Penetration Testing | 2023
In this section, we’ll explain what an JWT Attack is, describe some types, explain how to find and exploit JWT, and summarize how to prevent from JWT | Karthikeyan Nagaraj
What are JWTs?
JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information (“claims”) about users as part of authentication, session handling, and access control mechanisms.
Unlike with classic session tokens, all of the data that a server needs is stored client-side within the JWT itself. This makes JWTs a popular choice for highly distributed websites where users need to interact seamlessly with multiple back-end servers.
A JWT consists of 3 parts: a header, a payload, and a signature. These are each separated by a dot, as shown in the following example:
The header and payload parts of a JWT are just base64url-encoded JSON objects. The header contains metadata about the token itself, while the payload contains the actual “claims” about the user. For example, you can decode the payload from the token above to reveal the following claims:
"name": "Carlos Montoya",
In most cases, this data can be easily read or modified by anyone with access to the token. Therefore, the security of any JWT-based mechanism is heavily reliant on the cryptographic signature.
The server that issues the token typically generates the signature by hashing the header and payload. In some cases, they also encrypt the resulting hash. Either way, this process involves a secret signing key. This mechanism provides a way for servers to verify that none of the data within the token has been tampered with since it was issued:
- As the signature is directly derived from the rest of the token, changing a single byte of the header or payload results in a mismatched signature.
- Without knowing the server’s secret signing key, it shouldn’t be possible to generate the correct signature for a given header or payload.
JWT vs JWS vs JWE
The JWT specification is actually very limited. It only defines a format for representing information (“claims”) as a JSON object that can be transferred between two parties. In practice, JWTs aren’t really used as a standalone entity. The JWT spec is extended by both the JSON Web Signature (JWS) and JSON Web Encryption (JWE) specifications, which define concrete ways of actually implementing JWTs.
In other words, a JWT is usually either a JWS or JWE token. When people use the term “JWT”, they almost always mean a JWS token. JWEs are very similar, except that the actual contents of the token are encrypted rather than just encoded.
What are JWT attacks?
JWT attacks involve a user sending modified JWTs to the server in order to achieve a malicious goal. Typically, this goal is to bypass authentication and access controls by impersonating another user who has already been authenticated.
What is the impact of JWT attacks?
The impact of JWT attacks is usually severe. If an attacker is able to create their own valid tokens with arbitrary values, they may be able to escalate their own privileges or impersonate other users, taking full control of their accounts.
How do vulnerabilities to JWT attacks arise?
- JWT vulnerabilities typically arise due to flawed JWT handling within the application itself.
- The various specifications related to JWTs are relatively flexible by design, allowing website developers to decide many implementation details for themselves. This can result in them accidentally introducing vulnerabilities even when using battle-hardened libraries.
- These implementation flaws usually mean that the signature of the JWT is not verified properly.
- This enables an attacker to tamper with the values passed to the application via the token’s payload.
- Even if the signature is robustly verified, whether it can truly be trusted relies heavily on the server’s secret key remaining a secret. If this key is leaked in some way, or can be guessed or brute-forced, an attacker can generate a valid signature for any arbitrary token, compromising the entire mechanism.
Exploiting flawed JWT signature verification
- By design, servers don’t usually store any information about the JWTs that they issue.
- Instead, each token is an entirely self-contained entity. This has several advantages, but also introduces a fundamental problem — the server doesn’t actually know anything about the original contents of the token, or even what the original signature was.
- Therefore, if the server doesn’t verify the signature properly, there’s nothing to stop an attacker from making arbitrary changes to the rest of the token.
For example, consider a JWT containing the following claims:
If the server identifies the session based on this
username, modifying its value might enable an attacker to impersonate other logged-in users. Similarly, if the
isAdmin value is used for access control, this could provide a simple vector for privilege escalation.
In the first couple of labs, you’ll see some examples of how these vulnerabilities might look in real-world applications.
Accepting arbitrary signatures
JWT libraries typically provide one method for verifying tokens and another that just decodes them. For example, the Node.js library
Occasionally, developers confuse these two methods and only pass incoming tokens to the
decode() method. This effectively means that the application doesn't verify the signature at all.