Attacking JWT (JSON Web Tokens)?
First of all What are JWTs(JSON web tokens)?
JSON web tokens (JWTs) are standardized for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data but are most commonly used to send information (“claims”) about users as part of authentication, session handling, and access control mechanisms.
Unlike with classic session tokens, all of the data that a server need is stored “client-side” within the JWT itself. This makes — — “ JWTs a popular choice for highly distributed websites where users need to interact seamlessly with multiple back-end servers”.
How Does It look like ?🤔 How can I know ya this is it?🤷♂️
JWT format
A JWT consists of 3 parts: a header, a payload, and a signature.
The header and payload parts of a JWT are just base64url-encoded JSON objects. 🧑💻
The header contains metadata about the token itself, while the payload contains the actual “claims” about the user.
Which can be decoded.🎉
NOTE:- *Therefore, the security of any JWT-based mechanism is heavily reliant on the cryptographic signature.*
JWT signature
The server that issues the token typically generates the signature by hashing the header and payload. In some cases, they also encrypt the resulting hash.
Either way, this process involves a secret signing key.
This mechanism provides a way for servers to verify that none of the data within the token has been tampered with since it was issued:
- As the signature is directly derived from the rest of the token, changing a single byte of the header or payload results in a mismatched signature.
— — — — — — — — — — — — — — — & — — — —— — — — — — — — — — —
- Without knowing the server’s secret signing key, it shouldn’t be possible to generate the correct signature for a given header or payload.
So The Question Arises What Can We Do?
Being a hacker that’s a common question to arise so first let's know more about the target👇
➡️What are JWT attacks?
JWT attacks involve a user sending modified JWTs to the server to achieve a malicious goal.
👉Typically, this goal is to bypass authentication and access controls by impersonating another user who has already been authenticated.👈
➡️What is the impact?
If an attacker is able to create their valid tokens with arbitrary values, they may be able to escalate their privileges or impersonate other users, taking full control of their accounts.
➡️How can a hacker implement it?
JWTs are relatively flexible by design, allowing website developers to decide many implementation details for themselves.
So — — — —the signature of the JWT is not verified properly — — — —
which enables an attacker to tamper with the values passed to the application via the token’s payload. Even if the signature is robustly verified, whether it can truly be trusted relies heavily on the server’s secret key remaining a secret.
If this key is leaked in some way, or can be guessed or brute-forced, an attacker can generate a valid signature for any arbitrary token, compromising the entire mechanism.
➡️Preventive Measures?
- Use an up-to-date library for handling JWTs along with any security implications. Modern libraries make it more difficult for you to inadvertently implement them insecurely.
- Make sure that you perform robust signature verification on any JWTs that you receive, and account for edge cases(extreme cases)such as JWTs signed using unexpected algorithms.
- Enforce a strict whitelist of permitted hosts for the jku* header.
*jku(JWK Set URL): Header Parameter is a URI that refers to a resource for a set of JSON-encoded public keys, one of which corresponds to the key used to digitally sign the JWS (JSON Web Signature)).
- Make sure that you’re not vulnerable to path traversal or SQL injection via the kid** header parameter
**kid: Key Id mainly refers to a Secret that can be retrieved and used to validate the signed JWT. — Mostly it is just a random guide that is stored as a secret Id. It should be provided by the generator of the JWT so that a Validator can retrieve the correct secret based on the “kid” to validate the signed JWT token.
