Introduction
JSON Web Tokens (JWTs) are widely adopted for secure, stateless authentication across web applications, APIs, and microservices. While JWTs bring many benefits, such as efficient session management and scalable authentication, they are also prone to a range of vulnerabilities when misconfigured or improperly implemented.
In this post, we’ll go beyond the basics of JWT exploitation, exploring advanced techniques for bypassing authentication, gaining unauthorized access, and achieving privilege escalation.
1. JWT Basics: The Foundation for Advanced Exploits
A JWT typically consists of three base64-encoded parts:
-
Header: Specifies the token’s algorithm (
alg
) and token type. - Payload: Contains the token’s claims, including user details and access levels.
- Signature: Verifies that the token hasn’t been altered. It’s generated by encoding the header and payload with a secret key.
Here’s a quick JWT structure:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The security of JWTs relies on robust key management and proper validation of each token component. However, slight misconfigurations or weak practices can open up serious attack vectors.
2. Common JWT Exploits and Advanced Techniques
1. The “None” Algorithm Attack
-
Explanation: In some cases, developers mistakenly allow
none
as a signing algorithm, which skips signature verification entirely. This leaves the JWT effectively unsigned. -
Exploit: If the server accepts
none
as a valid algorithm, an attacker can alter the JWT payload and set thealg
header tonone
. This allows attackers to bypass authentication and escalate privileges by modifying claims, such as setting therole
toadmin
. -
Example Payload:
{ "alg": "none", "typ": "JWT" }
-
Steps:
- Decode the JWT and alter the payload, e.g., changing
"role": "user"
to"role": "admin"
. - Remove the signature part of the token and set the
alg
tonone
. - Send the manipulated JWT to the server and verify if you gain elevated privileges.
- Decode the JWT and alter the payload, e.g., changing
2. Weak Key Vulnerabilities in HMAC (HS256)
-
Explanation: If a weak secret is used with symmetric algorithms like
HS256
, it’s possible to brute-force the signature or predict the key. -
Exploit: With tools like
JWT Cracker
, try common or weak secrets such asadmin
,password
, or the application name. -
Steps:
- Capture a valid JWT.
- Use a brute-force tool or wordlist to crack the secret key.
- Once the secret is known, you can create valid tokens with any claims.
Common tools for brute-forcing:
- jwt_tool.py
- hashcat
(supports JWT cracking with hash mode 16500 for HS256)
3. Key Confusion Attacks
-
Explanation: Key confusion happens when an application uses symmetric (
HS256
) and asymmetric (RS256
) algorithms interchangeably without verification. This allows attackers to substitute anRS256
JWT with anHS256
token, signing it with the server’s public key. - Exploit: If the server doesn’t differentiate between RS256 and HS256, you can use the public key (available to anyone) as a secret for an HS256 token.
-
Steps:
- Get the server’s public key (often available in the application’s open configuration or public JWKS).
- Encode your JWT header to use
HS256
and set the payload toadmin
. - Sign the JWT using the public key as the secret.
- Send the crafted JWT and check if it bypasses authentication.
4. Claim Tampering and Lack of Validation
- Explanation: Claims within a JWT are user data fields, but if they’re not validated by the server, attackers can modify them to escalate privileges.
-
Common Claims to Manipulate:
-
iat
(Issued At): Modifying it can bypass time-based restrictions. -
exp
(Expiration): Changing expiration can extend session validity indefinitely. -
sub
(Subject): Changingsub
to impersonate another user.
-
-
Steps:
- Decode the JWT and modify claims directly, such as
exp
for expiry orsub
for user identity. - Re-sign the JWT if you know the secret, or if it’s vulnerable to weak key exploits.
- Test whether the server accepts the modified token.
- Decode the JWT and modify claims directly, such as
5. SQL Injection via JWT Claims
-
Explanation: If claims are directly used in database queries without sanitization, SQL injection attacks may be possible. This usually occurs when claims like
sub
orusername
are concatenated into database queries. -
Steps:
- Modify a claim (e.g.,
sub
) to include SQL injection payloads like'; DROP TABLE users;--
. - Check if the application’s response or database behavior reflects SQL injection.
- Modify a claim (e.g.,
6. Cross-JWT Token Forgery (XJWT)
- Explanation: Cross-JWT token forgery involves reusing JWTs across services that accept tokens from different origins without verification.
-
Exploit: If two services don’t validate the
aud
(audience) claim consistently, attackers can reuse tokens issued for one service to authenticate on another, bypassing intended access controls. -
Steps:
- Obtain a JWT from a service with a lower access level.
- Attempt to reuse the JWT on a more privileged service that lacks proper
aud
validation.
7. JWT Signature Bypasses with JKU Header Injection
-
Explanation: The
jku
(JSON Web Key Set URL) header allows the token to specify a URL to fetch a public key. If this URL isn’t properly validated, attackers can supply their own key server, generating valid tokens signed by their own keys. -
Exploit: Manipulate the
jku
header to point to an attacker-controlled server. -
Steps:
- Set up a server that provides a fake JSON Web Key Set (JWKS).
- Modify the JWT to include a
jku
header pointing to the malicious JWKS URL. - Sign the token with the attacker’s private key and send the JWT to the server.
3. Real-World Example Attack Scenarios
Example 1: Privilege Escalation via Weak JWT Key on HS256
- Capture a JWT with HS256 signing from the application.
- Use a brute-force tool to guess the secret (often found with a weak wordlist).
- Decode the payload and set
"role": "admin"
. - Re-sign the token and send it to the server, checking if you gain administrative access.
Example 2: Exploiting None Algorithm to Bypass Authentication
- Observe that the application supports
alg=none
. - Modify the token’s header to set
alg
tonone
. - Update the payload to escalate privileges, e.g.,
"role": "superuser"
. - Send the tampered token to gain elevated privileges.
Example 3: Gaining Unauthorized Access via Cross-JWT Token Forgery
- Capture a JWT from Service A with lower access.
- Send the same token to Service B, bypassing
aud
claim verification. - Check if Service B grants access, thus bypassing the cross-service security barrier.
4. Defending Against Advanced JWT Exploits
1. Enforce Strong Key Management Practices
- Use unique, strong secrets for HS256 tokens, avoiding common or guessable keys.
- Rotate keys regularly and avoid hard-coding secrets in application code.
2. Restrict Algorithm Usage
- Only use algorithms necessary for your application and avoid using
none
. - Enforce RS256 over HS256 where possible to separate signing and verification keys.
3. Validate All JWT Claims Carefully
- Validate claims like
aud
,exp
, andsub
to prevent tampering or unauthorized reuse. - Set strict conditions for
iat
andexp
to avoid indefinite token validity.
4. Avoid Using jku
and kid
Without Validation
- Do not rely on external sources for public key retrieval, or validate these URLs if you must use them.
- Disable
jku
andkid
headers if not required.
5. Monitor for Anomalous Token Behavior
Track token usage patterns, such as excessive token reuse or invalid claim modifications.
Implement rate limiting and anomaly detection for authentication endpoints.
Conclusion
JWT misconfigurations and weaknesses are a high-impact attack vector that can expose applications to privilege escalation, unauthorized access, and data breaches. By understanding and leveraging advanced JWT exploitation techniques, bug bounty hunters and security experts can reveal hidden vulnerabilities in applications, emphasizing the need for strong security measures around token handling.
Top comments (0)