AppSec All-in-One – All About JWT and its Attacks

Heads-up: This blog is completely theoretical which helps for easy access and go through the concepts (acts as a revise book for you). A practical walkthrough of all these JWT attacks will be demonstrated in DeDefence YouTube channel. Stay tuned and make sure to subscribe.

• To prepare for AppSec interviews (Because it is most common topic which is often asked in every interview)
• Security Professionals
• Bug Bounty Hunters
• Developers
• QA

• Stripping the signature by manipulating the header algorithm to none
• Cracking weak
• Guessable secret keys used for signing
• Tricking servers into using the wrong algorithm (an “algorithm confusion” attack) to validate a forged token

Further risks arise from:

• Injecting malicious parameters into the token header to control the key verification process, potentially leading to path traversal, SQL injection, and the use of attacker-controlled keys.

The Anatomy of a JSON Web Token (JWT)

The Three Parts of a JWT

• alg: Specifies the cryptographic algorithm used to sign the token, such as HS256 (HMAC with SHA-256) or RS256 (RSA with SHA-256). This field is the source of several critical vulnerabilities.
• typ: Declares the token type, which is almost always JWT.

• Registered Claims: Predefined claims like iss (issuer), sub (subject), aud (audience), exp (expiration time), and iat (issued at).
• Public Claims: Custom claims defined to avoid collisions, usually registered in the IANA JSON Web Token Claims registry.
• Private Claims: Custom claims created for information sharing between parties.

Titbits: The header and payload are only Base64Url encoded, not encrypted. And also keep in mind that the header and payload are Base64Url encoded/decoded not Base64 encoded/decoded. This means anyone who intercepts the token can easily decode and read its contents. Therefore, sensitive information like passwords, credit card numbers, or social security numbers should never be stored in a JWT payload.

• JWS (JSON Web Signature): The token is signed to ensure data integrity, but the payload is readable. It proves that the data has not been tampered with.
• JWE (JSON Web Encryption): The token’s payload is encrypted, providing confidentiality. The content is hidden from parties who do not possess the decryption key.

The Attacker’s Playbook: Common JWT Vulnerabilities and Exploits

• Vulnerability: The server trusts the alg parameter in the header—which is controlled by the attacker—to determine how to validate the token. By setting alg to none, the attacker tells the server that no signature is present and the token should be considered valid as-is.

• Relatable Example: Imagine your office security pass has a field labeled “Verification Method: Biometric Scan.” An attacker scratches that out and writes, “Verification Method: Just Trust Me, Bro.” If the security guard sees this, shrugs, and lets them in without a scan, that’s the none algorithm attack.

• Exploitation Steps:

1. 1. Capture a legitimate JWT.
   2. Decode the header and change the alg value to none. Attackers often try multiple case variations (None, NONE, nOnE) to bypass naive string filters.
   3. Decode the payload and modify claims, for example, changing "isAdmin": false to "isAdmin": true.
   4. Re-encode the modified header and payload.
   5. Construct the new token by concatenating the parts and adding a trailing dot for the empty signature: [new_header].[new_payload]..
   6. Submit this forged token to the server. If vulnerable, the server will grant elevated privileges.

Attack 05: Cracking Weak HMAC Secrets (HS256)

• Vulnerability: An attacker with a single valid JWT has both the data that was signed and the resulting signature. This is enough to launch a dictionary or brute-force attack to find the secret key.

• Relatable Example: This is like setting your bank account PIN to “1234” or your computer password to “password”. An attacker doesn’t need to be a cryptographic genius; they just need a list of common passwords and a tool that can try them all very quickly.

• Exploitation Steps:

1. 1. Obtain a valid JWT signed with an HMAC-based algorithm (e.g., HS256).
   2. Use a cracking tool like hashcat (mode 16500) or John the Ripper with a wordlist of common secrets (like rockyou.txt or JWT-specific lists).
   3. The tool repeatedly signs the token’s header and payload with each secret from the wordlist and compares the result to the original signature.
   4. If a match is found, the secret is cracked. The attacker can now forge any token and sign it with the recovered secret.

• Vulnerability: An asymmetric RS256 token is signed with a private key and verified with a public key. A symmetric HS256 token is signed and verified with the same secret key. If an attacker can change the alg header from RS256 to HS256, a poorly implemented server might fetch the public key (which is not secret) and use it as the HS256 secret for verification.

• Relatable Example: Imagine a high-security vault door requires a unique, secret physical key to lock (the private key), but its design can be verified with a publicly available blueprint (the public key). An attacker walks up, slaps a new label on the door that says “Standard Padlock,” and then uses the public blueprint to fashion a flimsy key. If the confused security system uses the blueprint to check the “padlock,” it will accept the forged key and open the door.

• Exploitation Steps:

1. 1. Obtain the server’s public RSA key. This can often be found at a .well-known/jwks.json endpoint, in mobile app assets, or extracted from a TLS certificate.
   2. Take a valid JWT and decode its header and payload.
   3. Change the alg parameter in the header from RS256 to HS256.
   4. Modify the payload to escalate privileges (e.g., sub: "administrator").
   5. Sign the newly crafted token using the HS256 algorithm, providing the server’s public RSA key as the secret.
   6. Submit the forged token. The server, expecting HS256, will use its own public key to successfully verify the signature.

1. kid (Key ID) Injection:The kid parameter tells the server which key to use for verification, which is useful when multiple keys are in rotation. Attackers can abuse this if the server uses the kid value in an unsafe way.

• • Path Traversal: If the kid specifies a file path to the key (e.g., /var/www/keys/key123.pem), an attacker can inject path traversal sequences. 
    • Example Payload:"kid": "../../../../../dev/null"
    • Exploit: By pointing to /dev/null, the server attempts to use an empty file as the verification key. The attacker can then sign their forged token with an empty string as the secret, resulting in a valid signature.
  • SQL Injection: If the kid is used to query a database for the key, it can be vulnerable to SQL injection.
    • Example Payload:"kid": "' UNION SELECT 'attacker_controlled_key'--"
    • Exploit: The attacker tricks the database into returning a key they know, which they then use to sign their forged token.
  • Command Injection: If the kid value is passed into a system command, an attacker can inject malicious commands.
    • Example Payload:"kid": "key.pem; whoami"

      2. jku (JWK Set URL) and x5u (X.509 URL) Injection: These parameters point to a URL where the server can fetch the key or certificate needed for verification.

• Vulnerability: If the server does not whitelist trusted domains, an attacker can host their own JSON Web Key (JWK) set or certificate at a URL they control and point the jku or x5u header to it.

• Relatable Example: This is like asking a bouncer to check a guest list, but the guest provides a URL to a list they wrote themselves. If the bouncer doesn’t check who owns the website, they’ll accept the fake list.

• Exploit: The attacker generates their own public/private key pair, hosts the public key at their URL, modifies a JWT payload, and signs it with their private key. The server will fetch the attacker’s public key from the malicious URL and use it to successfully validate the forged token. This can also lead to Server-Side Request Forgery (SSRF) vulnerabilities.

• Vulnerability: A vulnerable server will trust and use the embedded public key for verification without checking if it’s a known or trusted key.

• Exploit: An attacker generates their own key pair, embeds their public key in the jwk header, modifies the payload for privilege escalation, and signs the token with their corresponding private key. The server will validate the signature using the key provided by the attacker themselves.

Flawed Implementations: The Hidden Dangers

1. Storing Sensitive Data in the Payload:As established, JWT payloads are merely encoded, not encrypted. Storing any sensitive data—personally identifiable information (PII), internal database IDs, detailed permission structures—creates an information disclosure vulnerability. This data can be read by anyone who obtains the token.

• Local Storage: Storing JWTs in localStorage is common but dangerous. It is accessible via JavaScript, making tokens vulnerable to theft through Cross-Site Scripting (XSS) attacks. A simple XSS payload can read the token from local storage and send it to an attacker’s server, leading to account takeover.

• Cookies: Storing JWTs in HttpOnly cookies is significantly more secure, as it prevents JavaScript from accessing the token, mitigating XSS-based theft. Additional flags like Secure (ensures the cookie is only sent over HTTPS) and SameSite (mitigates CSRF) should also be used.

• No Expiration (exp claim): A token without an exp claim is valid forever. If stolen, it provides permanent access until the signing key is changed.

• No Revocation Mechanism: JWTs are stateless, meaning the server doesn’t track issued tokens. This makes revocation difficult. If a user logs out or changes their password, their old tokens remain valid until they expire. A robust system requires a server-side revocation list (a blacklist), which reintroduces a stateful component but is often necessary for security.

• • Browser history.
  • Web server logs.
  • Proxy server logs.
  • The Referer header when clicking links to external sites.
  • This significantly increases the risk of accidental leakage and theft. JWTs should be transmitted in the Authorization header (e.g., Authorization: Bearer <token>) or in secure cookies.

Tools of the Trade: The Pentester’s JWT Toolkit:

JWT Security Best Practices and Mitigation:

1. Use Strong Algorithms: Prioritize asymmetric algorithms like RS256 or ES256 over symmetric ones. Asymmetric keys prevent attackers from forging tokens even if they obtain the public key.

     2. Use Strong Secrets/Keys:

• • For HMAC (HS256), the secret key must be long, random, and have high entropy (at least 32 bytes). Never use common words, defaults, or hardcoded values.
  • For RSA, use keys of at least 2048 bits.

     3. Rotate Keys Periodically: Implement a key rotation policy to limit the window of exposure if a key is compromised.

     4. Always Verify the Signature: This is the most critical step. Every token must be verified before its payload is trusted or used.

• • exp: Ensure the token has not expired.
  • nbf (Not Before): Ensure the token is not being used prematurely.
  • iss: Verify that the token was issued by the expected authority.
  • aud: Verify that the token is intended for your application.

• • The best practice is to store JWTs in HttpOnly, Secure, and SameSite cookies to protect against XSS and CSRF.
  • Avoid localStorage or sessionStorage due to XSS risks.

• • Always use HTTPS.
  • Pass the token in the Authorization header, not in URL parameters.