Comprehensive JWT Security Guide
Comprehensive JWT Security Guide A practitioner’s reference for JSON Web Token security – vulnerabilities, exploitation techniques, attack vectors, implementation flaws, and defense strategies. Covers algorithm confusion, signature bypass, header injection, key confusion, library-specific issues, cryptographic attacks, attack chaining, and secure implementation patterns. Compiled from 42 research sources. Table of Contents Fundamentals JWT Structure & Components Algorithm Confusion Attacks Signature Bypass Techniques Header Manipulation Payload Tampering Cryptographic & Protocol-Level Attacks Library-Specific Vulnerabilities Attack Chaining Implementation Security Attack Methodology Secure Development Practices 1. Fundamentals JWT Overview Component Purpose Security Relevance Header Algorithm and token type declaration Algorithm confusion vector Payload Claims and data Authorization decisions Signature Integrity and authenticity proof Bypass target Common Use Cases Application JWT Role Attack Impact Authentication Identity assertion Account takeover Authorization Permission claims Privilege escalation Information Exchange Secure data transmission Information disclosure API Access Bearer token Unauthorized access Microservices Stateless session Cross-service token reuse JWS vs JWE Format Purpose Security Consideration JWS (JSON Web Signature) Signed tokens – integrity and authenticity Most common; payload is readable (base64url), not encrypted JWE (JSON Web Encryption) Encrypted tokens – confidentiality Payload confidential; format confusion with JWS possible 2. JWT Structure & Components Token Anatomy JWT STRUCTURE: Header.Payload.Signature Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c Header Parameters Parameter Description Security Implications alg Signature algorithm Algorithm confusion attacks typ Token type Type confusion, JWS/JWE format confusion kid Key identifier Path traversal, SQL injection, command injection jku JWK Set URL SSRF, URL manipulation, external key loading jwk Embedded JSON Web Key Key injection – attacker embeds own public key x5u X.509 URL Certificate injection, SSRF x5c X.509 Certificate Chain Certificate substitution Standard Claims Claim Purpose Attack Vectors iss (Issuer) Token origin Issuer spoofing, substitution attacks sub (Subject) Token subject User ID manipulation aud (Audience) Intended recipient Audience bypass, cross-service token reuse exp (Expiration) Token lifetime Expiry bypass, token persistence iat (Issued At) Issue timestamp Replay attacks nbf (Not Before) Activation time Timing bypass 3. Algorithm Confusion Attacks Attack Mechanism ALGORITHM CONFUSION FLOW: 1. Server expects RS256 (RSA + SHA256) 2. Attacker changes alg to HS256 (HMAC + SHA256) 3. Server's public RSA key used as HMAC secret 4. Attacker generates valid HMAC signature 5. Server verifies with same key -> bypass Vulnerable Algorithm Transitions Original Algorithm Confused Algorithm Attack Method RS256/RS384/RS512 HS256/HS384/HS512 Public key as HMAC secret ES256/ES384/ES512 HS256/HS384/HS512 Public key as HMAC secret PS256/PS384/PS512 HS256/HS384/HS512 Public key as HMAC secret Any Algorithm none No signature verification Exploitation Techniques Attack Vector Payload Example Impact RSA->HMAC {"alg":"HS256"} + HMAC(payload, rsa_public_key) Complete authentication bypass Algorithm None {"alg":"none"} + unsigned token Total signature bypass None Variants {"alg":"NoNe"}, {"alg":"NONE"}, {"alg":"nOnE"} Blacklist bypass on case-insensitive checks Weak Algorithm {"alg":"HS256"} with known/weak secret Signature forgery CVE-2024-54150: cjwt C Library A real-world algorithm confusion in the xmidt-org/cjwt C library. The cjwt_decode() function reads the algorithm from the JWT header without requiring the caller to specify an expected algorithm. The verification function jws_verify_signature() dispatches based on the header-controlled alg value, allowing an attacker to sign with HMAC using the server’s RSA public key. ...