JWT attack - ties2/web-pentest GitHub Wiki
JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. However, JWTs are vulnerable to various types of attacks that can compromise their security.
Here are some common types of JWT attacks:
Signature Spoofing Attack:
In this type of attack, an attacker changes the contents of a JWT and replaces its signature so that the altered token is still accepted. They do this by capturing a legitimate JWT, modifying the payload, and replacing the signature. Once the changes are made, they can present the modified JWT to gain access to protected resources. For example, an attacker might intercept a JWT, change the user ID in the payload, and re-sign it with their own key to access another user's account.
Brute Force Attack:
This attack involves an attacker guessing a JWT's secret key through trial and error. Once the key is recovered, the attacker can use it to generate their own JWTs and gain access to protected resources. A brute force attack succeeds when the secret key is short, simple, or predictable.
Token Leakage Attack:
This attack involves an attacker gaining access to a JWT's contents by intercepting it in transit or stealing it from the client's browser. Once the attacker has the JWT, they can extract sensitive information from it, such as user credentials or session IDs.
Signature Stripping Attack:
In this type of attack, an attacker tries to remove the signature from a JWT to gain access to protected resources without holding a valid token. They do this by modifying the JWT to drop its signature, then sending the modified JWT to the server. A server that does not strictly enforce signature verification will accept the modified JWT and grant access to the attacker.
Token Substitution Attack:
In this type of attack, an attacker intercepts a JWT and replaces it with a token of their own. The attacker can then use that token to gain access to protected resources. For example, an attacker might intercept a JWT intended for a user with limited privileges and replace it with a token that grants administrator access.
To prevent JWT attacks, it's important to use strong, unpredictable secret keys, verify the signature on incoming JWTs, and limit the amount of information included in a JWT's payload. Additionally, JWTs should be transmitted over secure channels and stored securely on the client side.
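The verification side of this advice, as an added example that is not part of the original wiki page: a minimal HS256 verifier that refuses a token whose signature has been stripped, whose header does not name the expected algorithm (so an `alg` of `none` is rejected), or whose payload no longer matches its signature. The secret and the sample tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment uses a long random key.
SECRET = b"demo-secret-do-not-use-in-production"

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(payload: dict, secret: bytes) -> str:
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes):
    """Return the payload if the token is valid, otherwise None.
    Rejects a missing/empty signature, any alg other than HS256, and a bad MAC."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # signature stripped or token malformed
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Never let the token's own alg field pick the algorithm; require the one we expect.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(body_b64))

# Constructed sample tokens: valid, signature stripped, payload tampered, and alg set to none.
VALID = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
STRIPPED = VALID.rsplit(".", 1)[0] + "."
TAMPERED = VALID.split(".")[0] + "." + _b64url_encode(b'{"sub":"alice","role":"admin"}') + "." + VALID.split(".")[2]
NONE_ALG = _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + VALID.split(".")[1] + "."
```

Only `VALID` passes `verify_hs256`; the other three constructed tokens are rejected before any payload is trusted.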
Cheat sheet summarizing common JWT attacks and their characteristics:
Attack type: Signature Spoofing Attack
Description: Modifying the signature of a JWT to change its contents.
Characteristics:
- Attackers intercept a legitimate JWT and modify its payload and signature.
- Attackers can gain access to protected resources using the modified JWT.
Attack type: Brute Force Attack
Description: Guessing the secret key of a JWT through trial and error.
Characteristics:
- Attackers repeatedly guess different secret keys until they find the correct one.
- Attackers can generate their own JWTs with the correct secret key to gain access to protected resources.
Attack type: Token Leakage Attack
Description: Intercepting or stealing a JWT to extract sensitive information.
Characteristics:
- Attackers can intercept JWTs in transit or steal them from the client's browser.
- Attackers can extract sensitive information from the JWT, such as user credentials or session IDs.
Attack type: Signature Stripping Attack
Description: Removing the signature from a JWT to gain access to protected resources without a valid token.
Characteristics:
- Attackers modify the JWT to remove its signature.
- Servers that do not strictly enforce signature verification may still accept the modified JWT, granting access to attackers.
Attack type: Token Substitution Attack
Description: Replacing a legitimate JWT with an attacker-generated token.
Characteristics:
- Attackers intercept a legitimate JWT and replace it with their own token.
- Attackers can gain access to protected resources using their own token.
To prevent these attacks, it's important to use strong secret keys, verify the signature on incoming JWTs, limit the amount of information in a JWT's payload, and transmit JWTs over secure channels.