JWT Attacks

These tokens are used to send user authentication and session information. The JWT token format contains a header, payload, and signature. The header and payload are base64 encoded JSON objects, with the header containing token metadata and the payload containing user claims. Exploiting flaws where servers do not properly verify signatures or accept arbitrary signatures can allow attackers to modify tokens.

Uploaded by

hamza.adnan

JSON Web Tokens (JWTs) are used to send information about users as part of authentication, session handling and access control.

The JWT format contains three parts, each separated by a dot: the header, the payload and the signature.

The header and payload are simply base64url-encoded JSON objects. The header contains metadata about the token itself; the payload contains the actual claims about the user.

Exploiting flawed JWT signature verification

The server does not store information about the JWTs it issues; instead every token is an entirely self-contained entity. This means the server has no stored state to tell it whether an incoming JWT has been manipulated or whether its signature has been modified. If the server does not verify the signature, an attacker can make changes to the token.

Accepting arbitrary signatures

JWT libraries typically provide one method for verifying tokens and a separate one that only decodes them. If the incoming token is passed to the decode() method, the signature is not being verified.

In the first lab the JWT was not being verified by the server, so changing the token got us access to the admin panel.

Accepting tokens with no signature

The JWT header contains an alg parameter, which tells the server which algorithm was used to sign the token. The server uses this to decide how to verify the signature.
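The two verification flaws described above (decode-only handling and trusting the token's own alg) can be shown side by side in a small HS256 verifier. The code below is an added example written for these notes, not code from the lab or from any library; the secret and the sample claims are constructed values. decode_unverified() mirrors the decode() pitfall, while verify_hs256() pins the expected algorithm (so an unexpected or missing algorithm is rejected before any signature check) and compares the HMAC in constant time.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for the example (assumption: HS256 shared secret).
SERVER_SECRET = b"example-secret-not-for-production"


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used by JWT segments."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue a token the way the server would (used here only to build sample input)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def decode_unverified(token: str) -> tuple[dict, dict]:
    """The decode() pitfall: returns header and payload without checking the signature."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token: str, secret: bytes) -> dict:
    """Hardened verification: fixed algorithm, no trust in the token's alg, constant-time MAC check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, sig = parts
    header = json.loads(b64url_decode(h))
    # The server decides the algorithm; the token's alg is only compared against it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def accepts(token: str, secret: bytes) -> bool:
    """Convenience wrapper: True if verify_hs256 accepts the token, False if it rejects it."""
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "wiener"}, SERVER_SECRET)
    print("issued token verifies:", accepts(token, SERVER_SECRET))
    h, p, s = token.split(".")
    edited = f"{h}.{b64url_encode(json.dumps({'sub': 'administrator'}).encode())}.{s}"
    print("decode-only sees:", decode_unverified(edited)[1])
    print("verifier accepts edited payload:", accepts(edited, SERVER_SECRET))
```

The important line for a code reviewer is the alg comparison: a verifier that reads alg from the header and dispatches on it is the one that can be talked into skipping signature checks, so the expected algorithm belongs in server configuration, not in the token.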

JWT header parameter injections

In the JWT header only the alg parameter is mandatory; the other header parameters are optional, which means an attacker can inject additional headers.

The headers of interest are:

jwk -> provides an embedded JSON object representing the key
jku -> provides a URL from which the server can fetch a set of keys containing the correct key
kid -> provides an ID so the server can identify the correct key in case there are multiple keys

Injecting the jwk parameter

Create a personal key and inject it in the payload.

Injecting self-signed JWTs via the kid parameter

Servers use cryptographic keys for signing different kinds of data. For this reason JWTs have a key ID parameter (kid), which helps the server identify which key to use when it has to verify the signature.

Keys are often stored as JWK sets, so the server looks for the entry whose kid matches the one in the JWT header. Since the specification does not define a format for it and it is just an arbitrary string, the kid parameter can also be used to point to a specific entry in a database or a file.
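The common defence against all three header injections (jwk, jku and kid, covered in the sections above) is the same: key material comes only from server-side configuration, and kid is treated as an opaque lookup identifier rather than a path or query. The function below is an added example for these notes, not code from the lab or from a JWT library; the JWK set, its kid values and the base64url-encoded keys in it are constructed and are not real secrets.

```python
import base64
import re

# Constructed server-side JWK set (assumption: symmetric HS256 keys managed by the server).
SERVER_JWKS = {
    "keys": [
        {"kty": "oct", "kid": "2024-03-key", "alg": "HS256", "k": "c2VjcmV0LW9uZQ"},
        {"kty": "oct", "kid": "2024-09-key", "alg": "HS256", "k": "c2VjcmV0LXR3bw"},
    ]
}

# kid is matched as an exact string; this pattern rules out slashes, dots and quotes so the
# value can never be interpreted as a filesystem path or query fragment further down the stack.
KID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class KeyResolutionError(ValueError):
    """Raised when the token's header does not map to a configured key."""


def b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def resolve_key(header: dict, jwks: dict = SERVER_JWKS) -> bytes:
    """Select the verification key for a token from the server's own key set.

    Returns the raw key bytes, or raises KeyResolutionError. It never reads key
    material from the token itself (jwk) and never fetches it from a URL (jku).
    """
    # 1. Embedded or remote key material in the header is refused outright.
    for forbidden in ("jwk", "jku"):
        if forbidden in header:
            raise KeyResolutionError(f"header parameter {forbidden!r} is not accepted")

    # 2. kid must be present, well-formed and match exactly one configured entry.
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_PATTERN.fullmatch(kid):
        raise KeyResolutionError("missing or malformed kid")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyResolutionError("unknown kid")
    key = matches[0]

    # 3. The algorithm recorded for the key is authoritative; the token's alg must agree.
    if header.get("alg") != key.get("alg"):
        raise KeyResolutionError("alg does not match the configured key")
    if key.get("kty") != "oct":
        raise KeyResolutionError("unsupported key type")
    return b64url_decode(key["k"])


if __name__ == "__main__":
    print(resolve_key({"alg": "HS256", "kid": "2024-03-key"}))
    for bad in ({"alg": "HS256", "kid": "../other"}, {"alg": "HS256", "kid": "2024-03-key", "jwk": {}}):
        try:
            resolve_key(bad)
        except KeyResolutionError as exc:
            print("rejected:", exc)
```

Step 3 is what ties the kid lookup to the later "algorithm confusion" topic: once the key is chosen, the algorithm it was provisioned for is the only one the verifier should run, whatever the header claims.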

JWT algorithm confusion attack