Skip to content

JWT Null Signature

SeverityHigh
CVEsCVE-2020-28042
ClassificationsCWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP CategoryOWASP API2:2023 Broken Authentication

The “JWT Null Signature” vulnerability occurs when a JSON Web Token (JWT) lacks a signature part, allowing attackers to manipulate the token’s content potentially leading to unauthorized access and data tampering.

For more details, you can refer to the jwtop documentation on Null Signature.

This vulnerability is similar to the “JWT Blank Secret” vulnerability, but in this case, the token lacks a signature part, making it easier for attackers to manipulate the token’s content.

Here is a valid JWT signed with RS512 algorithm:

Terminal window
eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyfQ.MnECRBSUQEi8GjiAyWHPhPhhpzCiMLldkq-N_VS-iwI08c4xEVUhT1Xrx9kNGuwusiQuLI3AOBTPwtbdaasQDCOpF0nxxQNKkufJYFds61ooFZfXCuRyXe1yGnXPRzTfgr5YVe9-T8_JDccx5JP70d9hoO4DU4GNYQMvrOQl4xu8DEyyDT2hsjyTbrodVhrV9znMfEBCsYPPLI-Q-HYLquGThPdJe2kBNA-CiLRV6Mwzji67cTd_4P_oUHKXsAxMqVpo-xC2xiVpO2P9X1__uXrRrfiNFUur4B71UMgGYJ2z_cQqwFfSXz9glBIf_-BJU10Rkmyo2ew862d7WsHx8g

This decoded JWT contains, this parts:

{
"alg": "RS512",
"typ": "JWT"
}
{
"sub": "1234567890",
"iat": 1516239022
}

The following JWT has its signature stripped (null signature attack):

Terminal window
eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjkxNTU4MDksImlhdCI6MTcyOTE1MjIwOSwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.

If you want to test only the “JWT Null Signature” vulnerability, you can use the following command:

Terminal window
vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.null_signature

VulnAPI supports scanning against various types of other vulnerabilities as well.

Signing a JWT with a null signature has a significant impact on the security of the token. A null signature means that there is no signature part used to sign the token, making it vulnerable to tampering and unauthorized access.

By manipulating the token’s content, attackers can gain unauthorized access to sensitive data, impersonate users, and perform other malicious activities.

To remediate the “JWT Null Signature” vulnerability, you should ensure that all JWTs are verified with a valid signature before processing them.

Here are some best practices to follow:

  • Always use a strong cryptographic algorithm like HS512, RS512, or EdDSA to sign JWTs.
  • Ensure that the secret key used to sign JWTs is kept secure and not exposed to unauthorized users.
  • Implement proper input validation and sanitization to prevent attackers from injecting malicious content into JWTs.
  • Regularly monitor and audit JWTs to detect any unauthorized access or tampering attempts.