Skip to content

JWT Weak Secret

SeverityHigh
CVEs
Classifications
OWASP Category

OWASP API2:2023 Broken Authentication

A vulnerability occurs when a JSON Web Token (JWT) is signed with a common, a well-known, or a weak secret. In this scenario, the token lacks proper cryptographic protection, making it susceptible to manipulation. Attackers can find the secret then modify the token’s claims and content without detection, potentially leading to unauthorized access and data tampering.

For more details, you can refer to the jwtop documentation on Weak Secret.

  • Common Secret: The secret key used to sign the JWT is a common value, such as secret, password, or 123456. Attackers can easily guess (brute-force) the secret key.
  • Well-Known Secret: The secret key used to sign the JWT is a well-known value or a default value This can happen when you use a default secret key provided by a product, library or framework.. Attackers can find the secret key in public repositories, forums, or documentation.
  • Weak Secret: The secret key used to sign the JWT is a weak value, such as a short guessable string such as security2024. Attackers can use dictionary attacks, rainbow tables, or other brute-force techniques to find the secret key.

Here is a valid JWT signed with HS256 algorithm and a robust secret key:

Terminal window
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.ZuwZrXpLRj17vDjOLoOOJ7pr1CN5DnE8Clgn4y-fjNs

This decoded JWT contains, this parts:

{
"alg": "HS256",
"typ": "JWT"
}
{
"iat": 1516239022,
"exp": 1516242622,
"name": "John Doe",
"sub": "2cb307ba-bb46-4194-854f-4774046d9c9b"
}

The following JWT is signed with secret secret:

Terminal window
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.gTgBr6lotpAxs4M46PgUXrjhIN5-gYG4HffKSEIB6Ys

If you want to test only the “JWT Weak Secret” vulnerability, you can use the following command:

Terminal window
vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.weak_secret

VulnAPI supports scanning against various types of other JWT vulnerabilities as well.

The impact of using a weak secret key to sign a JWT is significant. Attackers can easily find the secret key and modify the token’s claims and content without detection. This can lead to unauthorized access, data tampering, and other security risks.

Ensure to change the secret key to a strong and unique value. Use a secure random generator to create the secret key and store it securely. Rotate the secret key periodically to mitigate the risk of unauthorized access and data tampering.