JWT Vulnerabilities
Ce contenu n’est pas encore disponible dans votre langue.
JSON Web Tokens (JWTs) are a popular standard for representing claims between two parties. However, improper implementation of JWT verification can lead to several critical security vulnerabilities.
JWTop provides built-in tools to test for these vulnerabilities automatically or manually.
Common Vulnerabilities
Section titled “Common Vulnerabilities” None Algorithm Accepting tokens with no signature.
Blank Secret Tokens signed with an empty HMAC secret.
HMAC Confusion Using a public key as an HMAC secret.
KID Injection Injecting payloads via the Key ID header.
Null Signature Stripping the signature from the token.
Psychic Signature ECDSA verifiers accepting an all-zero (r=0, s=0) signature.
Weak Secret Brute-forcing common HMAC secrets.
Signature Not Verified Bypassing signature verification entirely.
Cross Service Relay Attack Relaying tokens from other projects.
How to Test
Section titled “How to Test”The fastest way to test a live server for all these vulnerabilities at once is to use the crack command:
jwtop crack $TOKEN --url https://api.example.com/protectedFor more details on each vulnerability, click on the cards above.