Aller au contenu

JWT Blank Secret

Ce contenu n’est pas encore disponible dans votre langue.

SeverityHigh
CVEs
ClassificationsCWE-287: Improper Authentication
OWASP CategoryOWASP API2:2023 Broken Authentication

A vulnerability occurs when a JSON Web Token (JWT) is signed with an empty secret. In this scenario, the token lacks proper cryptographic protection, making it susceptible to manipulation. Attackers can modify the token’s claims and content without detection, potentially leading to unauthorized access and data tampering.

Here is a valid JWT signed with HS256 algorithm:

Terminal window
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.SCC35SSgMSMr0kV1i_TuPAhiSGtsC1cFGCfvaus5GyU

This decoded JWT contains these parts:

{
"alg": "HS256",
"typ": "JWT"
}
{
"iat": 1516239022,
"exp": 1516242622,
"name": "John Doe",
"sub": "2cb307ba-bb46-4194-854f-4774046d9c9b"
}

The following JWT is signed with an empty secret (blank key — same header and payload, different signature):

Terminal window
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.rpOjSoJBjzZifWAc-MBQ4UVS9tOY7gJV8cN0j6bN1oA

If you want to test if your server is vulnerable to the “JWT Blank Secret” vulnerability, you can use the crack command:

Terminal window
jwtop crack [token] --url [url]

To only generate a token with a blank secret, use the exploit blanksecret command:

Terminal window
jwtop exploit blanksecret [token]

Signing a JWT with a blank secret has a significant impact on the security of the token. A blank secret means that there is no secret key used to sign the token, making it vulnerable to tampering and unauthorized access.

By signing a JWT with a blank secret, anyone with access to the token can modify its contents without detection. This can lead to various security risks, such as impersonation, data tampering, and unauthorized access to protected resources.

To remediate the JWT blank secret vulnerability, ensure that all JWTs are signed with a secure secret key. Use strong cryptographic algorithms and keep the secret key confidential to prevent unauthorized access and tampering of the tokens.