Aller au contenu

JWT KID Header Injection

Ce contenu n’est pas encore disponible dans votre langue.

SeverityHigh
ClassificationsCWE-345: Insufficient Verification of Data Authenticity
OWASP CategoryOWASP API2:2023 Broken Authentication

The kid (Key ID) JWT header field is intended to tell the server which key to use for signature verification. When this value is passed unsanitized to a database query or a file system lookup, attackers can inject a payload that causes the server to use an attacker-controlled key, effectively allowing them to forge arbitrary tokens.

JWTop tests two variants of this attack:

  • SQL Injection — injects a SQL payload into kid (e.g. ' UNION SELECT 'secret' ...) so that the database returns a known value as the key.
  • Path Traversal — sets kid to a filesystem path such as /dev/null so the server reads an empty file as the key, which can be matched with an empty HMAC secret.

Here is a valid JWT signed with HS256:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The attacker crafts a token with a kid header that injects into the key-lookup query and re-signs it with the value the query is made to return (secret):

{
"alg": "HS256",
"typ": "JWT",
"kid": "' UNION SELECT 'secret' FROM tokens WHERE '1'='1"
}

The attacker sets kid to /dev/null and re-signs the token with an empty HMAC secret. If the server reads the signing key from the path named by kid, it receives zero bytes:

{
"alg": "HS256",
"typ": "JWT",
"kid": "/dev/null"
}

If you want to test if your server is vulnerable to the “JWT KID Injection” vulnerability, you can use the crack command:

Terminal window
jwtop crack [token] --url [url]

To generate a token with a kid injection payload, use the exploit kidinjection command:

Terminal window
jwtop exploit kidinjection [token] --mode sql

A successful KID injection attack allows an attacker to forge a JWT that the server accepts as legitimate. This can lead to full authentication bypass, privilege escalation, or impersonation of any user in the system.

  • Validate the kid value before using it — reject values containing SQL metacharacters, path separators, or characters outside a safe allowlist (e.g. alphanumeric and hyphens only).
  • Use parameterised queries when looking up keys by kid in a database to prevent SQL injection.
  • Never read key material from user-controlled file paths — store keys in a secure key store and use kid only as an opaque identifier mapped server-side to a known key.
  • Hard-code or allowlist permitted kid values where possible.