Aller au contenu

JWT Null Signature

Ce contenu n’est pas encore disponible dans votre langue.

SeverityHigh
CVEsCVE-2020-28042
ClassificationsCWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP CategoryOWASP API2:2023 Broken Authentication

The “JWT Null Signature” vulnerability occurs when a JSON Web Token (JWT) lacks a signature part, allowing attackers to manipulate the token’s content potentially leading to unauthorized access and data tampering.

This vulnerability is similar to the “JWT Blank Secret” vulnerability, but in this case, the token lacks a signature part entirely, making it easier for attackers to manipulate the token’s content.

Here is a valid JWT signed with RS512 algorithm:

Terminal window
eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyfQ.MnECRBSUQEi8GjiAyWHPhPhhpzCiMLldkq-N_VS-iwI08c4xEVUhT1Xrx9kNGuwusiQuLI3AOBTPwtbdaasQDCOpF0nxxQNKkufJYFds61ooFZfXCuRyXe1yGnXPRzTfgr5YVe9-T8_JDccx5JP70d9hoO4DU4GNYQMvrOQl4xu8DEyyDT2hsjyTbrodVhrV9znMfEBCsYPPLI-Q-HYLquGThPdJe2kBNA-CiLRV6Mwzji67cTd_4P_oUHKXsAxMqVpo-xC2xiVpO2P9X1__uXrRrfiNFUur4B71UMgGYJ2z_cQqwFfSXz9glBIf_-BJU10Rkmyo2ew862d7WsHx8g

This decoded JWT contains these parts:

{
"alg": "RS512",
"typ": "JWT"
}
{
"sub": "1234567890",
"iat": 1516239022
}

The following JWT has its signature stripped (null signature attack):

Terminal window
eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjkxNTU4MDksImlhdCI6MTcyOTE1MjIwOSwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.

If you want to test if your server is vulnerable to the “JWT Null Signature” vulnerability, you can use the crack command:

Terminal window
jwtop crack [token] --url [url]

To generate a token with a null signature, use the exploit nullsig command:

Terminal window
jwtop exploit nullsig [token]

Signing a JWT with a null signature has a significant impact on the security of the token. A null signature means that there is no signature part used to sign the token, making it vulnerable to tampering and unauthorized access.

By manipulating the token’s content, attackers can gain unauthorized access to sensitive data, impersonate users, and perform other malicious activities.

To remediate the “JWT Null Signature” vulnerability, you should ensure that all JWTs are verified with a valid signature before processing them.

Here are some best practices to follow:

  • Always use a strong cryptographic algorithm like HS512, RS512, or EdDSA to sign JWTs.
  • Ensure that the secret key used to sign JWTs is kept secure and not exposed to unauthorized users.
  • Implement proper input validation and sanitization to prevent attackers from injecting malicious content into JWTs.
  • Regularly monitor and audit JWTs to detect any unauthorized access or tampering attempts.