JWT Null Signature
Ce contenu n’est pas encore disponible dans votre langue.
| Severity | High |
|---|---|
| CVEs | CVE-2020-28042 |
| Classifications | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| OWASP Category | OWASP API2:2023 Broken Authentication |
The “JWT Null Signature” vulnerability occurs when a JSON Web Token (JWT) lacks a signature part, allowing attackers to manipulate the token’s content potentially leading to unauthorized access and data tampering.
This vulnerability is similar to the “JWT Blank Secret” vulnerability, but in this case, the token lacks a signature part entirely, making it easier for attackers to manipulate the token’s content.
Example
Section titled “Example”Here is a valid JWT signed with RS512 algorithm:
eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyfQ.MnECRBSUQEi8GjiAyWHPhPhhpzCiMLldkq-N_VS-iwI08c4xEVUhT1Xrx9kNGuwusiQuLI3AOBTPwtbdaasQDCOpF0nxxQNKkufJYFds61ooFZfXCuRyXe1yGnXPRzTfgr5YVe9-T8_JDccx5JP70d9hoO4DU4GNYQMvrOQl4xu8DEyyDT2hsjyTbrodVhrV9znMfEBCsYPPLI-Q-HYLquGThPdJe2kBNA-CiLRV6Mwzji67cTd_4P_oUHKXsAxMqVpo-xC2xiVpO2P9X1__uXrRrfiNFUur4B71UMgGYJ2z_cQqwFfSXz9glBIf_-BJU10Rkmyo2ew862d7WsHx8gThis decoded JWT contains these parts:
{ "alg": "RS512", "typ": "JWT"}{ "sub": "1234567890", "iat": 1516239022}The following JWT has its signature stripped (null signature attack):
eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjkxNTU4MDksImlhdCI6MTcyOTE1MjIwOSwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.How to test?
Section titled “How to test?”If you want to test if your server is vulnerable to the “JWT Null Signature” vulnerability, you can use the crack command:
jwtop crack [token] --url [url]To generate a token with a null signature, use the exploit nullsig command:
jwtop exploit nullsig [token]What is the impact?
Section titled “What is the impact?”Signing a JWT with a null signature has a significant impact on the security of the token. A null signature means that there is no signature part used to sign the token, making it vulnerable to tampering and unauthorized access.
By manipulating the token’s content, attackers can gain unauthorized access to sensitive data, impersonate users, and perform other malicious activities.
How to remediate?
Section titled “How to remediate?”To remediate the “JWT Null Signature” vulnerability, you should ensure that all JWTs are verified with a valid signature before processing them.
Here are some best practices to follow:
- Always use a strong cryptographic algorithm like HS512, RS512, or EdDSA to sign JWTs.
- Ensure that the secret key used to sign JWTs is kept secure and not exposed to unauthorized users.
- Implement proper input validation and sanitization to prevent attackers from injecting malicious content into JWTs.
- Regularly monitor and audit JWTs to detect any unauthorized access or tampering attempts.