JWT Weak Secret
Ce contenu n’est pas encore disponible dans votre langue.
| Severity | High |
|---|---|
| CVEs | |
| Classifications | |
| OWASP Category | OWASP API2:2023 Broken Authentication |
A vulnerability occurs when a JSON Web Token (JWT) is signed with a common, a well-known, or a weak secret. In this scenario, the token lacks proper cryptographic protection, making it susceptible to manipulation. Attackers can find the secret then modify the token’s claims and content without detection, potentially leading to unauthorized access and data tampering.
What are the different scenarios?
Section titled “What are the different scenarios?”- Common Secret: The secret key used to sign the JWT is a common value, such as
secret,password, or123456. Attackers can easily guess (brute-force) the secret key. - Well-Known Secret: The secret key used to sign the JWT is a well-known value or a default value. This can happen when you use a default secret key provided by a product, library or framework. Attackers can find the secret key in public repositories, forums, or documentation.
- Weak Secret: The secret key used to sign the JWT is a weak value, such as a short guessable string such as
security2024. Attackers can use dictionary attacks, rainbow tables, or other brute-force techniques to find the secret key.
Example
Section titled “Example”Here is a valid JWT signed with HS256 algorithm and a robust secret key:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.ZuwZrXpLRj17vDjOLoOOJ7pr1CN5DnE8Clgn4y-fjNsThis decoded JWT contains these parts:
{ "alg": "HS256", "typ": "JWT"}{ "iat": 1516239022, "exp": 1516242622, "name": "John Doe", "sub": "2cb307ba-bb46-4194-854f-4774046d9c9b"}The following JWT is signed with secret secret:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.gTgBr6lotpAxs4M46PgUXrjhIN5-gYG4HffKSEIB6YsHow to test?
Section titled “How to test?”If you want to test if your server is vulnerable to the “JWT Weak Secret” vulnerability, you can use the crack command:
jwtop crack [token] --url [url]To attempt to brute-force the secret key of a token, use the exploit weaksecret command:
jwtop exploit weaksecret [token]You can also provide a custom wordlist:
jwtop exploit weaksecret [token] --wordlist my-wordlist.txtWhat is the impact?
Section titled “What is the impact?”The impact of using a weak secret key to sign a JWT is significant. Attackers can easily find the secret key and modify the token’s claims and content without detection. This can lead to unauthorized access, data tampering, and other security risks.
How to remediate?
Section titled “How to remediate?”Ensure to change the secret key to a strong and unique value. Use a secure random generator to create the secret key and store it securely. Rotate the secret key periodically to mitigate the risk of unauthorized access and data tampering.