Aller au contenu

JWT Weak Secret

Ce contenu n’est pas encore disponible dans votre langue.

SeverityHigh
CVEs
Classifications
OWASP CategoryOWASP API2:2023 Broken Authentication

A vulnerability occurs when a JSON Web Token (JWT) is signed with a common, a well-known, or a weak secret. In this scenario, the token lacks proper cryptographic protection, making it susceptible to manipulation. Attackers can find the secret then modify the token’s claims and content without detection, potentially leading to unauthorized access and data tampering.

  • Common Secret: The secret key used to sign the JWT is a common value, such as secret, password, or 123456. Attackers can easily guess (brute-force) the secret key.
  • Well-Known Secret: The secret key used to sign the JWT is a well-known value or a default value. This can happen when you use a default secret key provided by a product, library or framework. Attackers can find the secret key in public repositories, forums, or documentation.
  • Weak Secret: The secret key used to sign the JWT is a weak value, such as a short guessable string such as security2024. Attackers can use dictionary attacks, rainbow tables, or other brute-force techniques to find the secret key.

Here is a valid JWT signed with HS256 algorithm and a robust secret key:

Terminal window
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.ZuwZrXpLRj17vDjOLoOOJ7pr1CN5DnE8Clgn4y-fjNs

This decoded JWT contains these parts:

{
"alg": "HS256",
"typ": "JWT"
}
{
"iat": 1516239022,
"exp": 1516242622,
"name": "John Doe",
"sub": "2cb307ba-bb46-4194-854f-4774046d9c9b"
}

The following JWT is signed with secret secret:

Terminal window
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.gTgBr6lotpAxs4M46PgUXrjhIN5-gYG4HffKSEIB6Ys

If you want to test if your server is vulnerable to the “JWT Weak Secret” vulnerability, you can use the crack command:

Terminal window
jwtop crack [token] --url [url]

To attempt to brute-force the secret key of a token, use the exploit weaksecret command:

Terminal window
jwtop exploit weaksecret [token]

You can also provide a custom wordlist:

Terminal window
jwtop exploit weaksecret [token] --wordlist my-wordlist.txt

The impact of using a weak secret key to sign a JWT is significant. Attackers can easily find the secret key and modify the token’s claims and content without detection. This can lead to unauthorized access, data tampering, and other security risks.

Ensure to change the secret key to a strong and unique value. Use a secure random generator to create the secret key and store it securely. Rotate the secret key periodically to mitigate the risk of unauthorized access and data tampering.