JSON Web Token Weak Secret

high Web App Scanning Plugin ID 112697

Synopsis

JSON Web Token Weak Secret

Description

JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity. When using a symmetric algorithm, the signature is created from the chosen HMAC function along with a secret key.

A weak secret key makes the token signature vulnerable to brute-force attacks: once the key is recovered, tokens can be manipulated and signed on behalf of the application. Depending on how the token is used, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

Solution

The secret key used to sign the JSON Web Tokens in the application must be long and random to prevent it from being retrieved with a brute-force attack. Note that the JSON Web Algorithms standard (RFC 7518) defines the minimum key length to be equal to the size (in bits) of the output of the hash function used with the HMAC algorithm.
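The following added example (not part of the plugin or of any particular JWT library) shows one way to enforce the RFC 7518 minimum key size when signing and verifying HMAC tokens. The function names are hypothetical and only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Minimum HMAC key size in bytes per RFC 7518 section 3.2 (the hash output size).
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_signing_key(alg: str) -> bytes:
    """Generate a key from the OS CSPRNG, sized to the RFC 7518 minimum for alg."""
    return secrets.token_bytes(MIN_KEY_BYTES[alg])

def check_key(alg: str, key: bytes) -> None:
    """Reject keys shorter than the hash output; length alone does not prove randomness."""
    need = MIN_KEY_BYTES[alg]
    if len(key) < need:
        raise ValueError(f"{alg} key is {len(key)} bytes; at least {need} required")

def sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    check_key(alg, key)
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = header + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), HASHES[alg]).digest()
    return signing_input + "." + b64url(sig)

def verify(token: str, key: bytes, alg: str = "HS256") -> dict:
    """Verify with the algorithm the server expects, not the one the token names."""
    check_key(alg, key)
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != alg:
        raise ValueError("unexpected alg in token header")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), HASHES[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))
```

The length check is a floor only: a 32-byte passphrase passes it but is still guessable, so the key should come from `new_signing_key` or an equivalent random source.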

See Also

https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html

https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6

https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a

https://research.securitum.com/jwt-json-web-token-security/

Plugin Details

Severity: High

ID: 112697

Type: remote

Published: 2/11/2021

Updated: 1/3/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

Reference Information