JSON Web Token Weak Secret

high Web Application Scanning Plugin ID 112697

Synopsis

JSON Web Token Weak Secret

Description

JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity. When using a symmetric algorithm, the signature is created from the chosen HMAC function along with a secret key.

Using a weak secret key makes the signature vulnerable to brute-force attacks, allowing tokens to be manipulated and signed on behalf of the application. Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

Solution

The secret key used to sign the JSON Web Tokens in the application must be stronger (long and random) to prevent it from being retrieved with a brute-force attack. Note that the JSON Web Algorithms standard (RFC 7518) defines the minimum key length to be equal to the size (in bits) of the hash function used with the HMAC algorithm.
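
One way to apply this in an application, as an added example that is not part of the plugin or of any particular JWT library: the key is drawn from the operating system's CSPRNG at the RFC 7518 minimum size, and both signing and verification refuse to run with a shorter key. The function names (`generate_secret`, `require_strong_key`, `sign`, `verify`) and the sample claims are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# HMAC algorithms from RFC 7518 and the hash each one uses.
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
# Minimum key size in bytes = hash output size (32, 48, 64).
MIN_KEY_BYTES = {alg: h().digest_size for alg, h in HASHES.items()}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_secret(alg: str) -> bytes:
    """Return a random key of the minimum size allowed for alg."""
    return secrets.token_bytes(MIN_KEY_BYTES[alg])

def require_strong_key(alg: str, key: bytes) -> None:
    """Reject unsupported algorithms and keys below the RFC 7518 minimum.
    Length is necessary but not sufficient: the key must also be random,
    which is why generate_secret() is the intended source."""
    if alg not in HASHES:
        raise ValueError(f"unsupported algorithm: {alg}")
    if len(key) < MIN_KEY_BYTES[alg]:
        raise ValueError(f"{alg} key is {len(key) * 8} bits, "
                         f"minimum is {MIN_KEY_BYTES[alg] * 8}")

def _mac(alg: str, key: bytes, signing_input: str) -> str:
    return b64url(hmac.new(key, signing_input.encode("ascii"), HASHES[alg]).digest())

def sign(alg: str, claims: dict, key: bytes) -> str:
    require_strong_key(alg, key)
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{_mac(alg, key, header + '.' + body)}"

def verify(alg: str, token: str, key: bytes) -> dict:
    """Verify with the algorithm the server expects, never the token's own choice."""
    require_strong_key(alg, key)
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != alg:
        raise ValueError("unexpected alg in header")
    if not hmac.compare_digest(_mac(alg, key, header_b64 + "." + body_b64), sig_b64):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))
```

Running the length check at application start-up, when the key is loaded from configuration, surfaces a weak secret before any token is issued.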

See Also

https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html

https://research.securitum.com/jwt-json-web-token-security/

https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a

https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6

Plugin Details

Severity: High

ID: 112697

Type: remote

Published: 2/11/2021

Updated: 9/7/2021

Scan Template: api, scan, pci

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

Reference Information