Documentation
Broken Authentication
JWT Blank Secret

JWT Blank Secret

SeverityHigh
CVEs
Classifications

CWE-287: Improper Authentication (opens in a new tab)

OWASP Category

OWASP API2:2023 Broken Authentication (opens in a new tab)

A vulnerability occurs when a JSON Web Token (JWT) is signed with an empty secret. In this scenario, the token lacks proper cryptographic protection, making it susceptible to manipulation. Attackers can modify the token's claims and content without detection, potentially leading to unauthorized access and data tampering.

Example

Here is a valid JWT signed with HS256 algorithm:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.SCC35SSgMSMr0kV1i_TuPAhiSGtsC1cFGCfvaus5GyU

This decoded JWT contains, this parts:

{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "iat": 1516239022,
  "exp": 1516242622,
  "name": "John Doe",
  "sub": "2cb307ba-bb46-4194-854f-4774046d9c9b"
}

The following JWT is signed with an empty secret:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.SCC35SSgMSMr0kV1i_TuPAhiSGtsC1cFGCfvaus5GyU

How to test?

If you want to test only the "JWT Blank Secret" vulnerability, you can use the following command:

vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.blank_secret

VulnAPI supports scanning against various types of other JWT vulnerabilities as well.

What is the impact?

Signing a JWT with a blank secret has a significant impact on the security of the token. A blank secret means that there is no secret key used to sign the token, making it vulnerable to tampering and unauthorized access.

By signing a JWT with a blank secret, anyone with access to the token can modify its contents without detection. This can lead to various security risks, such as impersonation, data tampering, and unauthorized access to protected resources.

How to remediate?

To remediate the JWT blank secret vulnerability, ensure that all JWTs are signed with a secure secret key. Use strong cryptographic algorithms and keep the secret key confidential to prevent unauthorized access and tampering of the tokens.