Skip to main content

JWT Audience Cross Service Relay Attack

OWASP CategoryOWASP API2:2023 Broken Authentication

A vulnerability arises when a JSON Web Token (JWT) is signed by the same service but doesn't verify the issuer (the source of the token) and the audience (the intended recipient). This can lead to security risks, as it means an attacker could create a forged JWT with the same service signature and manipulate the issuer and audience fields. Without proper verification, the service may accept the forged token, potentially granting unauthorized access or compromising the system's security.


TODO: write an example

How to test?

TODO: VulnAPI Command

What is the impact?

TODO: write the impact

Services impacted

TODO: list all the services used to create a token but using the same keys

How to remediate?

TODO: write the remediation