
JWT Weak Secret

Severity: High
CVEs:
Classifications
OWASP Category: OWASP API2:2023 Broken Authentication

This vulnerability occurs when a JSON Web Token (JWT) is signed with a common, well-known, or weak secret. In this scenario the token lacks proper cryptographic protection, making it susceptible to manipulation. An attacker who recovers the secret can modify the token's claims and content without detection, potentially leading to unauthorized access and data tampering.

What are the different scenarios?

  • Common Secret: The secret key used to sign the JWT is a common value, such as secret, password, or 123456. Attackers can easily guess (brute-force) the secret key.
  • Well-Known Secret: The secret key used to sign the JWT is a well-known or default value. This can happen when you keep the default secret key shipped with a product, library, or framework. Attackers can find the secret key in public repositories, forums, or documentation.
  • Weak Secret: The secret key used to sign the JWT is a weak value, such as a short, guessable string like security2024. Attackers can use dictionary attacks, rainbow tables, or other brute-force techniques to find the secret key.

Example

Here is a valid JWT signed with the HS256 algorithm and a robust secret key:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.ZuwZrXpLRj17vDjOLoOOJ7pr1CN5DnE8Clgn4y-fjNs

Decoded, this JWT consists of the following header and payload:

{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "iat": 1516239022,
  "exp": 1516242622,
  "name": "John Doe",
  "sub": "2cb307ba-bb46-4194-854f-4774046d9c9b"
}

The following JWT carries the same header and payload but is signed with the secret "secret":

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.gTgBr6lotpAxs4M46PgUXrjhIN5-gYG4HffKSEIB6Ys

How to test?

If you want to test only the "JWT Weak Secret" vulnerability, you can use the following command:

vulnapi scan <curl|openapi|graphql> --scans jwt.weak_secret [url]

VulnAPI can also scan for other types of JWT vulnerabilities.

What is the impact?

The impact of using a weak secret key to sign a JWT is significant. Attackers can easily find the secret key and modify the token's claims and content without detection. This can lead to unauthorized access, data tampering, and other security risks.

How to remediate?

Change the secret key to a strong, unique value. Use a cryptographically secure random generator to create the secret key and store it securely. Rotate the secret key periodically to limit the window of exposure if it is ever compromised.
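The following is an added example (not VulnAPI's own code) that ties the Example section and this remediation together: it reproduces HS256 signing for the page's claims, checks whether a token verifies under any of the common secrets this page names, and enforces the remediation with a minimum key length and a random key generator. The wordlist and the 32-byte minimum (taken from RFC 7518 section 3.2) are assumptions; the tokens and claims come from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets

# The page's second example token, which the page states is signed with the secret "secret".
WEAK_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0."
              "gTgBr6lotpAxs4M46PgUXrjhIN5-gYG4HffKSEIB6Ys")
PAGE_CLAIMS = {"iat": 1516239022, "exp": 1516242622, "name": "John Doe",  # the page's decoded payload
               "sub": "2cb307ba-bb46-4194-854f-4774046d9c9b"}
# Constructed wordlist: the common and weak values named on this page.
COMMON_SECRETS = [b"secret", b"password", b"123456", b"security2024"]
MIN_SECRET_BYTES = 32  # RFC 7518 s3.2: an HS256 key must be at least as long as the 256-bit HMAC output

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(signing_input: bytes, secret: bytes) -> str:
    return _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (header and payload serialized without whitespace)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{header}.{payload}.{_hs256(f'{header}.{payload}'.encode(), secret)}"

def verifies_with(token: str, secret: bytes) -> bool:
    """True if the token is an HS256 JWT whose signature matches the given secret."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # only HMAC-signed tokens can be checked against a shared secret
    expected = _hs256(f"{header_b64}.{payload_b64}".encode(), secret)
    return hmac.compare_digest(expected, sig_b64)

def weak_secret_in_use(token: str, candidates=COMMON_SECRETS):
    """Return the first candidate secret that signs the token, or None if none does."""
    return next((c.decode() for c in candidates if verifies_with(token, c)), None)

def secret_is_acceptable(secret: bytes) -> bool:
    """Remediation check: long enough for HS256 and not on the common-secret list."""
    return len(secret) >= MIN_SECRET_BYTES and secret not in COMMON_SECRETS

def generate_secret() -> bytes:
    """Cryptographically random HS256 key of the minimum acceptable length."""
    return secrets.token_bytes(MIN_SECRET_BYTES)
```

Run weak_secret_in_use(WEAK_TOKEN) to audit the page's token, and gate any configured key behind secret_is_acceptable before using it to sign.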