JWT Weak Secret

Severity	High
CVEs	CVE-2023-27172 CVE-2023-46943
Classifications	CWE-287: Improper Authentication CWE-307: Improper Restriction of Excessive Authentication Attempts CWE-798: Use of Hard-coded Credentials
OWASP Category	OWASP API2:2023 Broken Authentication

A vulnerability occurs when a JSON Web Token (JWT) is signed with a common, a well-known, or a weak secret. In this scenario, the token lacks proper cryptographic protection, making it susceptible to manipulation. Attackers can find the secret then modify the token's claims and content without detection, potentially leading to unauthorized access and data tampering.

What are the different scenarios?

Common Secret: The secret key used to sign the JWT is a common value, such as secret, password, or 123456. Attackers can easily guess (brute-force) the secret key.
Well-Known Secret: The secret key used to sign the JWT is a well-known value or a default value This can happen when you use a default secret key provided by a product, library or framework.. Attackers can find the secret key in public repositories, forums, or documentation.
Weak Secret: The secret key used to sign the JWT is a weak value, such as a short guessable string such as security2024. Attackers can use dictionary attacks, rainbow tables, or other brute-force techniques to find the secret key.

Example

Here is a valid JWT signed with HS256 algorithm and a robust secret key:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.ZuwZrXpLRj17vDjOLoOOJ7pr1CN5DnE8Clgn4y-fjNs

This decoded JWT contains, this parts:

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "iat": 1516239022,
  "exp": 1516242622,
  "name": "John Doe",
  "sub": "2cb307ba-bb46-4194-854f-4774046d9c9b"
}

The following JWT is signed with secret secret:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.gTgBr6lotpAxs4M46PgUXrjhIN5-gYG4HffKSEIB6Ys

How to test?

If you want to test only the "JWT Null Signature" vulnerability, you can use the following command:

echo "vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.weak_secret

VulnAPI supports scanning against various types of other JWT vulnerabilities as well.

What is the impact?

The impact of using a weak secret key to sign a JWT is significant. Attackers can easily find the secret key and modify the token's claims and content without detection. This can lead to unauthorized access, data tampering, and other security risks.

How to remediate?

Ensure to change the secret key to a strong and unique value. Use a secure random generator to create the secret key and store it securely. Rotate the secret key periodically to mitigate the risk of unauthorized access and data tampering.

JWT Null Signature GraphQL Introspection Enabled