In this post we review 3 methods of JWT attacks.
Why should we know about these attacks? To better understand how to protect and test our servers and applications.
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
From https://jwt.io/
The JWT includes 3 sections:
1. The header, which contains the algorithm used for the signature.
2. The claims - a JSON of specifications about the logged-in user.
3. A signature over #1 and #2.
Let's review 3 types of authorization attacks based on this.
1. Omit The Authorization Header
The simplest attack: an attacker tries to access the API without an Authorization header. This can work if, for some reason, the programmer forgot to add authorization validation to the API implementation.
To check this, we take an existing valid request, remove the Authorization header, and resend it.
2. Self Signed JWT
JWT section #3 is the signature, which ensures the JWT was created by an authorized entity. In most server frameworks, validation of the signature can be disabled for debugging purposes, either globally for the server or specifically for a single API. It is crucial that this validation is not left disabled.
To check this, we take an existing valid request, decode the JWT from the Authorization header, and re-sign it with a random secret.
3. Use The "None" Algorithm
The application server and API implementation must restrict the accepted signing algorithm to the one the server actually uses. Failing to do this, whether for debugging purposes or due to a configuration problem, enables the "None" attack.
To check this, we take an existing valid request, decode the JWT from the Authorization header, and re-sign it without a secret, using the "none" algorithm.
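The server-side counterpart of all three checks above, as an added example that is not part of the original post: a minimal HS256 verifier that rejects a missing Authorization header, a token signed with the wrong secret, and a token whose header declares alg "none". The secret, the claims and the build_token helper are constructed for this example; a real server would pin its algorithm and secret in configuration the same way.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret for this example (not from the original post).
SECRET = b"example-server-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature; alg="none" yields an unsigned token (test input)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_request(headers: dict, secret: bytes) -> tuple:
    """Return (accepted, reason). Covers the post's three checks:
    missing header (#1), wrong secret (#2) and alg "none" (#3)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing or malformed Authorization header"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "token must have header.payload.signature"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "token is not well-formed"
    # Allow-list the algorithm server-side; never let the token's own "alg"
    # choose the verifier, which is exactly what the "none" attack relies on.
    if header.get("alg") != "HS256":
        return False, f"algorithm {header.get('alg')!r} not allowed"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "signature mismatch"
    return True, "ok"
```

Each rejection reason corresponds to one of the three requests a tester would send, so the function doubles as a checklist for what the API implementation must enforce.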