Detections
Analytics
JSON Web Token Weak Secret
high Web App Scanning Plugin ID 112697
Language:
Synopsis
JSON Web Token Weak SecretDescription
JSON Web Tokens can be signed to protect against data tampering. By using an asymmetric or a symmetric signing algorithm, the application computes a signature of the token data which will be verified during token decoding to ensure its integrity. When using a symmetric algorithm, the signature is created from the chosen HMAC function along with a secret key.Using weak keys makes it vulnerable to bruteforce attacks, allowing tokens to be manipulated and signed on behalf of the application. Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.
Solution
The secret key used to sign the JSON Web Tokens in the application must be stronger (long and random) to prevent it from being retrieved with a bruteforce attack. Note that the JSON Web Algorithms standard (RFC 7518) defines the minimum key length to be equal to the size (in bits) of the hash function used with the HMAC algorithm.See Also
https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6
https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a
Plugin Details
Severity: High
ID: 112697
Type: remote
Family: Web Applications
Published: 2/11/2021
Updated: 7/1/2024
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: High
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS Score Source: Tenable
CVSS v4
Risk Factor: High
Base Score: 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: Tenable