Summary
- The third part of a series on JWT security looks at a flaw that lets an attacker gain full admin access to a website by forging a JWT.
- The attack works by injecting an attacker-controlled public key into the JWT header and signing the token with the corresponding private key.
- The server accepts the token without question, because it verifies the signature using the public key embedded in the token itself.
- As a result, the researcher was able to gain admin access and delete a test user.
- The flaw lies in the fact that the server blindly trusts key material supplied by the client instead of validating JWTs against known, server-side keys.
- To mitigate such an attack, servers should validate signatures only against known, static keys and should never trust keys taken from token headers.
By Aditya Bhatt