JSON Web Tokens (JWTs for short) are the new standard for transmitting identity information in the digital age.

JWTs are JSON objects that act as an identifier for your user or application. They are used to authenticate users and securely transmit secrets as part of an API, application, or service. They can carry claims that help prove to other parties that a particular person, user, or device belongs to the verified entity identified by the token.

In this blog post, we will explore what JWT Injections are, why they matter, and how you can mitigate their impact on your organization's security program.

What is a JWT Injection, and Why is It Happening?

JWT injection is an input-modification attack that happens when the integrity of JWT tokens is compromised. If malicious input (the injection payload) ends up inside a token's claims, the application that consumes the token may fail or produce unexpected results, such as vulnerability exploitation or a data breach. The consequences of this kind of mistake can therefore be significant.

For instance, imagine that you are an online retailer and your system creates a JWT for every user who visits your website. The token carries user information such as the username and the latest payment amount, among other data. An attacker modifies the latest payment amount by JWT injection, replacing it with a NoSQL boolean query such as "$ne": -1, and now represents an entirely different user category with an incredibly high bonus account balance.

JWT Injections are risky when someone can intercept the information sent in a JWT and inject a malicious payload inside it. This becomes possible when faulty (or non-existent) integrity checks on the API side accept the modified token, for instance because a weak signature or encryption mechanism is used.
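The retailer scenario above, as an added example that is not part of the original post: the vulnerable pattern (claims decoded without a signature check and forwarded into a NoSQL-style filter) beside a hardened version that verifies the HS256 signature, pins the algorithm in the header, and enforces primitive claim types so an object such as {"$ne": -1} can never reach the database layer. It uses only the Python standard library; the signing key, the claim names username/latest_payment, and the tamper_payload fixture are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads its signing key from a secret store.
SECRET = b"demo-signing-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj) -> str:
    """One base64url-encoded JSON segment of a compact JWS."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes = SECRET) -> str:
    """Issue a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header_b64 = json_segment({"alg": "HS256", "typ": "JWT"})
    payload_b64 = json_segment(claims)
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(mac)}"


# --- vulnerable path: the claims are trusted as-is -------------------------

def decode_unverified(token: str) -> dict:
    """Decodes the payload without touching the signature (the mistake)."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def build_query_vulnerable(token: str) -> dict:
    # Claim values flow straight into a NoSQL-style filter, so a claim such as
    # {"$ne": -1} is interpreted as an operator instead of a payment amount.
    claims = decode_unverified(token)
    return {"username": claims["username"], "latest_payment": claims["latest_payment"]}


# --- hardened path: verify, pin the algorithm, enforce claim types ---------

def decode_verified(token: str, key: bytes = SECRET) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: "none" and algorithm-confusion headers are rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    # Schema check: only primitive values of the expected type are accepted, so
    # an object or array can never reach the database layer as a claim value.
    amount = claims.get("latest_payment")
    if not isinstance(claims.get("username"), str):
        raise ValueError("username must be a string")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        raise ValueError("latest_payment must be a number")
    return claims


def build_query_hardened(token: str, key: bytes = SECRET) -> dict:
    claims = decode_verified(token, key)
    return {"username": claims["username"], "latest_payment": float(claims["latest_payment"])}


def hardened_accepts(token: str, key: bytes = SECRET) -> bool:
    """True if the hardened path would act on the token, False if it rejects it."""
    try:
        build_query_hardened(token, key)
        return True
    except ValueError:
        return False


def tamper_payload(token: str, new_claims: dict) -> str:
    """Test fixture: keep header and signature, swap the payload. This models the
    modified token the post describes; the old signature no longer matches."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{json_segment(new_claims)}.{sig_b64}"


if __name__ == "__main__":
    good = sign_hs256({"username": "alice", "latest_payment": 49.99})
    bad = tamper_payload(good, {"username": "alice", "latest_payment": {"$ne": -1}})
    print("vulnerable query:", build_query_vulnerable(bad))
    print("hardened accepts tampered token:", hardened_accepts(bad))
```

The schema check matters independently of the signature: even a token the issuer legitimately signed is rejected if a claim has the wrong shape, which is the right behaviour when a claim is about to be used as a query parameter.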

Why are JWT Injections Critical?

JWTs are often used with OAuth 2.0, the most popular API authentication protocol, which makes them widely implemented across the Internet.

JWT Injections are hard to detect and mitigate for several reasons. First, security solutions such as WAF, WAAP, and IDS do not provide JWT decoding/parsing capabilities, so they cannot block injection attacks carried inside a token. In addition, JWT tokens themselves look like regular tokens/sessions at first glance, since they appear properly encoded (look at the token in the black frame):

[Image: JWT Injection screenshot]

But a vulnerable API reacts to them differently:

[Image: JWT Injection]

We also highly recommend looking at the reference links for more examples of JWT injections.
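The gap described in this section, inline controls that see only an opaque encoded token, is what an inspector with JWT decoding closes. The Python below is an added example, not code from the original post: it pulls Bearer tokens out of constructed access-log lines, decodes header and claims without needing the signing key (an inline inspector normally has none), and flags unsigned tokens as well as claim values that carry object/array structure or "$"-prefixed NoSQL operator keys. It generalizes the "$ne" case from the post to any operator key at any nesting depth. The log format, claim names, and tokens are constructed for the demo, and the signature segment in the fixtures is a placeholder rather than a real MAC.

```python
import base64
import json
import re

# Matches a compact JWS in a Bearer header; the signature segment may be empty.
JWT_RE = re.compile(r"Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def operator_keys(value, path: str = "") -> list:
    """Recursively collect '$'-prefixed keys (NoSQL operator syntax) inside a claim."""
    found = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else str(key)
            if isinstance(key, str) and key.startswith("$"):
                found.append(child_path)
            found.extend(operator_keys(child, child_path))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            found.extend(operator_keys(child, f"{path}[{index}]"))
    return found


def inspect_token(token: str) -> list:
    """Decode header and claims and return detection labels (empty = nothing suspicious).
    No signature check happens here: an inline inspector has no signing key."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed_token"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["undecodable_token"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed_token"]
    findings = []
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        findings.append("unsigned_token")
    for key, value in claims.items():
        if isinstance(value, (dict, list)):
            findings.append(f"structured_claim:{key}")
    for op in operator_keys(claims):
        findings.append(f"nosql_operator:{op}")
    return findings


def scan_log(lines) -> list:
    """Return (line_number, findings) for every log line carrying a suspicious token."""
    results = []
    for number, line in enumerate(lines, start=1):
        match = JWT_RE.search(line)
        if match is None:
            continue
        findings = inspect_token(match.group(1))
        if findings:
            results.append((number, findings))
    return results


def demo_token(header: dict, claims: dict, signature: str = "cGxhY2Vob2xkZXI") -> str:
    """Fixture builder for the sample log: the signature is a placeholder, not a real MAC."""
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(claims)}.{signature}"


# Constructed access-log lines with the Authorization header appended (not from the post).
HS256 = {"alg": "HS256", "typ": "JWT"}
SAMPLE_LOG = [
    '203.0.113.10 "GET /api/orders" 200 "Bearer '
    + demo_token(HS256, {"username": "alice", "latest_payment": 49.99}) + '"',
    '203.0.113.11 "GET /api/orders" 200 "Bearer '
    + demo_token(HS256, {"username": "bob", "latest_payment": {"$ne": -1}}) + '"',
    '203.0.113.12 "GET /api/orders" 200 "Bearer '
    + demo_token({"alg": "none", "typ": "JWT"}, {"username": "carol", "latest_payment": 10}, signature="")
    + '"',
    '203.0.113.13 "GET /health" 200 "-"',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

Running the block reports line 2 (a structured claim carrying a "$ne" operator) and line 3 (an unsigned, alg=none token); the well-formed token on line 1 produces no finding. Because the inspector cannot verify signatures, it is a detection aid that complements, rather than replaces, the verification the API itself must perform.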

Conclusion

Injections remain the most dangerous and common threat for APIs in our latest API vulnerability report, and JWT injections are one of the subtypes. Unlike usual OWASP Injections, JWT Injections are hard to detect because the malicious payload is base64url-encoded inside the token. That is why choosing an API security solution with JWT decoding capabilities is crucial.

To learn how to improve your API threat prevention capabilities, book a demo with one of our API security experts.

References

We recommend reading the following red team articles about JWT injection techniques:

  1. Red Team guide: https://kurtikleiton.medium.com/json-web-token-exploitation-for-red-team-580eea1fe46a
  2. DEF CON 26 workshop presentation: https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20workshops/DEF%20CON%2026%20-%20Workshop-Louis-Nyfenegger-and-Luke-Jahnke-JWAT-Attacking-JSON-WEB-TOKENS.pdf
  3. Dovecot CVE: https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
  4. PAXSTORE CVE (CVE-2020-36124): https://www.cve.org/CVERecord?id=CVE-2020-36124