JWT Signature Verification Bypass

ID

javascript.jwt_signature_verification_bypass

Severity

high

Resource

Cryptography

Language

JavaScript

Tags

CWE:347, NIST.SP.800-53, OWASP:2021:A3, OWASP:2021:A7, PCI-DSS:6.5.10, PCI-DSS:6.5.6, PCI-DSS:6.5.8

Description

Improper verification of JWT cryptographic signature.

Rationale

JWT signature verification bypass refers to a scenario where a JSON Web Token, which is meant to carry claims between parties in a form the receiver can authenticate, is accepted without its signature being correctly checked against a trusted key.

This allows attackers to forge tokens or tamper with the claims in existing ones, gaining unauthorized access to protected resources or services.

In JavaScript, JWT handling is often done using libraries like jsonwebtoken. For example, consider the following sample code using the jsonwebtoken library:

const jwt = require('jsonwebtoken');

function verifyToken(token) {
    try {
        // No key is supplied and the "none" algorithm is allowed, so a token
        // whose header declares alg: "none" is accepted without any signature.
        return jwt.verify(token, null, { algorithms: ['none'] }); // FLAW
    } catch (error) {
        throw new Error('Invalid token');
    }
}

In the example above, the none algorithm is allowed and no key is supplied, so a token whose header declares alg: "none" and carries an empty signature passes verification. The signature is never checked, and anyone who can craft a token can mint arbitrary claims, for instance a different user identity or an elevated role.

Remediation

To remediate the JWT signature verification bypass, configure the JWT parser so that it always verifies the signature against a trusted secret or public key, and pin the allowed algorithms to the one(s) the issuer actually uses (for example, only RS256 or only HS256). Never include none in the allowed list, and never let the algorithm be chosen by the untrusted token header: the server decides which algorithm is acceptable, and a token whose header disagrees must be rejected.

Furthermore, make sure your JWT libraries are updated to the latest versions, which often address security vulnerabilities and provide enhanced capabilities. Additionally, it’s important to apply similar best practices across all environments where JWTs are used or processed to maintain consistent security assurances.

References

  • CWE-347 : Improper Verification of Cryptographic Signature