Claim misuse

Header claims misuse can occur when the header information is tampered with or manipulated inappropriately.

JSON Web Key URL (JKU)

JKU is a part of the JWT specification that allows the JWT consumer to obtain the public key needed to verify the token’s signature dynamically. It is a URL that points to a JSON Web Key Set (JWKS) endpoint, which contains the public keys used by the issuer to sign the JWTs.

An example JKU would look like this:

{
"jku": "https://example.com/.well-known/jwks.json"
}

Vulnerability

JWT claim misuse with JKU The vulnerability arises when a JWT is signed with a weak or predictable key and the server provides a JKU that points to an external location hosting the public key.

Attackers can exploit this vulnerability by crafting a JWT with malicious claims and using the jku to trick the server into verifying the JWT using a weak or manipulated key. It all depends on the library being used inside the application. Some libraries block downloading from a random server by default and use a list of allowed URLs. However, filtering on URLs is quite challenging to implement, and this can be bypassed as well.

Exploitation Steps:

• Identify the JKU Endpoint: The attacker first needs to find the JKU endpoint in the application’s JWT handling logic or in any exposed configurations.

• Generate a malicious JWT: craft a JWT with malicious claims, altering or adding claims to gain unauthorized access or escalate privileges.

• Sign the JWT: Using your own private key sign the malicious JWT.

• Send the JWT to the server: Send the crafted JWT with the malicious claims to the server.

• Server verification: The server, upon receiving the JWT, validates the signature using the public key obtained from the JWKS endpoint.

• Successful attack: If the server uses the weak or manipulated key to verify the JWT, the attacker gains unauthorized access or executes their intended exploit.

Mitigation

To prevent JWT claim misuse with JKU, developers and security professionals should follow these best practices:

• Whitelist: utilize a whitelist to verify whether the received JKU from the token is present in the allowed list. Be careful when comparing urls by using String comparison functions, use a whitelist instead and validate the entire url from the jku.

• Static keys: Avoid using JKU with public keys hosted on external endpoints. Instead, use static keys that are securely managed and updated regularly.

• Signature verification: Ensure that the server verifies the JWT signature correctly and rejects tokens with invalid or manipulated signatures.

• JWT validation: Carefully validate and sanitize all JWT claims to prevent injection attacks and unauthorized access.

• Audit and monitoring: Regularly audit JWT usage, monitor for suspicious activity, and implement anomaly detection mechanisms.

• Security testing: Regularly perform security testing, including penetration testing and code reviews, to identify and remediate potential vulnerabilities.