FixVibe
Covered by FixVibehigh

JWT Security: Risks of Unsecured Tokens and Missing Claim Validation

JSON Web Tokens (JWTs) provide a standard for transferring claims, but security relies on rigorous validation. Failure to verify signatures, expiration times, or intended audiences allows attackers to bypass authentication or replay tokens.

CWE-347CWE-287CWE-613

Attacker Impact

Improper JWT validation allows attackers to bypass authentication mechanisms by forging claims or reusing expired tokens [S1]. If a server accepts tokens without a valid signature, an attacker can modify the payload to escalate privileges or impersonate any user [S1]. Furthermore, failing to enforce the expiration (exp) claim allows an attacker to use a compromised token indefinitely [S1].

Root Cause

A JSON Web Token (JWT) is a JSON-based structure used to represent claims that are digitally signed or integrity protected [S1]. Security failures typically stem from two primary implementation gaps:

  • Acceptance of Unsecured JWTs: If a service does not strictly enforce signature verification, it may process "Unsecured JWTs" where the signature is absent and the algorithm is set to "none" [S1]. In this scenario, the server trusts the claims in the payload without verifying their integrity [S1].
  • Missing Claim Validation: The exp (expiration time) claim identifies the time on or after which the JWT must not be accepted for processing [S1]. The aud (audience) claim identifies the intended recipients of the token [S1]. If these are not checked, the server may accept tokens that are expired or were intended for a different application [S1].

Concrete Fixes

  • Enforce Cryptographic Signatures: Configure the application to reject any JWT that does not use a pre-approved, strong signing algorithm (such as RS256).
  • Validate Expiration: Implement a mandatory check to ensure the current date and time are before the time specified in the exp claim [S1].
  • Verify Audience: Ensure the aud claim contains a value identifying the local service; if the service is not identified in the aud claim, the token must be rejected [S1].
  • Prevent Replay: Use the jti (JWT ID) claim to assign a unique identifier to each token, allowing the server to track and reject reused tokens [S1].

Detection Strategy

Vulnerabilities in JWT handling can be identified by analyzing the token structure and server response behavior:

  • Header Inspection: Checking the alg (algorithm) header to ensure it is not set to "none" and uses expected cryptographic standards [S1].
  • Claim Verification: Confirming the presence and validity of the exp (expiration) and aud (audience) claims within the JSON payload [S1].
  • Validation Testing: Testing if the server correctly rejects tokens that have expired according to the exp claim or are intended for a different audience as defined by the aud claim [S1].