FixVibe
Covered by FixVibe · high

# JWT Security: Risks of Unsecured Tokens and Missing Claim Validation

Improper JWT handling, such as accepting the "none" algorithm or not validating the exp and aud claims, can lead to authentication bypass.

JSON Web Tokens (JWTs) provide a standard for transferring claims, but security relies on rigorous validation. Failure to verify signatures, expiration times, or intended audiences allows attackers to bypass authentication or replay tokens.

CWE-347, CWE-287, CWE-613

## Attacker Impact

Improper JWT validation allows attackers to bypass authentication mechanisms by forging claims or reusing expired tokens [S1]. If a server accepts tokens without a valid signature, an attacker can modify the payload to escalate privileges or impersonate any user [S1]. Furthermore, failing to enforce the expiration (exp) claim allows an attacker to use a compromised token indefinitely [S1].

## Root Cause

A JSON Web Token (JWT) is a JSON-based structure used to represent claims that are digitally signed or integrity protected [S1]. Security failures typically stem from two primary implementation gaps:

  • Acceptance of Unsecured JWTs: If a service does not strictly enforce signature verification, it may process "Unsecured JWTs" where the signature is absent and the algorithm is set to "none" [S1]. In this scenario, the server trusts the claims in the payload without verifying their integrity [S1].
  • Missing Claim Validation: The exp (expiration time) claim identifies the time on or after which the JWT must not be accepted for processing [S1]. The aud (audience) claim identifies the intended recipients of the token [S1]. If these are not checked, the server may accept tokens that are expired or were intended for a different application [S1].

## Concrete Fixes

  • Enforce Cryptographic Signatures: Configure the application to accept only a pre-approved, strong signing algorithm (such as RS256), selected by server configuration rather than by the token's own alg header, and reject any JWT that does not use it.
  • Validate Expiration: Implement a mandatory check to ensure the current date and time are before the time specified in the exp claim [S1].
  • Verify Audience: Ensure the aud claim contains a value identifying the local service; if the service is not identified in the aud claim, the token must be rejected [S1].
  • Prevent Replay: Use the jti (JWT ID) claim to assign a unique identifier to each token, allowing the server to track and reject reused tokens [S1].

## Detection Strategy

Vulnerabilities in JWT handling can be identified by analyzing the token structure and server response behavior:

  • Header Inspection: Checking the alg (algorithm) header to ensure it is not set to "none" and uses expected cryptographic standards [S1].
  • Claim Verification: Confirming the presence and validity of the exp (expiration) and aud (audience) claims within the JSON payload [S1].
  • Validation Testing: Testing if the server correctly rejects tokens that have expired according to the exp claim or are intended for a different audience as defined by the aud claim [S1].