JWT Signature Bypass via kid SQL injection
Description
This vulnerability occurs when a JSON Web Token (JWT) implementation uses the 'kid' (Key ID) header parameter to retrieve cryptographic keys from a database without proper input validation, allowing SQL injection attacks. An attacker can exploit this flaw to manipulate the key retrieval process and forge valid JWT tokens with arbitrary payloads, completely bypassing the authentication mechanism. This represents a critical failure in both input validation and secure token verification practices.
Remediation
To remediate this vulnerability, implement the following measures:
1. Eliminate SQL Injection: Use parameterized queries or prepared statements when retrieving keys based on the 'kid' parameter. Never concatenate user input directly into SQL queries.
// Vulnerable code:
String query = "SELECT key FROM keys WHERE kid = '" + kidValue + "'";
// Secure code:
PreparedStatement stmt = conn.prepareStatement("SELECT key FROM keys WHERE kid = ?");
stmt.setString(1, kidValue);
ResultSet rs = stmt.executeQuery();2. Validate Input: Implement strict validation on the 'kid' parameter. Use an allowlist of acceptable key identifiers and reject any values that don't match expected formats (e.g., UUIDs or numeric IDs).
3. Implement Secure Error Handling: When key retrieval fails or returns invalid data, reject the token immediately rather than falling back to insecure defaults. Log these attempts for security monitoring.
4. Use Secure Key Management: Consider storing key identifiers in a non-SQL data structure or using a key management service (KMS) that doesn't require database queries based on user-controlled input.
5. Apply Defense in Depth: Implement additional JWT validation checks including issuer verification, expiration time validation, and audience claims verification to provide multiple layers of security.