Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
JWT Signature Bypass via unvalidated jwk parameter - Vulnerability Database

JWT Signature Bypass via unvalidated jwk parameter

Description

This vulnerability occurs when a JSON Web Token (JWT) implementation fails to properly validate the 'jwk' (JSON Web Key) parameter in the token header. The 'jwk' parameter allows the token itself to specify which public key should be used to verify its signature. Without strict validation, an attacker can embed their own cryptographic key in the token header and use the corresponding private key to sign malicious tokens. This effectively bypasses the signature verification mechanism, allowing attackers to forge valid-looking JWTs with arbitrary claims and payloads.

Remediation

Immediately disable support for the 'jwk' header parameter in your JWT validation logic unless there is an explicit and documented business requirement for it. Most applications should rely on a pre-configured, trusted key store rather than accepting keys embedded in tokens.

If you must support the 'jwk' parameter, implement the following controls:
1. Maintain a whitelist of trusted public keys and verify that any 'jwk' parameter matches an entry in this whitelist
2. Implement key pinning to ensure only known, trusted keys are accepted
3. Add additional validation to verify the key's origin and authenticity

Example secure validation (Node.js with jsonwebtoken library):

const jwt = require('jsonwebtoken');
const fs = require('fs');

// Load trusted public key from secure location
const trustedPublicKey = fs.readFileSync('path/to/trusted-public-key.pem');

function verifyToken(token) {
  try {
    // Decode header without verification to check for jwk parameter
    const decoded = jwt.decode(token, { complete: true });
    
    // Reject tokens with jwk parameter
    if (decoded.header.jwk) {
      throw new Error('jwk parameter not supported');
    }
    
    // Verify using only trusted key from server configuration
    const payload = jwt.verify(token, trustedPublicKey, {
      algorithms: ['RS256'] // Explicitly specify allowed algorithms
    });
    
    return payload;
  } catch (error) {
    throw new Error('Token validation failed: ' + error.message);
  }
}

Review all JWT validation code to ensure signatures are verified against keys from trusted, server-side sources only, never from user-controlled input.

References

JWT (JSON Web Token) (in)security

Related Vulnerabilities

JWT Signature is not Verified High
Common tags: Authentication Bypass Configuration API Broken Auth
JWT Signature Bypass via unvalidated jku parameter High
Common tags: Authentication Bypass API Broken Auth API Misconfiguration
JWT Signature Bypass via kid Path Traversal High
Common tags: Authentication Bypass API Broken Auth API Misconfiguration
JWT Signature Bypass via kid SQL injection High
Common tags: Authentication Bypass API Broken Auth API Misconfiguration
JWT Signature Bypass via unvalidated x5c parameter High
Common tags: Authentication Bypass API Broken Auth API Misconfiguration

Severity

High

Classification

CWE-287
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:L/SA:L

Tags

Authentication Bypass
Configuration
API Broken Auth
API Misconfiguration