Unvalidated JWT jku parameter - Vulnerability Database


Description

The application fails to validate the 'jku' (JWK Set URL) parameter in JSON Web Token headers. This parameter names the URL from which the server retrieves the JWK Set containing the public keys used to verify the token's signature. When the value is not validated, an attacker can point it at a server hosting their own key set, allowing them to forge tokens with arbitrary claims that the application accepts as valid. Because the application fetches whatever URL the header names, the same weakness also gives rise to Server-Side Request Forgery (SSRF): the server makes outbound requests to attacker-controlled URLs.

Remediation

Implement strict validation of the 'jku' parameter to prevent token forgery and SSRF attacks:

1. Create an allowlist of trusted JWKS URLs - Only permit URLs from domains you control and trust. Reject any tokens with 'jku' values not on this list.

2. Validate the complete URL - Check the full URL including protocol, domain, and path. Do not rely on partial matching that could be bypassed with URL manipulation techniques.

3. Disable HTTP redirects - Configure your HTTP client to reject redirects when fetching JWKS files to prevent redirect-based bypasses.

4. Prefer alternative approaches - Consider using the 'kid' (Key ID) parameter with locally cached keys instead of 'jku', or remove support for 'jku' entirely if not required.

Example validation implementation:

// Example in Node.js
const ALLOWED_JKU_URLS = [
  'https://your-domain.com/.well-known/jwks.json',
  'https://trusted-provider.com/keys/jwks.json'
];

function validateJku(jku) {
  // Fail closed: a missing or non-string jku is rejected like an unlisted one
  if (typeof jku !== 'string' || jku.length === 0) {
    throw new Error('JKU header missing');
  }

  // Ensure HTTPS protocol before consulting the allowlist
  if (!jku.startsWith('https://')) {
    throw new Error('JKU must use HTTPS');
  }

  // Exact, full-string match against the allowlist (no prefix or substring matching)
  if (!ALLOWED_JKU_URLS.includes(jku)) {
    throw new Error('JKU URL not in allowlist');
  }

  return true;
}

// When fetching JWKS: validate first, then fetch with redirects disabled
// (top-level await is only legal in ES modules, so this runs inside an async function)
async function fetchJwks(jku) {
  validateJku(jku);
  const response = await fetch(jku, {
    redirect: 'error' // Reject redirects
  });
  return response.json();
}
