JWT Authentication Bypass via JWK Header Injection

Description

JWT authentication bypass via JWK header injection is a vulnerability in which an attacker places their own JSON Web Key (JWK) data in the header of a JWT (the "jwk" header parameter) so that the server uses that embedded key when verifying the token's signature. Because the verifier then checks the signature against a key the attacker controls, a token signed by the attacker is accepted as valid, allowing authentication to be bypassed and protected resources to be accessed without authorization. To prevent this vulnerability, developers should validate and sanitize JWT headers properly, use strong encryption and signing algorithms, and implement strict input validation checks to mitigate injection attacks.

Remediation

Validate and sanitize any JWK-related fields within the JWT header before processing. Restrict accepted algorithms to robust, modern signing methods (e.g., RS256, ES256) and disable weaker or 'none' algorithm options. Regularly rotate cryptographic keys and store them securely, ensuring that leaked or guessable keys do not compromise token integrity. Use secure libraries that properly handle JWK parsing and enforce strict checks on the JWT header’s structure. Employ short-lived tokens alongside server-side blacklisting for high-risk actions or when a key compromise is suspected. Finally, conduct periodic security reviews and threat modeling to identify any injection points related to JWT headers or key management.
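As an added illustration (not code from this entry or any particular library), the following Python sketch contrasts a verifier that takes its key from the token's own "jwk" header with one that resolves keys only from a server-side key set by "kid" and enforces an algorithm allowlist. It uses HS256 with constructed keys so it runs on the standard library alone; real-world instances typically involve an asymmetric algorithm such as RS256 with an attacker-supplied public key, but the defensive rule demonstrated is the same: the verification key is never derived from the token being verified.

```python
import base64, hashlib, hmac, json

# Server-side trusted key set (constructed): keys are resolved by "kid" from here only.
TRUSTED_KEYS = {"srv-2024": {"kty": "oct", "alg": "HS256", "k": "c2VydmVyLXNlY3JldA"}}
ALLOWED_ALGS = {"HS256"}  # explicit allowlist; 'none' is never accepted

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def hs256(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Builds an HS256-signed token; used here only to construct sample input."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}." + b64url_encode(hs256(key, f"{h}.{p}".encode()))

def verify_vulnerable(token: str):
    """Flawed verifier: trusts the jwk carried in the header as the signing key."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    key = b64url_decode(header["jwk"]["k"])  # key chosen by whoever minted the token
    if hmac.compare_digest(hs256(key, f"{h}.{p}".encode()), b64url_decode(s)):
        return json.loads(b64url_decode(p))
    return None

def verify_hardened(token: str):
    """Fixed verifier: alg allowlist, key looked up by kid, header jwk ignored."""
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    jwk = TRUSTED_KEYS.get(header.get("kid"))
    if jwk is None or jwk["alg"] != header["alg"]:
        return None
    if hmac.compare_digest(hs256(b64url_decode(jwk["k"]), f"{h}.{p}".encode()), sig):
        return json.loads(b64url_decode(p))
    return None

# Constructed samples: a token whose only key lives in its own header, and a legitimate one.
HEADER_KEYED = make_token({"alg": "HS256", "kid": "srv-2024",
                           "jwk": {"kty": "oct", "k": b64url_encode(b"untrusted-key")}},
                          {"sub": "admin"}, b"untrusted-key")
LEGIT = make_token({"alg": "HS256", "kid": "srv-2024"}, {"sub": "alice"},
                   b64url_decode(TRUSTED_KEYS["srv-2024"]["k"]))
```

Running both verifiers over HEADER_KEYED shows the difference: the flawed one accepts it, the hardened one rejects it while still accepting LEGIT.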

References

https://owasp.org/www-community/attacks/JSON_Web_Token_(JWT)_Security_Cheat_Sheet
https://tools.ietf.org/html/rfc7517
https://auth0.com/docs/secure/tokens/json-web-tokens

Severity

HIGH

OWASP

Code: A07:2021

Category: Identification and Authentication Failures

Classification

CWE-347

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Score: 8.2

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Score: 8.2