JWT Expiration Time

Description

This vulnerability occurs when the system that generates or validates JWTs does not properly check the expiration time, allowing an attacker to use a JWT beyond its intended lifetime. It can arise for several reasons, such as incorrect server configuration, flawed token validation logic, or server time synchronization issues. By exploiting it, an attacker can keep using a JWT after it has expired and gain unauthorized access to protected resources or functionality. For instance, if a JWT is issued with a short expiration time but the server fails to enforce that limit during validation, the token remains usable indefinitely.

To mitigate this vulnerability, developers should ensure that JWT expiration times are strictly enforced during validation. This means checking the expiration claim (exp) in the JWT payload against a trusted clock and rejecting tokens that have expired. It is also essential to regularly review and update server configurations, validate input data thoroughly, and follow security best practices to reduce the risk of such vulnerabilities.

Remediation

Enforce strict checks on the JWT expiration (exp) claim when validating tokens. Configure your backend services or libraries to reject any token whose exp time has passed. Use a secure time source to mitigate clock drift issues and ensure correct expiration calculations. Consider rotating or invalidating tokens on critical state changes, such as password resets. Implement server-side blacklisting or an allowlist for token revocation if practical. Conduct periodic reviews of JWT handling logic, ensuring that short-lived tokens align with security requirements and that no alternative code paths bypass the expiration check.
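The following validator is an added example written for this entry; it is not code from the page or from any particular JWT library. It builds and verifies HS256 tokens with only the Python standard library so that the expiration logic is fully visible: the signature is checked first, a token with no exp claim is rejected rather than treated as never expiring, exp (and nbf, if present) is compared against a caller-supplied clock with a small leeway for skew, and a jti deny-list covers the revocation case mentioned above (password resets and similar state changes). The secret, the leeway value, the claim values and the `REVOKED_JTI` store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secrets store.
SECRET = b"demo-secret-do-not-use"
# Allowed clock skew between issuer and verifier, in seconds (assumed value).
LEEWAY = 30
# Revoked token ids (jti), e.g. after a password reset. In-memory for the demo;
# a real service would back this with a shared store.
REVOKED_JTI = set()


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, secret=SECRET):
    """Sign an HS256 JWT for the given claims (demo issuer, not a library)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def revoke(jti):
    """Add a token id to the deny-list, e.g. on password reset or logout."""
    REVOKED_JTI.add(jti)


def verify_token(token, now=None, secret=SECRET, leeway=LEEWAY):
    """Verify the signature, then strictly enforce exp, nbf and revocation.

    Returns the claims on success and raises ValueError on any failure.
    `now` defaults to the system clock; tests pass a fixed time instead.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept 'none'
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # A missing exp is a failure, not "no expiry": such a token would never expire.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        raise ValueError("missing or non-numeric exp")
    if now > exp + leeway:
        raise ValueError("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        raise ValueError("token not yet valid")
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("token revoked")
    return claims


def is_accepted(token, now=None):
    """Convenience wrapper: True if verify_token accepts the token."""
    try:
        verify_token(token, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token({"sub": "alice", "jti": "demo-1", "iat": t0, "exp": t0 + 300})
    print("fresh token accepted:", is_accepted(tok, now=t0 + 10))
    print("after expiry accepted:", is_accepted(tok, now=t0 + 300 + LEEWAY + 1))
```

Two points worth noting from the code: the expiry comparison uses `>` against `exp + leeway`, so a verifier clock that is slightly behind the issuer's does not wrongly accept a stale token for longer than the configured skew, and every rejection path raises the same exception type so no caller can accidentally treat "expired" as a softer failure than "bad signature". Keep the leeway small (seconds, not minutes) and source `now` from a synchronized clock, as the remediation text recommends.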

References

https://owasp.org/www-community/attacks/JSON_Web_Token_(JWT)_Security_Cheat_Sheet
https://auth0.com/docs/secure/tokens/json-web-tokens

Severity

HIGH

Owasp

Code: A07:2021

Category: Identification and Authentication Failures

Classification

CWE-613

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 3.1 score: 8.2

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 score: 8.2