QID 150572: JWT in Authorization Header Uses Symmetric Algorithm. The lack of a signature will allow an attacker to easily modify a token to set arbitrary claims such as elevating privileges or impersonating another user. This is the weakest “algorithm” as there isn’t a signature to validate the token. The QID will detect tokens using the “none” algorithm. QID 150571: JWT in Authorization Header Uses “none” Algorithm. The QIDs are passive checks that will decode the token and review the contents. Qualys WAS is introducing two new QIDs to detect algorithms in JWTs found in Authorization headers. Let’s look at an example taken from the Tiredful API ( ):Į-7vwGjTn8aaVOEodtS9u683-LJ6m8NdRAuAmiIik Token = base64urlEncoding(header) + ‘.’ + base64urlEncoding(payload) + ‘.’ + base64urlEncoding(signature)Īs the portions of the token are base64 encoded, it is trivial to decode and view the contents. An operation is performed on two previous parts with the addition of a secret or private key.Įach of these sections is combined into a single token using the following: Signature – Section is used to validate the token. Payload: Section contains the information about the user referred to as Claims. May include additional fields such as Key ID (kid). The most common algorithms seen are HMAC with SHA-256 (HS256), a symmetric algorithm, and RSA with SHA-256, an asymmetric algorithm. Header – Section contains the type of token and the algorithm in use. Qualys Web Application Scanning (WAS) will now detect vulnerabilities related to algorithms used in JWTs. JWTs must be designed and implemented securely, or issues will be present. Although there is some debate about them as session tokens ( ) they are still used in that capacity as well. It is a stateless mechanism, and the token is sent with every request requiring identification, typically in the Authorization header or as a URL parameter. These encoded claims are used to provide identification of the requester and other information related to accessing. JSON Web Tokens, or JWTs, are an encoded set of claims commonly seen in REST APIs and Single page web applications (SPAs).
0 Comments
Leave a Reply. |