
Using JWT with Eyes Open - Risks of Blindly Using a Third-Party Package

By Idego Group


JSON Web Token (JWT) is a standard, defined in RFC 7519, for transferring data securely between services. It provides data integrity: a receiving service can verify that a token has not been tampered with in transit. Web developers often delegate JWT handling to third-party packages and assume those packages are correct and secure. Trusting them blindly, however, can have serious security consequences.

A JWT consists of three base64url-encoded elements separated by dots: header, payload, and signature. The header specifies the token type and the algorithm used to create the signature. The payload carries the functional data, such as user identification. The signature guarantees integrity: it is computed over the encoded header and payload with a secret or private key, depending on the algorithm.

RFC 7519 permits none as a value for the alg header parameter, intended for cases where the data is protected by other means. Poorly implemented JWT packages, however, may either fail with an unhandled error (a 500 response) or skip signature verification entirely when they encounter this value. The latter lets an attacker submit unsigned tokens and obtain sensitive data without any verification at all.

A critical vulnerability arises when the client is allowed to specify HS256 as the algorithm for a token that the server would normally verify with its asymmetric public key. An improperly configured server then verifies the token using HMAC with that same public key as the secret, completely circumventing the intended security: an attacker can forge tokens by signing them with the publicly available key while claiming to use a symmetric algorithm.

Base64 decoding alone does not verify a token's authenticity. Merely decoding the header and payload data does not confirm the token came from the claimed source or has not been modified. A common mistake involves using only decoding functions rather than verification functions that check the cryptographic signature.
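The three mistakes above (honouring alg none, letting the token pick the algorithm, and decoding instead of verifying) can all be shown with a few lines of standard-library code. The following is an added example, not code from the Idego article or from any JWT package; it implements a minimal HS256 verifier that pins the algorithm the server expects rather than trusting the token's header, and contrasts it with decode-only handling. The secret and all tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token: HMAC-SHA256 over 'header.payload' with the shared secret."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def unsigned_token(payload: dict) -> str:
    """Constructed test vector: an 'alg': 'none' token with an empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."

def decode_unverified(token: str) -> dict:
    """The mistake from the text: decoding alone returns the payload, signed or not."""
    return json.loads(_unb64url(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes) -> dict:
    """Hardened check: the server pins the algorithm it expects instead of trusting the
    token's own 'alg' header, so 'none' and every other algorithm are rejected outright,
    and the signature is compared in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_unb64url(payload_b64))

def is_valid(token: str, secret: bytes) -> bool:
    """Convenience wrapper: True only if verify_hs256 accepts the token."""
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False
```

A server that issues RS256 tokens applies the same rule with RS256 pinned, which is what closes the public-key-as-HMAC-secret confusion described above; the point is that the accepted algorithm is a server-side constant, never a value read from the token.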

Security packages are only as trustworthy as their implementations. While third-party solutions are generally appropriate, developers should thoroughly understand how they work. Keep packages updated, monitor for vulnerabilities, and upgrade promptly when issues are found.
