|
| 1 | +--- |
| 2 | +title: JWT Algorithm Confusion |
| 3 | +description: JWT Algorithm Confusion, also known as HMAC confusion attack, occurs when an attacker tricks a server into verifying a JWT using a symmetric algorithm (like HS256) instead of an asymmetric one (like RS256). |
| 4 | +--- |
| 5 | + |
| 6 | +import { Tabs, TabItem } from '@/components/docs' |
| 7 | + |
| 8 | +<table> |
| 9 | + <tr> |
| 10 | + <th>Severity</th> |
| 11 | + <td>High</td> |
| 12 | + </tr> |
| 13 | + <tr> |
| 14 | + <th>CVEs</th> |
| 15 | + <td> |
| 16 | + <ul> |
| 17 | + <li><a href="https://www.cve.org/CVERecord?id=CVE-2016-5431">CVE-2016-5431</a></li> |
| 18 | + </ul> |
| 19 | + </td> |
| 20 | + </tr> |
| 21 | + <tr> |
| 22 | + <th>Classifications</th> |
| 23 | + <td> |
| 24 | + <ul> |
| 25 | + <li><a href="https://cwe.mitre.org/data/definitions/345.html">CWE-345: Insufficient Verification of Data Authenticity</a></li> |
| 26 | + <li><a href="https://cwe.mitre.org/data/definitions/347.html">CWE-347: Improper Verification of Cryptographic Signature</a></li> |
| 27 | + </ul> |
| 28 | + </td> |
| 29 | + </tr> |
| 30 | + <tr> |
| 31 | + <th>OWASP Category</th> |
| 32 | + <td> |
| 33 | + <a href="https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/">OWASP API2:2023 Broken Authentication</a> |
| 34 | + </td> |
| 35 | + </tr> |
| 36 | +</table> |
| 37 | + |
| 38 | +JWT Algorithm Confusion, also known as HMAC confusion attack, occurs when an attacker tricks a server into verifying a JWT using a symmetric algorithm (like HS256) instead of an asymmetric one (like RS256). This typically happens when a server uses a public key (intended for RS256) as the secret for HS256 verification. |
| 39 | + |
| 40 | +For more details, you can refer to the [jwtop documentation on HMAC Confusion](https://www.cerberauth.com/docs/jwtop/vulnerabilities/hmac-confusion/). |
| 41 | + |
| 42 | +## Example |
| 43 | + |
| 44 | +An application is expected to receive a JWT signed with an asymmetric algorithm like RS256. The server uses a public key to verify the signature. |
| 45 | + |
| 46 | +If the application is vulnerable, an attacker can: |
| 47 | +1. Obtain the public key (which is often public). |
| 48 | +2. Create a new JWT with the algorithm header set to `HS256`. |
| 49 | +3. Sign the JWT using the public key as the HMAC secret. |
| 50 | +4. Send the forged token to the server. |
| 51 | + |
| 52 | +The server, seeing `HS256` in the header, might use its public key as the secret to verify the HMAC signature, and if it doesn't strictly enforce the algorithm, the verification will succeed. |
| 53 | + |
| 54 | +## How to test? |
| 55 | + |
| 56 | +If you want to test only the "JWT Algorithm Confusion" vulnerability, you can use the following command: |
| 57 | + |
| 58 | +<Tabs> |
| 59 | + <TabItem label="cURL"> |
| 60 | +```bash |
| 61 | +vulnapi scan curl [url] -H "Authorization: Bearer [JWT]" --scans jwt.hmac_confusion |
| 62 | +``` |
| 63 | + </TabItem> |
| 64 | + <TabItem label="OpenAPI"> |
| 65 | +```bash |
| 66 | +echo "[JWT]" | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans jwt.hmac_confusion |
| 67 | +``` |
| 68 | + </TabItem> |
| 69 | + <TabItem label="GraphQL"> |
| 70 | +```bash |
| 71 | +vulnapi scan graphql -H "Authorization: Bearer [JWT]" --scans jwt.hmac_confusion [url] |
| 72 | +``` |
| 73 | + </TabItem> |
| 74 | +</Tabs> |
| 75 | + |
| 76 | +VulnAPI supports scanning against various types of other [vulnerabilities](../) as well. |
| 77 | + |
| 78 | +## What is the impact? |
| 79 | + |
| 80 | +The potential security impacts of JWT Algorithm Confusion are: |
| 81 | + |
| 82 | +- **Full Authentication Bypass**: An attacker can forge tokens for any user, including administrative accounts. |
| 83 | +- **Unauthorized Access**: Gaining access to sensitive data and functionalities. |
| 84 | +- **Account Takeover**: Impersonating any user in the system. |
| 85 | + |
| 86 | +## How to remediate? |
| 87 | + |
| 88 | +- **Strict Algorithm Enforcement**: Always specify the expected algorithm(s) when verifying a JWT. Do not rely on the `alg` header from the token. |
| 89 | +- **Use Secure Libraries**: Use JWT libraries that are not vulnerable to this attack and ensure they are correctly configured. |
| 90 | +- **Separate Keys**: Use different keys for different purposes and ensure that public keys are only used for asymmetric verification. |
0 commit comments