Lack of data validation - Token

Description

The application does not verify the signature of the JWT access token it issues, so a modified token is still accepted; even a token with its signature removed is treated as valid.

Impact

  • Generate tokens by bypassing existing mechanisms.
  • Modify tokens so that requests crafted outside the normal application flow are accepted.

Recommendation

Generate tokens with random components and without sensitive information, and always validate that the integrity of the token is intact by verifying its signature before trusting any of its claims.

Threat

Unauthorized attacker with access to a token.

Expected Remediation Time

⌚ 90 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application correctly verifies the JWT signature before trusting the token.

const crypto = require('crypto');

// PUB_KEY is the server's public key (PEM or KeyObject), loaded elsewhere
function verifyToken(req, res) {
  const [jwtHeader, jwtPayload, jwtSignature] = req.token.split('.');

  // A token with no signature part is rejected outright
  if (!jwtSignature) {
    res.locals.message = "Erroneous credentials";
    return res.redirect("/users/signin");
  }

  // The algorithm is fixed server-side; it is never taken from the token header
  const verifyFunction = crypto.createVerify('RSA-SHA256');
  verifyFunction.write(jwtHeader + '.' + jwtPayload);
  verifyFunction.end();

  // JWT signatures are base64url encoded; convert to standard base64 for verify()
  const jwtSignatureBase64 = jwtSignature.replace(/-/g, '+').replace(/_/g, '/');
  const signatureIsValid = verifyFunction.verify(PUB_KEY, jwtSignatureBase64, 'base64');

  if (signatureIsValid) {
    // Handle user sign-in
  } else {
    res.locals.message = "Erroneous credentials";
    res.redirect("/users/signin");
  }
}

Non compliant code

The application does not verify the JWT signature.

const crypto = require('crypto');

function verifyToken(req, res) {
  const jwtHeader = req.token.split('.')[0];
  const jwtPayload = req.token.split('.')[1];

  // Defect: write() only feeds data into the stream and returns a backpressure
  // flag (normally true); verify() is never called, so the signature is ignored
  const verifyFunction = crypto.createVerify('RSA-SHA256');
  const isVerified = verifyFunction.write(jwtHeader + '.' + jwtPayload);

  if (isVerified) {
    // Handle user sign-in
  } else {
    res.locals.message = "Erroneous credentials";
    res.redirect("/users/signin");
  }
}

Requirements