Description

The scanner detected a missing validation of the 'jku' parameter in a JSON Web Token's header. This parameter specifies the location of the JSON web key set (JWKS) used to verify the token's signature. Without proper validation, an attacker can supply a JWKS, potentially allowing the creation of forged JWTs with arbitrary payloads. Attackers might be able to tamper with the values inside the JWT token payload and escalate privileges, impersonate users or trigger unintended application states that were meant to be prevented by the use of a tamper-proof token solution. Additionally they may be able to trigger a blind SSRF attack.

Remediation

In order to fix this vulnerability, you need to implement a whitelist of URLs that are allowed to host a JWKS file, specified in the 'jku' header parameter. To make sure it is resilient to validation bypasses, please make sure to validate the full URL and path and disable HTTP redirection for the HTTP library responsible for the token retrieval.

References

JSON Web Token attacks and vulnerabilities

Related Vulnerabilities

WordPress Plugin NextMove Lite-Thank You Page for WooCommerce Security Bypass (2.17.0)

WordPress Plugin Live Search for WooCommerce Security Bypass (2.0.2)

Joomla! Core 2.5.x Security Bypass (2.5.0 - 2.5.2)

WordPress Plugin Bulk Add to Cart for WooCommerce Security Bypass (1.2.2)

Drupal Core 8.x.x Security Bypass (8.0.0 - 8.6.18)

Severity

High

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:L/SA:L

Tags

Authentication Bypass Owasp Api Broken Auth Owasp Api Misconfiguration