Description

The scanner detected a missing validation of the 'x5u' parameter in the header of a JSON Web Token (JWT). This parameter specifies the location of the X.509 certificate chain used to verify the token's signature. Without proper validation, an attacker can supply a malicious certificate, potentially allowing the creation of forged JWTs with arbitrary payloads. Attackers might be able to tamper with the values inside the JWT token payload and escalate privileges, impersonate users or trigger unintended application states that were meant to be prevented by the use of a tamper-proof token solution. Additionally they may be able to trigger a blind SSRF attack.

Remediation

In order to fix this vulnerability, you need to implement a whitelist of URLs that are allowed to host a x509 cert file, specified in the 'x5u' header parameter. To make sure it is resilient to validation bypasses, please make sure to validate the full URL and path and disable HTTP redirection for the HTTP library responsible for the token retrieval.

References

Fun With JWT X5u

Related Vulnerabilities

WordPress Plugin Formidable Forms-Contact Form, Survey, Quiz, Calculator & Custom Form Builder Security Bypass (2.0.21)

WordPress Plugin InstaWP Connect-1-click WP Staging & Migration Security Bypass (0.1.0.8)

WordPress Plugin Duplicator-WordPress Migration Security Bypass (0.5.8)

WordPress Plugin Ajax BootModal Login Security Bypass (1.4.3)

Joomla! Core 1.5.x Security Bypass (1.5.0 - 1.5.15)

Severity

High

Classification

CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:L/SA:L

Tags

Authentication Bypass Owasp Api Broken Auth Owasp Api Misconfiguration