Skip to content

JWT Invalid Signature Analyzer

Configuration Name: JWTInvalidSignature

Description

The JWTInvalidSignature analyzer checks whether an application accepts a JSON Web Token (JWT) that has an invalid signature.

For each request in the sequence walk, a modified version of the JWT with an invalid signature is generated. If the application accepts the request and returns a 2xx (success) or 5xx (server error) response, a finding is reported.

Faults Reported

The JWTInvalidSignature analyzer reports two types of findings based on the response from the application:

Fault Identifier Title Summary Solution Severity
CWE-347 JWT with invalid signature accepted A request succeeded with a JWT that has an invalid signature, indicating the application does not validate JWT signatures. This allows attackers to forge JWTs with arbitrary claims. Applications must enforce JWT signature validation and reject tokens with an invalid signature. High
CWE-347 JWT with invalid signature caused service exception A request with a JWT containing an invalid signature resulted in a service exception. The application is expected to return a 4xx client error for an invalid JWT but instead encountered an internal error. Applications must enforce JWT signature validation and return a client error (e.g., 401 Unauthorized) for invalid JWTs. Medium

Rule Evaluation

The JWTInvalidSignature analyzer is executed on every API operation in the sequence walk. It modifies the JWT by replacing the signature with an invalid value and sends the request. If the application does not properly validate the JWT signature, a finding is reported.

  • If the response is 2xx, the application incorrectly accepts the token.
  • If the response is 5xx, the application fails with a server error, indicating improper handling of invalid JWTs.

Remediation Steps

To mitigate the security risks associated with accepting JWTs with an invalid signature, implement the following remediation steps:

  1. Enforce Signature Validation

    • Ensure that all JWTs are validated against a known trusted signature before accepting them.
    • Use strict verification settings to reject JWTs with invalid or missing signatures.

  2. Reject Invalid JWTs

    • Implement strict JWT verification logic that explicitly disallows tokens with incorrect signatures.
    • Configure JWT libraries and authentication middleware to require a valid signature for every JWT.

  3. Enhance Server Response Handling

    • Ensure the application responds with a 4xx (client error) when an invalid JWT is provided.
    • Avoid server crashes or unhandled exceptions by properly handling JWT parsing errors.

  4. Perform Security Testing

    • Regularly test authentication mechanisms for JWT signature validation issues.
    • Conduct security audits and penetration tests to ensure that invalid JWTs are correctly rejected.

  5. Monitor and Log JWT Usage

    • Log all authentication-related failures, including invalid JWT attempts.
    • Set up monitoring and alerting for repeated invalid JWT attempts, which may indicate an attack.