Security audits found that 95% of JWT tokens were signed but not encrypted

JWT Heartbreaker

Security platform provider Wallarm has released JWT Heartbreaker, a Burp extension designed to find thousands of weak secrets automatically.

Many web applications use JSON Web Token (JWT), a data format with built-in signature and encryption mechanisms, to store user sessions and application context, including authentication by SSO and metadata.

Tokens are generated by the server and sent to the client, which then presents them to prove its identity. They are usually carried in the HTTP Authorization bearer header of authenticated API calls, and are signed either with a private (shared) secret or with a public/private key pair.

However, says Wallarm, it's easy for developers to forget to change the default secrets when the time comes, or to use a weak third-party library. More than 95% of JWT tokens seen by the firm during security audit projects over the last five years have been signed but not encrypted, it says.

‘No limits, restrictions’

“The signature secret is a string with no limits or restrictions implemented by design,” Wallarm said in a blog post unveiling the project on September 2. “As a result, developers often keep it blank, weak, or default.

“There are a lot of copy and paste secrets from public samples, code snippets, Github gists, etc.

“Meanwhile, another problem with JWT signatures is that attackers offline can brute-force secrets by using only the JWT sample, meaning that only string secrets can be used during the JWT implementation.”

Last month, Wallarm completed a project to find as many public JWT secrets as possible, aiming to help developers and DevOps teams identify them through traffic analysis.

It focused on Google search and GitHub dorks using two main query patterns: ‘jwt example +TECHNOLOGY’, where TECHNOLOGY is either a language, such as PHP, Ruby, or Rails, or a framework, such as ExpressJS, Struts, or Flask; and a Google BigQuery search across 3M GitHub projects.

This generated a list of 340 public JWT secrets, which the company made publicly available.

For the project’s next stage, announced last week, Wallarm has grabbed more than 1,800 additional public JWT secrets from a number of public sources including Google, GitHub, and PasteBin, and has created a Burp extension that can check for them automatically via the vulnerabilities tab.

“JWT heartbreaker will automatically find JWT tokens in all the proxied HTTP requests and check if any weak secrets are compatible with them,” says Wallarm.
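The check the extension performs is an offline one: for an HMAC-signed token, each known weak secret is used to recompute the signature over the header and payload, and a match means the token was signed with a public secret. The following is an added example of that audit check in Python (not Wallarm's code); the `WEAK_SECRETS` list is a constructed stand-in for the public secrets database, and `make_token` exists only to build sample input.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed stand-in for a public weak-secret list (not Wallarm's database).
WEAK_SECRETS = ["secret", "changeme", "your-256-bit-secret", "jwt_secret_key"]

# Only HMAC algorithms can be verified with a plain string secret.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build a sample HMAC-signed JWT (used here only to construct test input)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret.encode(), signing_input, HMAC_ALGS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def find_weak_secret(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate secret that verifies the token's signature, or None."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    digest = HMAC_ALGS.get(header.get("alg"))
    if digest is None:
        # RS*/ES* tokens are signed with a key pair; a string secret cannot verify them.
        return None
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    signature = b64url_decode(parts[2])
    for secret in candidates:
        expected = hmac.new(secret.encode(), signing_input, digest).digest()
        if hmac.compare_digest(expected, signature):
            return secret
    return None
```

A non-None result means the token's signing secret appears in the public list and must be rotated; a None result only says the secret is not in that list, not that it is strong.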

The extension, which is based on the JSON Web Tokens (JWT4B) extension, is available under the GPL license and can be built from its source code.

Wallarm has also submitted JWT Heartbreaker to the BApp Store, but warns that the review process may take some time.

The company is promising regular updates to the weak secrets database available to JWT Heartbreaker.