Gateway allows JWT tampering by setting algorithm inside JWT header

Article ID: 240847

Products

CA API Gateway

Issue/Introduction

Our security testers identified that the gateway accepts the "none" algorithm in the JWT header, meaning that no signature has to be provided by the client or verified by the server.
A potential attacker can therefore change the JWT payload (any claim the API relies on) and submit the modified token, which may result in unauthorized actions on the API that the JWT is meant to protect.

Steps to reproduce the issue

1- Obtain a valid token for <domainname>
2- Use token.dev (or any JWT editor) to change the header "alg" value from RS256 to none and drop the signature segment (as below)

initial header 
{
  "typ": "JWT",
  "alg": "RS256"
}

Modified header

{
  "typ": "JWT",
  "alg": "none"
}

3- Use the modified token to invoke the API. If the call succeeds, the gateway is not verifying the token signature.

Cause

The customer was issuing a custom token (a custom id_token rather than the gateway's default token), for which the default tampering detection does not apply.

Environment

Release : 10.0

Component : API GATEWAY

Resolution

Detecting JWT token tampering

Non-custom (default) tokens are protected against tampering: the Decode Json Web Token assertion validates the signature of the id_token.

When a custom token is used, the Decode Json Web Token assertion does not detect tampering on its own; the policy must validate the signature of the custom id_token explicitly.

See the documentation on validating custom id_tokens:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/openid-connect-implementation/generate-and-validate-an-id-token.html
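As an added example (not part of this article and not the gateway's own code), the following Python script walks through the reproduction steps above and the resolution's point about signature validation. It issues a signed token, rewrites the header to alg none and strips the signature, alters a payload claim, and then runs the forged token through two decoders: one that trusts the header's alg value (the behaviour the testers exploited) and one that pins the expected algorithm and always requires a signature. HS256 (HMAC) stands in for the article's RS256 so the script runs with the standard library only; the key, claim names and function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real gateway key never appears in a KB article.
DEMO_KEY = b"demo-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a signed token (HS256 stands in for the article's RS256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = f"{b64url_encode(_json(header))}.{b64url_encode(_json(payload))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def set_alg_none(token: str) -> str:
    """Step 2 of the reproduction: set alg to none and drop the signature segment."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    header["alg"] = "none"
    return f"{b64url_encode(_json(header))}.{payload_b64}."


def tamper_claims(token: str, **changes) -> str:
    """Rewrite payload claims; only useful once the signature no longer matters."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{b64url_encode(_json(payload))}.{sig_b64}"


def _hs256_valid(header_b64: str, payload_b64: str, sig_b64: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def decode_trusting_header(token: str, key: bytes) -> dict:
    """VULNERABLE decoder: lets the token's own header choose how it is verified."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(payload_b64))  # accepted without any signature check
    if alg == "HS256" and _hs256_valid(header_b64, payload_b64, sig_b64, key):
        return json.loads(b64url_decode(payload_b64))
    raise ValueError("signature invalid or algorithm unsupported")


def decode_strict(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """HARDENED decoder: the verifier fixes the algorithm and always requires a signature."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("token must carry a signature")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg != expected_alg:  # rejects "none" and any other algorithm swap
        raise ValueError(f"alg {alg!r} not allowed, expected {expected_alg!r}")
    if not _hs256_valid(header_b64, payload_b64, sig_b64, key):
        raise ValueError("signature invalid")
    return json.loads(b64url_decode(payload_b64))


def accepts(decoder, token: str, key: bytes) -> bool:
    """True if the decoder returns claims for the token, False if it rejects it."""
    try:
        decoder(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    genuine = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    forged = tamper_claims(set_alg_none(genuine), role="admin")
    print("header-trusting decoder accepts forged token:", accepts(decode_trusting_header, forged, DEMO_KEY))
    print("strict decoder accepts forged token:         ", accepts(decode_strict, forged, DEMO_KEY))
```

The header-trusting decoder models why the report succeeded: it dispatches on an alg value the attacker controls, so "none" turns signature verification off. The strict decoder pins the algorithm the policy expects and refuses any token whose signature segment is empty, which is the check a policy handling custom id_tokens has to perform itself.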