Gateway allows JWT tampering by setting algorithm inside JWT header
search cancel

Gateway allows JWT tampering by setting algorithm inside JWT header

book

Article ID: 240847

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Our security testers identified that the "none" algorithm is accepted in the JWT header, meaning that a signature did not have to be provided and verified by the server
This means that a potential attacker can change the JWT payload, which may result in unfavorable actions on the API which is protected by the JWT Token

Steps to reproduce the issue

1- get a token for <domainname>
2- use token.dev to modify the JWT and set the algorithm as none (as below)

initial header 
{
  "typ": "JWT",
  "alg": "RS256"
}

Modified header

{
  "typ": "JWT",
  "alg": "none"
}

3- Use the modified token to invoke the API

 

Environment

API Gateway OAuth Toolkit

Cause

Customer was using a custom JWK token

Resolution

Detecting JWT TOKEN Tampering

Non-custom tokens (default) detect tampering, this is done with the Decode Json Web Token assertion validating the signature of an id_token.

When using custom TOKEN the Decode JSon Web Token assertion does not pick up tampering.

For this see the docs link for validating Custom id_tokens

Generate and Validate an ID Token

 

 

Powered by Wolken Software