Skip to main content

JWT JSON Web Token

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. They are commonly used for authentication and authorization in web applications, allowing users to securely access resources. Exposure of a JWT can lead to unauthorized access to sensitive data and services, as it may allow an attacker to impersonate a legitimate user or service.

How Does It Look

JWTs can appear in various contexts, such as:

  • Environment variables:

    export JWT_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

  • Configuration files (JSON, YAML, .env):

    {
      "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
    }

  • Code snippets:

    const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";

  • Connection strings:

    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Severity

  • 🟠 High

JWTs often grant access to sensitive resources and services. If compromised, an attacker can impersonate a user or service, potentially accessing or modifying sensitive data. The blast radius depends on the permissions associated with the token and the scope of its access.

What Can an Attacker Do?

With immediate access to a JWT, an attacker can impersonate the token's owner, gaining unauthorized access to services and data.

Key actions an attacker can perform:

  • Access protected resources (if the token has read permissions)
  • Modify or delete data (if the token includes write permissions)
  • Access user-specific information (if the token is tied to user identity)
  • Perform actions on behalf of the user (depending on the token's scope)

An attacker could potentially escalate privileges by exploiting other vulnerabilities in the system or move laterally to access additional resources if the token is not properly scoped or validated.

Real-World Impact

Exposure of a JWT poses significant business risks, including unauthorized access and data breaches.

Potential consequences include:

  • Data Exposure: Sensitive user data or application data (if the token has read access to sensitive data)
  • Financial Loss: Unauthorized transactions or resource usage (if the token allows financial operations)
  • Operational Disruption: Service outages or data corruption (if the attacker has modify permissions)
  • Reputational Damage: Loss of customer trust and brand value

In worst-case scenarios, attackers could leverage the token to gain further access to the network, leading to widespread data breaches and operational failures.

Prerequisites for Exploitation

  • Network access requirements: Ability to intercept or access the token
  • Additional context needed: Knowledge of endpoints or services the token grants access to
  • Rate limits or restrictions: Limited by token expiration and potential IP restrictions

How to Verify If It's Active

To verify if a JWT is active, you can use the following command:

curl -X GET "https://api.example.com/resource" -H "Authorization: Bearer [TOKEN]"

Valid credential response:

  • Successful access to the resource, typically with a 200 OK status and expected data.

Invalid/expired credential response:

  • Error response, such as a 401 Unauthorized status, indicating the token is invalid or expired.

Detection Patterns

Common Variable Names:

  • JWT_TOKEN
  • AUTH_TOKEN
  • ACCESS_TOKEN
  • BEARER_TOKEN
  • SESSION_TOKEN
  • API_TOKEN

File Locations:

  • config.json
  • .env
  • settings.yaml
  • credentials.json
  • app.config

Regex Pattern:

eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+

Remediation Steps

  1. Revoke immediately - Invalidate the JWT by updating the server-side token blacklist or changing the signing key.
  2. Audit access logs - Review server logs for unauthorized access attempts using the compromised token.
  3. Assess blast radius - Identify all services and resources accessed using the exposed JWT.
  4. Rotate credential - Issue a new JWT with updated claims and permissions.
  5. Update dependent systems - Ensure all applications and services use the new JWT securely.
  6. Harden access controls - Implement stricter token validation and expiration policies.
  7. Implement secrets management - Store JWTs securely using a secrets manager to prevent exposure.
  8. Add detection controls - Use automated tools to scan for exposed tokens in code repositories and logs.

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

References