Jingcheng Yang (Tsinghua University), Enze Wang (National University of Defense Technology & Tsinghua University), Jianjun Chen (Tsinghua University), Qi Wang (Tsinghua University), Yuheng Zhang (Tsinghua University), Haixin Duan (Quancheng Lab,Tsinghua University), Wei Xie (College of Computer, National University of Defense Technology), Baosheng Wang (National University of Defense Technology)
JSON Web Tokens (JWT) have become a widely adopted standard for secure information exchange in modern distributed web applications, particularly for authentication and authorization scenarios. However, JWT implementations have introduced various vulnerabilities, such as signature verification bypass, token spoofing, and denial-of-service attacks. While prior research has reported individual such vulnerabilities, there is a lack of systematic study for JWT implementations.
In this paper, we propose JWTFuzz, a novel testing methodology to effectively discover JWT vulnerabilities in JWT implementations. We evaluated JWTFuzz against 43 JWT implementations across 10 popular programming languages and discovered 31 previously unknown security vulnerabilities, 20 of which have been assigned CVE numbers. We demonstrated the security impact of these vulnerabilities, such as enabling authentication bypass in Kubernetes and denial-of-service attacks against Apache James. We further categorized these vulnerabilities into five types, and proposed several mitigation strategies. We discussed our mitigation strategies with the IETF, which has acknowledged our findings and suggested that they would adopt our mitigations in a new RFC document. We have also reported those identified vulnerabilities to the affected providers and received acknowledgments and bug bounty rewards from Apache, Connect2id, Kubernetes, Let's Encrypt, and RedHat.