Jingcheng Yang (Tsinghua University), Enze Wang (Tsinghua University and National University of Defense Technology), Jianjun Chen (Tsinghua University), Qi Wang (Tsinghua University), Yuheng Zhang (Tsinghua University), Haixin Duan (Tsinghua University), Wei Xie (National University of Defense Technology), Baosheng Wang (National University of Defense Technology)

JSON Web Tokens (JWT) have become a widely adopted standard for secure information exchange in modern distributed web applications, particularly for authentication and authorization scenarios. However, JWT implementations have introduced various vulnerabilities, such as signature verification bypass, token spoofing, and denial-of-service attacks. While prior research has reported individual such vulnerabilities, there is a lack of systematic study for JWT implementations.

In this paper, we propose JWTeemo, a novel testing methodology to effectively discover JWT vulnerabilities in JWT implementations. We evaluated JWTeemo against 43 JWT implementations across 10 popular programming languages and discovered 31 previously unknown security vulnerabilities, 20 of which have been assigned CVE numbers. We demonstrated the security impact of these vulnerabilities, such as enabling authentication bypass in Kubernetes and denial-of-service attacks against Apache James. We further categorized these vulnerabilities into five types, and proposed several mitigation strategies. We discussed our mitigation strategies with the IETF, which has acknowledged our findings and suggested that they would adopt our mitigations in a new RFC document. We have also reported those identified vulnerabilities to the affected providers and received acknowledgments and bug bounty rewards from Apache, Connect2id, Kubernetes, Let’s Encrypt, and RedHat.

View More Papers

Lightweight Internet Bandwidth Allocation and Isolation with Fractional Fair...

Marc Wyss (ETH Zurich), Yih-Chun Hu (University of Illinois at Urbana-Champaign), Vincent Lenders (University of Luxembourg), Roland Meier (armasuisse), Adrian Perrig (ETH Zurich)

Read More

UsersFirst in Practice: Evaluating a User-Centric Threat Modeling Taxonomy...

Alexandra Xinran Li (Carnegie Mellon University), Tian Wang (University of Illinois Urbana-Champaign), Yu-Ju Yang (University of Illinois Urbana-Champaign), Miguel Rivera-Lanas (Carnegie Mellon University), Debeshi Ghosh (Carnegie Mellon University), Hana Habib (Carnegie Mellon University), Lorrie Cranor (Carnegie Mellon University), Norman Sadeh (Carnegie Mellon University)

Read More

DNN Latency Sequencing: Extracting DNN Architectures from Intel SGX...

Minkyung Park (University of Texas at Dallas), Zelun Kong (University of Texas at Dallas), Dave (Jing) Tian (Purdue University), Z. Berkay Celik (Purdue University), Chung Hwan Kim (University of Texas at Dallas)

Read More