JWT validation in URL

Hi everyone, I have some questions related to JWT:

Background:
A system generates some payment links (amount, description, email, etc). They use JWT in the URL this way: https://some-site.com/pay?token=Jwt TOKEN.

As far as I know, JWT has 3 parts: HEADER, PAYLOAD, SIGNATURE

The purpose of these is to validate the integrity of the message.

If the message JWT token is not properly generated (the signature does not match), can we say that JWT is not properly implemented?

Furthermore, if I can change the message (PAYLOAD) to any other value, and the platform does not generate any warning about the JWT INTEGRITY, can we say that it is not secure?

To report this finding, should I use FIN.S.0078. Insecure token generation?

Thank you.

First of all, jwt.io gives you “Invalid Signature” because you didn’t provide any (this should be a secret key on the client’s code), and if you don’t it will return that. The token generation could be insecure if that secret key for validation is an insecure one.

Then about the web service, if you modify the JWT token and the web service accepts it, then the finding is FIN.S.0055. Insecure service configuration or CAPEC-39: Manipulating Opaque Client-based Data Tokens, because the application is only reading the base64 payload and accepting it without validation.

If that happens and the server is using the header Authorization: Bearer JWT you should check that too because you can impersonate other users with this.


For verifying the signature in jwt.io or with any JWT package you need to know the correct secret; that’s why it says ‘invalid signature’, because you have not entered a valid signature there, you just left the default ‘your-256-bit-secret’ as secret.

Now, if they do not verify the signature before trusting the token, then yes, there is a security hole.

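Both replies above make the same point: a server that only base64-decodes the payload will accept any claims, while one that recomputes the HMAC over `header.payload` and compares it to the signature rejects a modified payload. The following is an added, self-contained Python example (not code from the original thread or from the payment platform) that builds an HS256 token, shows the insecure "decode only" reading side by side with proper verification, and demonstrates how a tampered `amount` claim is caught. The secret, claims and token are constructed for the demo; only the standard library is used, so it runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a JWT: HMAC-SHA256 over 'header.payload' with the server secret."""
    header_b64 = b64url_encode(compact_json({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url_encode(compact_json(payload))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The flaw discussed in the thread: read the base64 payload and trust it.
    Anyone can edit the claims because the signature is never checked."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Proper validation: returns the claims only if the signature matches,
    otherwise None. The caller must treat None as an untrusted request."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # wrong number of segments
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, TypeError):
        return None
    # Pin the algorithm: never let the token choose (rejects "none" and
    # algorithm-confusion tokens before any signature work is done).
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def with_modified_claims(token: str, changes: dict) -> str:
    """Test helper: rewrite claims but keep the original signature, i.e. the
    'change the PAYLOAD' case from the question. Used here to show that
    verify_hs256 rejects it while decode_unverified accepts it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{b64url_encode(compact_json(claims))}.{sig_b64}"


def demo() -> dict:
    """Run the comparison and return what each reader saw for the tampered link."""
    secret = b"constructed-demo-secret-not-for-real-use"  # constructed
    original = sign_hs256({"amount": 100, "currency": "USD",
                           "email": "buyer@example.com"}, secret)  # constructed claims
    tampered = with_modified_claims(original, {"amount": 1})
    return {
        "original_verified": verify_hs256(original, secret),
        "tampered_unverified": decode_unverified(tampered),  # accepted: amount 1
        "tampered_verified": verify_hs256(tampered, secret),  # rejected: None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `decode_unverified` path is what the original poster observed: the platform reads whatever is in the payload segment. The finding reported in the thread is exactly the gap between that function and `verify_hs256`; the server-side fix is to call the verifying function and reject the request (not just log a warning) when it returns `None`, and to keep the algorithm pinned rather than taken from the token header.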

Indeed, they are NOT validating the signature before trusting the token.