Non-standard JSON Web Token

owasp:api2:2019-jwt-best-practices

Rule Severity:

High

Ensure endpoints using JWT explicitly declare support for RFC8725 in the description
This rule applies at the API Specification level (OAS/Swagger).
RFC 8725 is the most current best practice of JWT use as published by the Internet Engineering Task Force (https://datatracker.ietf.org/doc/html/rfc8725)
RFC8725 addresses various vulnerabilities and common pitfalls associated with the use of JWTs, and by declaring support for it, developers signal that they are aware of and have mitigated these risks. This not only enhances the trustworthiness of the API but also provides clarity to developers integrating with the API about the security measures in place. RFC8725, titled "Best Current Practices for JSON Web Token (JWT) Security," highlights the importance of using appropriate cryptographic algorithms, avoiding weak keys, and ensuring that tokens are not susceptible to replay attacks. It also emphasizes the need to validate the structure and claims of a JWT before processing it. By following the practices outlined in RFC8725, developers can mitigate potential security risks associated with JWTs and ensure that they are used in a secure and reliable manner.

Example Attack Scenario

Signature Bypass: Weaknesses or flaws in the signature verification process of insecure JWT implementations can be exploited by attackers. They may create tampered or forged JWTs with manipulated signatures, aiming to bypass authentication checks or gain unauthorized access to protected resources.

1. How to Identify with Example Scenario

securitySchemes:    
 authType:     
  # arbitrary name for the security 
  scheme:      
   type: oauth2      
   description: xyz 
   # arbitrary description for the security scheme

1. How to Resolve with Example Scenario

securitySchemes:    
 authType:     
  # arbitrary name for the security 
  scheme:      
   type: oauth2
   description: 
    RFC8725 Compliant JWT

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications
securitySchemes:
 authType:     
  # arbitrary name for the security 
  scheme:      
   type: http      
   bearerFormat: jwt      
   description: xyz 
  # arbitrary description for the security scheme

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
securitySchemes:    
 authType:
  # arbitrary name for the security 
  scheme:      
   type: http
   bearerFormat: jwt      
   description: RFC8725 Compliant JWT
References:

More findings

All Findings