chore: text cleanup

This commit is contained in:
Nanne Baars 2025-03-31 21:38:33 +02:00
parent ec3b9e8aaf
commit c3f9158eab


@ -16,9 +16,9 @@ An example JKU would look like this:
}
----
=== Vulnerability
=== Vulnerability: JWT claim misuse with JKU
JWT claim misuse with JKU The vulnerability arises when a JWT is signed with a weak or predictable key and the server provides a JKU that points to an external location hosting the public key.
The vulnerability arises when a JWT is signed with a weak or predictable key and the server provides a JKU that points to an external location hosting the public key.
Attackers can exploit this vulnerability by crafting a JWT with malicious claims and using the `jku` to trick the server into verifying the JWT using a weak or manipulated key.
It all depends on the library being used inside the application.
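Review bot: the heading fix is right, but the paragraph under it still describes two different problems as one: a weak or predictable signing key, and a `jku` that points at an external location the attacker controls. Only the second is the JKU issue the heading names; a weak key is exploitable without any `jku` header. Consider rewording the first sentence to something like "The vulnerability arises when the server fetches the verification key from the location named in the token's `jku` header without checking that the URL is trusted." The closing sentence "It all depends on the library being used inside the application." should also say what depends on the library, e.g. whether it dereferences `jku` automatically and whether it limits the hosts it will fetch keys from.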
@ -39,6 +39,7 @@ However, filtering on URLs is quite challenging to implement, and this can be by
- **Successful attack**: If the server uses the weak or manipulated key to verify the JWT, the attacker gains unauthorized access or executes their intended exploit.
=== Mitigation
To prevent JWT claim misuse with JKU, developers and security professionals should follow these best practices:
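Review bot: the "Successful attack" bullet ends with "or executes their intended exploit", which adds nothing to the first clause; state the concrete outcome instead, e.g. "the server accepts the forged token and treats the attacker as whatever identity and roles the crafted claims assert". The mitigation intro that follows should pick up the point the hunk context already makes, that filtering on URLs is hard to get right, so that the best-practice list leads with restricting `jku` to an allowlist of known key hosts (or ignoring the header entirely in favour of pre-configured keys) rather than with pattern-based URL filtering.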