JWT Key Injection Scanner
Tests for JWT key injection through jku/x5u header manipulation.
What is JWT Key Injection?
JWT Key Injection exploits JWT headers that specify where to fetch the verification key. The jku (JWK Set URL) and x5u (X.509 URL) headers can be manipulated to point to attacker-controlled servers. The vulnerable application fetches the attacker's key and uses it to verify tokens signed by the attacker.
Why is This Important?
This vulnerability provides complete control over authentication. Attackers host their own key, modify the JWT to reference it, sign with their private key, and the server accepts the token as valid. It is particularly dangerous because the forged token passes signature verification: the cryptography works as designed, the server has simply been handed the attacker's key, so the application still appears to be performing secure verification.
How It Works
1. Auth Flow Analysis
Maps authentication mechanisms including login, registration, password reset, and session management flows.
2. Security Testing
Tests for authentication bypasses, weak credentials, session flaws, and token vulnerabilities.
3. Access Verification
Validates findings by demonstrating unauthorized access or privilege escalation paths.
Key Capabilities
Comprehensive authentication security testing to protect user accounts and prevent unauthorized access.
- Complete authentication flow analysis
- Token and session security validation
- Password policy and brute-force testing
- Multi-factor authentication bypass detection
- OAuth, SAML, and JWT security assessment
Frequently Asked Questions
How does the jku attack work?
1. The attacker creates a key pair.
2. The attacker hosts the public key at a URL they control.
3. The attacker modifies a JWT's jku header to point to that server.
4. The attacker signs the token with their private key.
5. The server fetches keys from the attacker's URL and validates the forged signature as legitimate.
What variations of key injection exist?
Besides jku and x5u, attackers try: jwk (embedding the key directly in the header), x5c (embedding certificate chain), kid manipulation to select attacker-controlled keys, and combining these with path traversal or SSRF to access internal key stores.
Can URL validation prevent this attack?
Partial validation, such as a prefix check that only confirms the host name starts with trusted.com, can be bypassed with trusted.com.attacker.com. Even allowlists can be undermined by open redirects on trusted domains. The safest approach is to never fetch keys based on JWT contents.
How do I prevent JWT key injection?
- Never trust key URLs taken from JWT headers.
- Use static key configuration.
- If dynamic keys are needed, use a strict allowlist of trusted URLs.
- Disable jku/x5u processing in your JWT library.
- Verify that the kid matches expected values.
- Monitor for unusual key fetch patterns.
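The following example, added here and not part of the scanner's own code, shows the two points made in the last two answers side by side: a prefix-style URL check that accepts trusted.com.attacker.com versus an exact allowlist match, and a vulnerable key resolver that lets the token's jku header choose the key versus a hardened resolver that refuses every key-location header and only selects from statically configured keys by kid. It uses HS256 with secrets from the standard library so it runs offline; the key-resolution rules are identical for RSA or EC public keys. All key names, URLs and the simulated remote key store are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed static key configuration (hypothetical). A hardened verifier
# only ever uses keys listed here, selected by kid.
STATIC_KEYS = {
    "2024-app-key": b"constructed-server-secret-not-for-real-use",
}

# Constructed allowlist for the rare case where remote key fetching is needed.
JKU_ALLOWLIST = {"https://trusted.com/.well-known/jwks.json"}

# Simulated "remote" key store so the example runs without any network access.
# The key at the second URL is one the server never configured.
FAKE_REMOTE_KEYS = {
    "https://trusted.com.attacker.com/jwks.json": b"key-the-server-never-configured",
}

# Header parameters that let the token say where its key lives. The hardened
# resolver rejects all of them; the token must never choose its own key.
KEY_LOCATION_HEADERS = ("jku", "x5u", "jwk", "x5c")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def naive_url_check(url: str) -> bool:
    # The prefix check from the FAQ: "does it start with trusted.com?"
    return url.startswith("https://trusted.com")


def strict_url_check(url: str) -> bool:
    # Parse first, require https with no userinfo, then demand an exact
    # allowlist match on the whole URL rather than a substring or prefix.
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return url in JKU_ALLOWLIST


def resolve_key_vulnerable(header: dict, fetch):
    # Vulnerable pattern: the token's own jku header decides where the key
    # comes from, guarded only by the naive prefix check.
    if "jku" in header and naive_url_check(header["jku"]):
        return fetch(header["jku"])
    return STATIC_KEYS.get(header.get("kid"))


def resolve_key_hardened(header: dict) -> bytes:
    # Hardened pattern: refuse any key-location header, then look the kid up
    # in the static configuration and nowhere else.
    for name in KEY_LOCATION_HEADERS:
        if name in header:
            raise ValueError(f"key location header {name!r} is not permitted")
    kid = header.get("kid")
    if kid not in STATIC_KEYS:
        raise ValueError("unknown kid")
    return STATIC_KEYS[kid]


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_token(token: str, resolver) -> bool:
    # Pin the algorithm, resolve the key through the chosen policy, then
    # check the signature with a constant-time comparison.
    header = parse_header(token)
    if header.get("alg") != "HS256":
        return False
    try:
        key = resolver(header)
    except ValueError:
        return False
    if key is None:
        return False
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def demo() -> dict:
    # Constructed tokens: one signed with the configured key, one signed with a
    # key the server does not hold, whose jku points at the look-alike host.
    legit = sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "2024-app-key"},
                       {"sub": "alice"}, STATIC_KEYS["2024-app-key"])
    lookalike = "https://trusted.com.attacker.com/jwks.json"
    foreign = sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "2024-app-key",
                          "jku": lookalike},
                         {"sub": "admin"}, FAKE_REMOTE_KEYS[lookalike])
    vulnerable = lambda h: resolve_key_vulnerable(h, FAKE_REMOTE_KEYS.get)
    return {
        "naive_check_accepts_lookalike": naive_url_check(lookalike),
        "strict_check_accepts_lookalike": strict_url_check(lookalike),
        "vulnerable_accepts_foreign_key": verify_token(foreign, vulnerable),
        "hardened_accepts_foreign_key": verify_token(foreign, resolve_key_hardened),
        "hardened_accepts_legit": verify_token(legit, resolve_key_hardened),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the naive prefix check accepting the look-alike host while the exact allowlist match rejects it, and the vulnerable resolver accepting a token signed under a key the server never configured while the hardened resolver rejects the same token solely because it carries a jku header.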