Formula Injection with JWT Tokens
How Formula Injection Manifests in JWT Tokens
Formula injection in JWT tokens occurs when spreadsheet formulas or similar expressions are embedded in token claims and are later evaluated by an application that consumes the token. The risk is heightened because JWTs are compact, self-contained, and routinely forwarded between systems, so an injected claim travels with the token wherever it goes.
The most common manifestation involves embedding spreadsheet formulas within JWT claims that are later processed by spreadsheet applications or other systems that interpret formulas. For example, a malicious actor might craft a JWT with a claim containing an Excel formula such as =GET.CELL(32, A1) or =HYPERLINK("http://evil.com", "Click here"). When that claim is rendered in a spreadsheet application, the formula could execute, potentially exfiltrating data or triggering other unwanted actions.
Another attack vector involves JWT processing libraries that mishandle certain characters or structures. Some implementations do not validate or escape formula-like content within claims, so injected formulas pass through token validation and claim extraction intact. This is particularly problematic in applications that automatically process JWT tokens and display claim contents in contexts where formulas can execute.
Consider this vulnerable JWT token example:
  const jwt = require('jsonwebtoken');

  // A token whose "data" claim carries a spreadsheet formula instead of plain data
  const maliciousToken = jwt.sign({
    data: '=IF(R[0]C[0]="admin",TRUE,FALSE)', // Formula injection attempt
    exp: Math.floor(Date.now() / 1000) + 60   // Expires in 60 seconds
  }, 'secretkey');
When this token is processed by an application that displays the data claim in a spreadsheet context, the formula could execute. The risk is amplified when JWTs are used for data exchange between systems that do not sanitize or validate claim contents.
Formula injection can also manifest through crafted JWT tokens that exploit specific weaknesses in JWT libraries or implementations. For instance, some older JWT libraries had issues with certain character sequences that could be interpreted as formula triggers when processed by downstream systems.
JWT Token-Specific Detection
Detecting formula injection in JWT tokens requires a multi-layered approach that examines both the token structure and the claims content. middleBrick's JWT-specific scanning capabilities include several detection mechanisms tailored to identify formula injection attempts.
During scanning, middleBrick analyzes JWT tokens for suspicious patterns within claims, including common formula syntaxes from spreadsheet applications (Excel, Google Sheets, LibreOffice). The scanner looks for patterns like =IF(, =SUM(, =HYPERLINK(, and other formula indicators that could trigger execution in downstream applications.
The detection process also examines the token's payload for potentially dangerous characters and sequences that could be interpreted as formulas, including the quotation marks, parentheses, and special characters commonly used in formula construction. middleBrick's scanner specifically looks for these patterns within JWT claims:
  // Formula injection patterns detected by middleBrick
  // Note: each pattern is anchored with ^, so it matches only when the formula
  // starts the claim value, and the names are case-sensitive as written.
  const formulaPatterns = [
    /^=IF\(/,          // Excel IF formula
    /^=SUM\(/,         // Excel SUM formula
    /^=HYPERLINK\(/,   // Excel hyperlink formula
    /^=GET\.CELL\(/,   // Excel GET.CELL formula
    /^=INDIRECT\(/,    // Excel INDIRECT formula
    /^=OFFSET\(/,      // Excel OFFSET formula
    /^=CHOOSE\(/,      // Excel CHOOSE formula
    /^=VLOOKUP\(/,     // Excel VLOOKUP formula
    /^=HLOOKUP\(/,     // Excel HLOOKUP formula
    /^=INDEX\(/,       // Excel INDEX formula
    /^=MATCH\(/,       // Excel MATCH formula
    /^=CONCATENATE\(/, // Excel CONCATENATE formula
    /^=TEXTJOIN\(/,    // Excel TEXTJOIN formula
    /^=FILTER\(/,      // Excel FILTER formula
    /^=SORT\(/,        // Excel SORT formula
    /^=UNIQUE\(/,      // Excel UNIQUE formula
    /^=SEQUENCE\(/     // Excel SEQUENCE formula
  ];
middleBrick's scanner also performs contextual analysis to identify tokens that might be used in environments where formula execution is possible. This includes checking for claims that contain URLs, file paths, or other data that could be leveraged by formulas for data exfiltration or malicious actions.
The scanner generates a risk score based on the severity of detected formula injection attempts, with findings that include the specific claim containing the suspicious content, the type of formula detected, and recommendations for remediation. For JWT tokens used in spreadsheet-heavy environments, middleBrick provides additional warnings about the potential for formula execution.
JWT Token-Specific Remediation
Remediating formula injection in JWT tokens requires a defense-in-depth approach that combines proper token validation, claim sanitization, and secure processing practices. Here are specific remediation strategies for JWT implementations:
1. Implement Strict Claim Validation: Before processing JWT claims, validate their contents to ensure they do not contain formula-like patterns. Use regular expressions to detect and reject tokens whose claims look suspicious:
  const jwt = require('jsonwebtoken');

  // Returns true when no string claim starts with a known formula pattern,
  // false when the token is malformed or carries formula-like content.
  function validateJwtClaims(token) {
    try {
      // Note: jwt.decode() does not verify the signature. Call jwt.verify()
      // with the expected key before trusting any claim for authorization.
      const decoded = jwt.decode(token, { complete: true });
      if (!decoded || !decoded.payload) return false;

      // Check for formula injection patterns in claims
      const dangerousPatterns = [
        /^=IF\(/,
        /^=SUM\(/,
        /^=HYPERLINK\(/,
        /^=GET\.CELL\(/,
        /^=INDIRECT\(/,
        /^=OFFSET\(/,
        /^=CHOOSE\(/,
        /^=VLOOKUP\(/,
        /^=HLOOKUP\(/,
        /^=INDEX\(/,
        /^=MATCH\(/,
        /^=CONCATENATE\(/,
        /^=TEXTJOIN\(/,
        /^=FILTER\(/,
        /^=SORT\(/,
        /^=UNIQUE\(/,
        /^=SEQUENCE\(/
      ];

      for (const value of Object.values(decoded.payload)) {
        if (typeof value === 'string' && dangerousPatterns.some((p) => p.test(value))) {
          return false; // Reject: claim content looks like a spreadsheet formula
        }
      }
      return true;
    } catch (err) {
      return false; // Malformed token
    }
  }
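The following is an added example, not middleBrick's or the page's own code, that goes a step beyond the pattern lists above: it decodes a JWT payload with no library, walks nested claims, flags the generic spreadsheet trigger characters (=, +, -, @, tab, CR) as well as the named functions, and neutralizes a value for CSV or spreadsheet export by prefixing a single quote. The sample token, its claims and the placeholder signature are constructed for the example, and the signature is deliberately not verified here.

```javascript
// Added example (not middleBrick's code): offline JWT claim scan for
// spreadsheet formula triggers, plus a neutralizer for export paths.

// Decode the base64url payload segment of a compact JWT. This does NOT
// verify the signature; verify with the expected key before trusting claims.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Leading characters that make spreadsheet applications evaluate a cell as
// a formula. Leading whitespace is skipped so "  =SUM(" is still caught.
const TRIGGER = /^\s*[=+\-@\t\r]/;
// Named functions from the pattern list above, matched case-insensitively.
const NAMED = /^\s*=(IF|SUM|HYPERLINK|GET\.CELL|INDIRECT|OFFSET|CHOOSE|VLOOKUP|HLOOKUP|INDEX|MATCH|CONCATENATE|TEXTJOIN|FILTER|SORT|UNIQUE|SEQUENCE)\(/i;

// Walk claims recursively; return [{ path, value, kind }] per suspicious string.
function findFormulaClaims(payload, path = '') {
  const findings = [];
  for (const [key, value] of Object.entries(payload)) {
    const here = path ? `${path}.${key}` : key;
    if (typeof value === 'string') {
      if (NAMED.test(value)) findings.push({ path: here, value, kind: 'named-function' });
      else if (TRIGGER.test(value)) findings.push({ path: here, value, kind: 'trigger-char' });
    } else if (value && typeof value === 'object') {
      findings.push(...findFormulaClaims(value, here)); // arrays and nested objects
    }
  }
  return findings;
}

// Neutralize one value for CSV/spreadsheet export: prefix a single quote so
// the cell is stored as text, then quote the field and escape embedded quotes.
function neutralizeForSpreadsheet(value) {
  if (typeof value !== 'string') return value;
  const text = TRIGGER.test(value) ? `'${value}` : value;
  return `"${text.replace(/"/g, '""')}"`;
}

// Constructed sample token: HS256 header, a payload with one injected claim at
// the top level and one nested, and a placeholder (not valid) signature.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE_PAYLOAD = { sub: 'user42', data: '=IF(R[0]C[0]="admin",TRUE,FALSE)',
  profile: { display: ' @SUM(A1:A2)', bio: 'Hello - world' } };
const SAMPLE_TOKEN = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(SAMPLE_PAYLOAD)}.placeholder-signature`;

console.log(findFormulaClaims(decodePayload(SAMPLE_TOKEN)));
```

Note that "Hello - world" is not flagged: only a leading trigger character matters, which keeps false positives on ordinary text low.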