Request Smuggling with Jwt Tokens

Request smuggling in JWT tokens occurs when an attacker manipulates the boundary between HTTP requests to inject malicious payloads that bypass authentication or authorization checks. In JWT contexts, this typically manifests when token parsing and validation occur after request body parsing, creating a window where malformed requests can slip through.

The most common JWT smuggling pattern involves exploiting Content-Length vs Transfer-Encoding headers. An attacker sends:

POST /api/protected HTTP/1.1
Host: example.com
Content-Length: 10
Transfer-Encoding: chunked

0

GET /api/admin HTTP/1.1
Host: example.com
Authorization: Bearer [VALID_JWT]
Content-Type: application/json

{ "steal": "data" }

Here, the front-end server sees Content-Length: 10 and reads only the first chunk, while the back-end sees Transfer-Encoding: chunked and processes the entire payload. The second HTTP request gets smuggled through with a valid JWT token.

Another JWT-specific smuggling variant targets the JWT parsing itself. When JWT libraries use non-standard header parsing or when applications implement custom token validation, attackers can craft tokens that exploit parsing ambiguities:

Authorization: Bearer eyJhbGci=HS256.eyJ.sub=attacker.ey.payload=eyJ.exp=1234567890.ey.data=ey.admin=true.ey.id=123.ey.role=user

This malformed token contains multiple JWT structures. Depending on the parsing implementation, different segments might be validated, potentially granting elevated privileges if the parser stops at the first valid segment it encounters.

Web frameworks that don't properly handle streaming JWT validation are particularly vulnerable. When a JWT is validated after the request body is fully read, an attacker can inject additional requests in the body that the JWT middleware never sees:

POST /api/upload HTTP/1.1
Content-Type: application/json
Authorization: Bearer eyJhbGci=HS256.eyJ.sub=victim.ey.role=user.ey.exp=1234567890
Content-Length: 999

{ "file": "malicious.jpg" }
GET /api/admin HTTP/1.1
Host: example.com
Authorization: Bearer eyJhbGci=HS256.eyJ.sub=attacker.ey.role=admin.ey.exp=1234567890

The upload endpoint processes the first request, but the second request with admin privileges is smuggled through to another endpoint that might be exposed to the same connection pool.

Detecting request smuggling in JWT contexts requires testing both the HTTP layer and the JWT parsing layer. The most effective approach combines automated scanning with manual verification of boundary conditions.

middleBrick's JWT-specific smuggling detection tests for:

• Content-Length vs Transfer-Encoding conflicts when JWT tokens are present
• Malformed JWT structures that could exploit parser ambiguities
• Timing-based smuggling where JWT validation occurs after request body processing
• Header injection attacks that could manipulate JWT parsing contexts

The scanner sends crafted requests that test these boundaries and analyzes the responses for signs of successful smuggling. For example, it might send:

POST /api/data HTTP/1.1
Host: target.com
Content-Length: 5
Transfer-Encoding: chunked
Authorization: Bearer eyJhbGci=HS256.eyJ.sub=test.ey.exp=1234567890

12345
GET /api/sensitive HTTP/1.1
Host: target.com
Authorization: Bearer eyJhbGci=HS256.eyJ.sub=attacker.ey.role=admin.ey.exp=1234567890

0

If the second request is processed, middleBrick flags this as a potential smuggling vulnerability and provides the exact payload that triggered it.

Manual detection should focus on the JWT validation sequence. Use tools like Burp Suite or curl to test:

curl -X POST https://api.example.com/endpoint \
  -H "Authorization: Bearer eyJhbGci=HS256.eyJ.sub=user.ey.exp=1234567890" \
  -H "Content-Type: application/json" \
  -H "Content-Length: 10" \
  -H "Transfer-Encoding: chunked" \
  -d '{"data":"test"}'

Watch for inconsistent responses or unexpected behavior when varying the header combinations. Pay special attention to endpoints that process JWT tokens after reading the request body.

Code review for JWT smuggling vulnerabilities should examine:

• Whether JWT validation occurs before or after request body parsing
• How the application handles malformed JWT tokens
• Whether streaming JWT validation is implemented
• How the framework handles Content-Length vs Transfer-Encoding conflicts

Look for patterns where JWT middleware is applied after body parsers, which creates the window for smuggling attacks.

Remediating JWT request smuggling requires both HTTP layer hardening and JWT-specific validation improvements. The most effective approach combines strict header validation with robust JWT parsing.

HTTP layer fixes:

// Reject requests with both Content-Length and Transfer-Encoding headers
app.use((req, res, next) => {
  if (req.headers['content-length'] && req.headers['transfer-encoding']) {
    return res.status(400).json({ error: 'Conflicting transfer encodings' });
  }
  next();
});

This prevents the classic smuggling vector by rejecting requests that could confuse parsers. For frameworks that allow it, disable Transfer-Encoding entirely:

// Express.js example
app.enable('strict-routing');
app.disable('x-powered-by');
app.set('trust proxy', false);

JWT-specific validation improvements:

const jwt = require('jsonwebtoken');

// Validate JWT before any body parsing occurs
app.use('/api', (req, res, next) => {
  const authHeader = req.headers.authorization;
  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Missing or malformed token' });
  }
  
  const token = authHeader.substring(7);
  
  // Validate token structure before parsing
  if (!isValidJwtStructure(token)) {
    return res.status(401).json({ error: 'Invalid token structure' });
  }
  
  jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
    if (err) {
      return res.status(401).json({ error: 'Invalid token' });
    }
    req.user = decoded;
    next();
  });
});

The key is validating the JWT before any request body processing occurs. This prevents smuggling attacks where malicious payloads could be injected after the JWT is validated.

For streaming JWT validation (recommended for high-security applications):

const jwtStream = require('jwt-stream');

function validateJwtStream(req, res, next) {
  const authHeader = req.headers.authorization;
    return res.status(401).json({ error: 'Missing token' });
  }
  
  const token = authHeader.substring(7);
  
  const parser = jwtStream.createParser();
 {
    if (!header || !header.alg) {
      return res.status(401).json({ error: 'Invalid token header' });
    }
  });
  
  parser.on('payload', (payload) => {
    if (!payload.sub || !payload.exp) {
      return res.status(401).json({ error: 'Invalid token payload' });
    }
  });
  
  parser.write(token);
  // If we get here without errors, token is valid
}

This streaming approach validates the JWT token as it's received, preventing any smuggling attacks that rely on manipulating the request body after token validation.

Additional hardening measures:

// Use helmet.js to set security headers
const helmet = require('helmet');
app.use(helmet({
  hsts: true,
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'"],
    },
  },
}));

These headers help prevent various HTTP-based attacks that could be combined with JWT smuggling attempts.