Xss Cross Site Scripting in Axum with Jwt Tokens
Xss Cross Site Scripting in Axum with Jwt Tokens — how this specific combination creates or exposes the vulnerability
Cross-site scripting (XSS) in an Axum application that uses JWT tokens commonly arises when a server embeds a token value or a claim from a JWT directly into HTML or JavaScript sent to the browser. For example, if an endpoint reads a name or sub claim from a JWT and interpolates it into an HTML response without proper encoding, an attacker who can influence the claim (for instance, via an account name they control during registration or a profile update) can cause the browser to execute script in the context of the authenticated user. Even when endpoints are protected by JWT validation middleware, XSS can still occur if the server treats the token or its claims as trusted data instead than as an identity assertion that should be encoded for HTML context.
In Axum, a typical pattern is to read claims from the request extension after JWT verification and use them to personalize responses. If those claims are rendered into templates or serialized into JSON for client-side scripts without escaping, the application may introduce reflected or stored XSS. Consider a handler that builds a JSON payload including the subject claim and later uses that JSON to populate a JavaScript variable. If the subject contains characters like <script> or an event handler, and the client-side code does additional parsing with eval or innerHTML, execution occurs. Another scenario involves embedding a JWT in a URL fragment or query parameter that is later read by client-side code; if the token or a claim is reflected into the DOM without sanitization, it can become an injection vector.
It is important to note that JWTs themselves are not inherently unsafe; the risk stems from how the data within them is handled in the UI layer. A token signed with a strong algorithm and validated on the server can still lead to XSS when its payload is treated as safe HTML or script content. Therefore, Axum applications must encode all user-influenced data, including claims extracted from JWTs, for the appropriate context (HTML body, attribute, URL, or JavaScript) and apply Content Security Policy defenses to reduce the impact of any accidental injection.
Jwt Tokens-Specific Remediation in Axum — concrete code fixes
To prevent XSS when using JWT tokens in Axum, ensure that any data derived from the token is properly escaped for the output context and that tokens are treated as opaque identifiers rather than trusted HTML sources. Below are concrete examples demonstrating safe handling in Rust with Axum, using the serde, jsonwebtoken, and askama ecosystem.
First, define your claims structure and validate the token without exposing raw claims as executable content:
use axum::extract::Request;
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
use serde::{Deserialize, Serialize};
#[derive(Debug, Serialize, Deserialize)]
struct Claims {
sub: String,
name: String,
exp: usize,
}
async fn validate_token(token: &str) -> Result {
let decoding_key = DecodingKey::from_secret("your-secret".as_ref());
let mut validation = Validation::new(Algorithm::HS256);
validation.validate_exp = true;
let token_data = decode::(token, &decoding_key, &validation)?;
Ok(token_data.claims)
}
Second, when rendering responses, use a template engine that auto-escapes or explicitly escape values. With Askama, mark dynamic values as safe only when you are certain they do not contain user-controlled input:
<!-- templates/user_profile.html -->
<!DOCTYPE html>
<html>
<head><title>Profile</title></head>
<body>
<h1>Hello, {{ name | e }}</h1>
<p>Subject: {{ sub | e }}</p>
</body>
</html>
use axum::extract::Extension;
use askama::Template;
#[derive(Template)]
#[template(path = "user_profile.html")]
struct ProfileTemplate {
name: String,
sub: String,
}
async fn profile_handler(
claims: Extension,
) -> ProfileTemplate {
ProfileTemplate {
name: claims.name.clone(),
sub: claims.sub.clone(),
}
}
If you are returning JSON to a client that will inject values into the DOM, ensure the client uses safe APIs and that the server does not embed executable strings. For example, returning a JSON response with properly typed structures is safe as long as the client avoids innerHTML or eval:
use axum::response::Json;
async fn user_json(claims: Extension<Claims>) -> Json<serde_json::Value> {
let body = json::json!({
"name": claims.name,
"sub": claims.sub,
});
Json(body)
}
Additionally, configure secure cookie attributes for any session tokens and set a strict Content Security Policy header to mitigate the impact of any potential injection:
use axum::response::Response;
use axum::http::HeaderValue;
fn add_security_headers(response: Response) -> Response {
response
.header(
"Content-Security-Policy",
HeaderValue::from_static("default-src 'self'; script-src 'self'"),
)
}
By combining validated JWT usage with context-aware escaping and secure response headers, Axum applications can reduce the risk of XSS while still leveraging the identity information provided by tokens.
Related CWEs: inputValidation
| CWE ID | Name | Severity |
|---|---|---|
| CWE-20 | Improper Input Validation | HIGH |
| CWE-22 | Path Traversal | HIGH |
| CWE-74 | Injection | CRITICAL |
| CWE-77 | Command Injection | CRITICAL |
| CWE-78 | OS Command Injection | CRITICAL |
| CWE-79 | Cross-site Scripting (XSS) | HIGH |
| CWE-89 | SQL Injection | CRITICAL |
| CWE-90 | LDAP Injection | HIGH |
| CWE-91 | XML Injection | HIGH |
| CWE-94 | Code Injection | CRITICAL |