search
githubEdit

JSON Web Tokens JWT Penetration Testing

hashtag
Tools: Burpsuite, cURL, https://jwt.io/ (JWT Decoder and editor), Cyberchef https://gchq.github.io/CyberChef/ (Encode/Decode values), https://github.com/ticarpi/jwt_tool (Automation tool to check for vulnerable JWT Tokens)

hashtag
Attacks:

hashtag
1) Sensitive Information Disclosure

hashtag
Authenticate with a user and grab the JWT token from that user

curl -H 'Content-Type: application/json' -X POST -d '{ "username" : "user", "password" : "password1" }' http://10.10.190.243/api/v1.0/example1

hashtag
Go to jwt.io to decode the token and check the values inside the claim portion of the token. We may find sensitive information like internal resources, etc.

hashtag
2) Signature is not verified

hashtag
Grab the JWT token

curl -H 'Content-Type: application/json' -X POST -d '{ "username" : "user", "password" : "password1" }' http://10.10.190.243/api/v1.0/example1

hashtag
Authenticate with the JWT token

curl -H 'Authorization: Bearer JWT_TOKEN' http://10.10.190.243/api/v1.0/example2?username=user

hashtag
Go to jwt.io and try to verify the user WITHOUT the signature by removing the signature part leaving ONLY the dot (.).

hashtag
Try to authenticate with the SIGNATURELESS token again to check if you can verify the user even without the signature.

hashtag
Modify any values we may find in the token. Example:

hashtag
Change the admin value from 0 to 1, then verify as admin with the newly modified JWT token.

hashtag
3) Signature algorithm downgrade to NONE

hashtag
Grab the JWT Token

hashtag
Authenticate with the JWT Token

hashtag
Go to jwt.io to modify the values inside the claim portion of the token: Admin from 0 to 1 for example.

hashtag
If the response of the server contains: "Signature verification failed" we can go for the downgrade attack to None algorithm.

hashtag
Go to cyberchef, then take the HEADER part of the JWT token and use the JWT decode recipe to get the plain text of the JWT header.

hashtag
Grab the plain text JWT header, change the Alg to None and encode it with base64.

hashtag
After this, put the base64 encoded header we just made at the BEGINNING of our modified JWT token to replace the previous header with the None algorithm. REMOVE THE EQUAL SIGN FROM THE BASE64 HEADER TO NOT GET ANY COMPLAINTS FROM THE SERVER RESPONSE!

hashtag
4) Weak Symmetric Secrets

hashtag
Grab JWT Token

hashtag
Save the retrieved JWT in a text file

hashtag
Download a wordlist for JWT secrets

hashtag
Use hashcat to crack the secret of the JWT token so that we can forge our own JWT token to gain access

hashtag
Then go to jwt.io and do the following:

hashtag
Add the secret we just cracked down to the signature part where it tells us to enter our secret we just discovered.

hashtag
Then, modify any values we may find to gain admin access. Example: admin from 0 to 1.

hashtag
Then use this newly forged JWT token to authenticate:

hashtag
5) Signature Algorithm Confusion

hashtag
Grab the JWT Token with the public key in this example

hashtag
Go to jwt.io to make the changes or use the script provided from THM that we are going to use. Script will be located in scripts folder in here.

hashtag
Add the public key to the script and make the modifications: admin from 0 to 1 for example.

hashtag
Before running the script, edit the file /usr/lib/python3/dist-packages/jwt/algorithms.py and comment out the specific code snippet:

hashtag
Run the script to generate our forged JWT token

hashtag
Gain access with our modified JWT token

hashtag
6) JWT Token Lifetimes

hashtag
If a token does not have an 'exp' value set inside its claim portion of the token, this means that the token NEVER EXPIRES!

hashtag
Also, check for the 'exp' value of a JWT if it is too short or long to verify it's lifespan.

PreviousAuth Tokens BypassNextMulti-Factor Authentication Bypass Methods

Last updated