Overview
JWT's
(Json Web Token) are a common source of Vulnerabilities, both in how they are in implemented in Applications, and in the underlying libraries. As they are used for Authentication, a Vulnerability can easily result in a complete compromise of the Application.
-
JWT Token:
- HEADER: PAYLOAD: SECRET
- The SECRET is only known to the Server, and is used to make sure that Data wasn't changed along the way. Everything is then
BASE64
encoded. If we are able to control the SECRET we can effectively control the Data.
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjQ0Mjc4MTM1LCJleHAiOjE2NDQyNzgyNTUsImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ.E-PuCJEhs2zp5a_NEsL-boVJ_pbtmOIb_t-YFQtcPFs2ysQ-89-91rlapGjn8AYtLegScNx0Lz5QgfCizjZ_SNN8hQc-UVX1mqcI3-1O3FJ_VEtUqsV5Gx9dqD9Sqk8bM1pC8yP9H32HoUASLL_wKpWr8tblV5DAIwlfnXqxiWSNzqahqPIleATyDUXnpaQN6yeCfLFZ_5vNHN0TwhbmuL7PIpjShVBJh5-5Fqgtr-g6SRLPoxPZgxwQNdhs0ZfAlvHBUi99ZOVvDnxQOZ_PJXv_upyGS1UBV9cxXC_UZVh2mBiQ7IlvgWJvHtT3AJ9u16Pytc1lgc6T4kq0BTBuJw
-
JWT Header:
- We are Interested in the ALG field which RS256 uses. It's a private RSA key that's only available to the Server, that's not Vulnerable. We can change that field to
HS256
. This is calculated using the Server's Public Key, which in certain circumstances we may have Access too.
- We are Interested in the ALG field which RS256 uses. It's a private RSA key that's only available to the Server, that's not Vulnerable. We can change that field to
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9
{
"typ": "JWT",
"alg": "RS256"
}
- Public Key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqi8TnuQBGXOGx/Lfn4JF
NYOH2V1qemfs83stWc1ZBQFCQAZmUr/sgbPypYzy229pFl6bGeqpiRHrSufHug7c
1LCyalyUEP+OzeqbEhSSuUss/XyfzybIusbqIDEQJ+Yex3CdgwC/hAF3xptV/2t+
H6y0Gdh1weVKRM8+QaeWUxMGOgzJYAlUcRAP5dRkEOUtSKHBFOFhEwNBXrfLd76f
ZXPNgyN0TzNLQjPQOy/tJ/VFq8CQGE4/K5ElRSDlj4kswxonWXYAUVxnqRN1LGHw
2G5QRE2D13sKHCC8ZrZXJzj67Hrq5h2SADKzVzhA8AW3WZlPLrlFT3t1+iZ6m+aF
KwIDAQAB
-----END PUBLIC KEY-----
JWT-CRACKER
We can use JWT-CRACKER
to Brute-Force JWT SECRET. Alphabet and Max-Length are Optional.
attacker@machine:~$ jwt-cracker "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ[...].tgE1GJAUwr4I480BIc[...]" abcdefghijklmnopqrstuvwxyz 4