Overview

JWT's (Json Web Token) are a common source of Vulnerabilities, both in how they are in implemented in Applications, and in the underlying libraries. As they are used for Authentication, a Vulnerability can easily result in a complete compromise of the Application.

JWT Token:
- HEADER:PAYLOAD:SECRET
- The SECRET is only known to the Server, and is used to make sure that Data wasn't changed along the way. Everything is then `BASE64` encoded. If we are able to control the SECRET we can effectively control the Data.

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJQYXJhZG94IiwiaWF0IjoxNjQ0Mjc4MTM1LCJleHAiOjE2NDQyNzgyNTUsImRhdGEiOnsicGluZ3UiOiJub290cyJ9fQ.E-PuCJEhs2zp5a_NEsL-boVJ_pbtmOIb_t-YFQtcPFs2ysQ-89-91rlapGjn8AYtLegScNx0Lz5QgfCizjZ_SNN8hQc-UVX1mqcI3-1O3FJ_VEtUqsV5Gx9dqD9Sqk8bM1pC8yP9H32HoUASLL_wKpWr8tblV5DAIwlfnXqxiWSNzqahqPIleATyDUXnpaQN6yeCfLFZ_5vNHN0TwhbmuL7PIpjShVBJh5-5Fqgtr-g6SRLPoxPZgxwQNdhs0ZfAlvHBUi99ZOVvDnxQOZ_PJXv_upyGS1UBV9cxXC_UZVh2mBiQ7IlvgWJvHtT3AJ9u16Pytc1lgc6T4kq0BTBuJw

JWT Header:
- We are Interested in the ALG field which RS256 uses. It's a private RSA key that's only available to the Server, that's not Vulnerable. We can change that field to HS256. This is calculated using the Server's Public Key, which in certain circumstances we may have Access too.

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9

{
  "typ": "JWT",
  "alg": "RS256"
}

Public Key

JWT-CRACKER

We can use JWT-CRACKER to Brute-Force JWT SECRET. Alphabet and Max-Length are Optional.

attacker@machine:~$ jwt-cracker "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ[...].tgE1GJAUwr4I480BIc[...]" abcdefghijklmnopqrstuvwxyz 4

JWT-CRACKER​

JWT-CRACKER