JWT Common Attacks
What Is JWT š¤?
JSON Web Tokens (JWT) is used for authorization of the logged in users, so after the user loges in sometimes the web-server needs to check if this user is authorized (has access) to this particular system/information.
JWT Doesnāt use the good old cookies and sessions in authorization, instead it utilizes JSON web tokens
JWT Structure
JWT consists of 3 main parts:
- Header
- The Header is the top most part of the JWT token and it specifies which algorithm will be used in the signature part to generate the signature (more on that in signature)
Algorithm could be one of the following: None (no encoding), HS256,RS256.
2. Payload
This is the main message in the token which contains the important info about the user/organization that will be authorized or not.
One of the static field of the payload is āiatā which is the time-stamp of the generated JWT, other payload elements varies according to the web application in use.{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
3. Signature
This part is the core focus to us as pentesters as it contains basically all the previous message but encoded to ensure confidentiality
the signature consists of the following concatenated:
1. Header in base64 format.
2. Payload in base64 format.
3. Secret key to generate the Signature (according to the algorithm stated in the Header) and sometimes it is 2 keys (private+public) for assymetric algorithms like the RS256).
Probably you are now scratching your head wondering what type of attacks could be with a strong asymmetric algorithm like the RS256, but the in fact we have many workarounds to bypass the signature part.
We will explain the top 4 attacks could be conducted with JWTs.
1. RSA to HMAC Attack
As we mentioned we have two major encryption algorithms, the RS256 and the HS256 and of course we all know that the RS256 is asymmetric therefore way too harder to crack as it uses private/public key combination.
- Refer to this link to know more about RSA vs HMAC: https://connect2id.com/products/nimbus-jose-jwt/algorithm-selection-guide
- Intercept the request using (Burpsuite) or any proxy you are familiar with and send it to repeater to alter the request.
- First step is to change the Header algorithm from āRS256" to āHS256".
- Get the public key of the website (which can be found in their certificate or leaked on the internet) you could look for directories like .well-known or common directories or jks.json file
also refer to this amazing website: https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-retrieval - after saving the public key we need to generate a new signature with the same key (public key) because remember now we are using HS256 and it uses the same key for signing/encryption.
- To generate new signature refer to the following code snippet:
import hashlib
import base64
import hmacfile=open('key.pem')
key = file.read()
#Change Header and payload to the one you intercepted and alter it#
header = '{"alg":"HS256",
"typ": "jwt"}'
payload = '{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}'
#encoding Header
encodedHBytes = base64.urlsafe_b64encode(header.encode("utf-8"))
encodedHeader = str(encodedHBytes, "utf-8").rstrip("=")
#Encoding payload
encodedPBytes = base64.urlsafe_b64encode(payload.encode("utf-8"))
encodedPayload = str(encodedPBytes, "utf-8").rstrip("=")
complete_jwt = (encodedHeader + "." + encodedPayload)
#Creating the whole Signature#try:
signature = base64.urlsafe_b64encode(hmac.new(bytes(key, "UTF-8"),complete_jwt.encode('utf-8'),hashlib.sha256).digest()).decode('UTF-8').rstrip("=")
print(complete_jwt + "." + signature)
- Change the Signature to the one you just generated and send the altered request using burp and hope for the best.
__ Disclaimer: This method only works if the backend server has a RS-HS vulnerability that allows for altering the algorithm and as famous as this attack is, it works only with few websites now š¢.
2. Invalid Signature Attack
This attack is way easier than the first one, you just Intercept the message, send it to the repeater, and guess what remove the whole signature and hope for the best.
* This kind of attack is a high severity security misconfiguration and it can usually be found in small/medium organization with poor security practices only.
3. None Algorithm Attack
This type of attack is very similar to the first and the second ones.
- you intercept the message and alter the Header this time by changing the āalgorithmā value to ānoneā and change the payload to whatever you want (you can keep the signature as is).
- Some web-servers donāt have the rule that do not accept any algorithm other than one algorithm (Weak Governance practices).
- This attack was very famous for the past few years and till the moment of writing this article it is found in many top companies .
- Refer to my friend here for distilled None-algorithm attack: https://blog.pentesteracademy.com/hacking-jwt-tokens-the-none-algorithm-67c14bb15771
4. Brute Forcing the Signature
- Although this is not considered a vulnerability and you will not get any bounty for this, it is sometimes useful in discovering other vulnerabilities
- This attack only works with HS256 and it wonāt work for asymmetric encryption (unless you have a quantum computer).
- Talking backend wise, some encryption keys are not as good as they should be so it is not completely random and I myself have seen signatures cracked in very short time due to the lack of randomness in generated keys.
- Many tools are available, but I recommend examining the Signature yourself at first then decide what tool you should use, anyways these are the most common tools that I prefer using (you could use burp extension as well).
https://github.com/lmammino/jwt-cracker
https://github.com/x1sec/gojwtcrack
