JWT attacks
JWT attacks involve a user sending modified JWTs to the server in order to achieve a malicious goal. Typically, this goal is to bypass authentication and access controls by impersonating another user
What are JWTs?
JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information ("claims") about users as part of authentication, session handling, and access control mechanisms. Unlike with classic session tokens, all of the data that a server needs is stored client-side within the JWT itself. This makes JWTs a popular choice for highly distributed websites where users need to interact seamlessly with multiple back-end servers.
JWT Attacks
JWT authentication bypass via unverified signature : change the payload
Accepting tokens with no signature
"alg": "none" and remove the signature from the JWT, but remember to leave the trailing dot after the payload.
Brute-forcing secret keys
signing symmetric algorithms, such as HS256 (HMAC + SHA-256)
wordliste : https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list
JWT header parameter injections
jwk (JSON Web Key) - Provides an embedded JSON object representing the key.
jku (JSON Web Key Set URL) - Provides a URL from which servers can fetch a set of keys containing the correct key.
kid (Key ID) - Provides an ID that servers can use to identify the correct key in cases where there are multiple keys to choose from. Depending on the format of the key, this may have a matching kid parameter
Injecting self-signed JWTs via the jwk parameter
1.With the extension loaded, in Burp's main tab bar, go to the JWT Editor Keys tab.
2.Generate a new RSA key.
3.Send a request containing a JWT to Burp Repeater.
4.In the message editor, switch to the extension-generated JSON Web Token tab and modify the token's payload however you like.
5.Click Attack, then select Embedded JWK. When prompted, select your newly generated RSA key. 6.Send the request to test how the server responds.
Injecting self-signed JWTs via the jku parameter
some servers let you use the jku (JWK Set URL) header parameter to reference a JWK Set containing the key. When verifying the signature, the server fetches the relevant key from this URL.
Modify and sign the JWT
/.well-known/jwks.json
/jwks.json
Injecting self-signed JWTs via the kid parameter
If this parameter is also vulnerable to directory traversal, an attacker could potentially force the server to use an arbitrary file from its filesystem as the verification
Algorithm confusion attacks
1.Obtain the server's public key
2.Convert the public key to a suitable format
3.Create a malicious JWT with a modified payload and the alg header set to HS256.
4.Sign the token with HS256, using the public key as the secret.
docker run --rm -it portswigger/sig2n
Tools
General info
Attacks
Header
Payload
Last updated