search

JWT

  • Definition: JSON Web Tokens (JWTs) are standardized, cryptographically signed JSON data formats for exchanging information, commonly used in authentication and access control.

  • Storage: JWTs store all necessary data client-side, making them ideal for distributed systems.

  • Structure: Consists of three parts: header, payload, and signature, separated by dots.

  • Header & Payload: Both are base64url-encoded JSON objects; the header contains metadata, while the payload includes user claims (e.g., name, email).

  • Security: The integrity of a JWT relies on its cryptographic signature, which is created using a secret signing key; any modification to the header or payload invalidates the signature.

https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.listarrow-up-right

  1. unverified jwt

    change user or maybe isAdmin payload key

  2. unverified signature

    change alg to none

  3. hashtag
    Injecting self-signed JWTs via the jwk parameter

    1. New RSA Key

    2. In request JWT payload, change the value of the sub claim to administrator

    3. Select Attack, then select Embedded JWK with newly generated RSA key

    4. Observe a jwk parameter now contain our public key, sending request result in access to admin portal

  4. Injecting jku header with self signed key

    1. Generate New RSA Key pair automatically, and ignore the size.

    2. On the exploit server body create empty JWK { "keys": [ ] }.

    3. Copy Public Key as JWK from the new RSA key pair generate in previous step, in between the exploit body square brackets [ paste ].

    4. Copy kid value of generate RSA key into the /admin request JWT header kid value.

    5. Set new jku parameter to the value of the exploit server URL https://exploit-server.net/exploit.

    6. Change JWT payload value of the sub claim to administrator.

    7. On the /admin request in repeat, at bottom of the JSON Web Token tab, click Sign.

    8. On Sign option, then select the RSA signing key that was generated in the previous steps.

    9. Send request, and gain access to admin portal.

  5. kid path traversal

    1. Generate a new Symmetric Key and replace k property with the base64 null byte AA==

    2. change kid path to null: 

      "kid": "../../../../../../../dev/null"


In the JWT payload, change the value of the sub claim to administrator.

At the bottom of the tab, click Sign, then select the symmetric key that you generated in the previous section.

Make sure that the Don't modify header option is selected, then click OK. The modified token is now signed using a null byte as the secret key.

  6. Brute Force secret

    1. Brute force weak JWT signing key using hashcat.

      hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list

      Hashcat result provide the secret, to be used to generate a forged signing key.

      1. JWT Editor Keys tab and click New Symmetric Key. In the dialog, click Generate to generate a new key in JWK format.

      2. Replace the generated value for the k property with the Base64-encoded secret

      3. n the payload, change the value of the sub claim to administrator

      4. At the bottom of the tab, click Sign, then select the key that you generated in the previous section.

      5. Make sure that the Don't modify header option is selected, then click OK. The modified token is now signed with the correct signature

PreviousSQLi Cheat SheetNextPrototype Pollution

Last updated