JWT
Definition: JSON Web Tokens (JWTs) are standardized, cryptographically signed JSON data formats for exchanging information, commonly used in authentication and access control.
Storage: JWTs store all necessary data client-side, making them ideal for distributed systems.
Structure: Consists of three parts: header, payload, and signature, separated by dots.
Header & Payload: Both are base64url-encoded JSON objects; the header contains metadata, while the payload includes user claims (e.g., name, email).
Security: The integrity of a JWT relies on its cryptographic signature, which is created using a secret signing key; any modification to the header or payload invalidates the signature.
Wordlist of known JWT secrets: https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list
Unverified JWT
- Change the user, or possibly an isAdmin key, in the payload.
Unverified signature
- Change alg to none.
- Injecting self-signed JWTs via the jwk parameter
- Click New RSA Key (JWT Editor Keys tab) to generate a key pair.
- In the request JWT payload, change the value of the sub claim to administrator.
- Select Attack, then select Embedded JWK with the newly generated RSA key.
- Observe that the JWT header now contains a jwk parameter holding our public key; sending the request results in access to the admin portal.
Injecting jku header with self-signed key
- Generate a new RSA key pair automatically, and ignore the size.
- On the exploit server, create an empty JWK set as the body:
{ "keys": [ ] }
- Copy the public key as JWK from the RSA key pair generated in the previous step, and paste it between the square brackets of the exploit body:
{ "keys": [ paste ] }
- Copy the kid value of the generated RSA key into the kid value of the /admin request JWT header.
- Set a new jku parameter to the exploit server URL: https://exploit-server.net/exploit
- Change the JWT payload value of the sub claim to administrator.
- On the /admin request in Repeater, at the bottom of the JSON Web Token tab, click Sign.
- In the Sign dialog, select the RSA signing key that was generated in the previous steps.
- Send the request and gain access to the admin portal.
kid path traversal
- Generate a new Symmetric Key and replace the k property with the base64 null byte AA==.
- Change the kid header value to a path that resolves to null:
Brute force secret
- Brute-force the weak JWT signing key using hashcat. The hashcat result provides the secret, which is used to generate a forged signing key.
- In the JWT Editor Keys tab, click New Symmetric Key. In the dialog, click Generate to generate a new key in JWK format.
- Replace the generated value of the k property with the Base64-encoded secret.
- In the payload, change the value of the sub claim to administrator.
- At the bottom of the tab, click Sign, then select the key that you generated in the previous section.
- Make sure that the Don't modify header option is selected, then click OK. The modified token is now signed with the correct signature.