JWT Token Bypass

Photo by Steve Halama on Unsplash

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Today, virtually every web developer uses JSON Web Tokens (JWTs) one way or another. OAuth 2.0 and OpenID Connect use them to exchange information between parties. Modern applications use them to keep track of state between requests. Backend services use them to propagate authorization information in a microservice architecture.

A typical JWT token has following components- eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.spzCikhspCdf6XAUci3R4EpJOH6gvZcvkDCVrkGbx7Y

Header

The header typically consists of two parts: the hashing algorithm being used (e.g., HMAC SHA256 or RSA ) and the type of the token (JWT).

{“typ”:”JWT”,”alg”:”HS256"}

Payload

The payload contains statements about the entity (typically, the user) and additional entity attributes, which are called claims. In this example, our entity is a user.

{“user”:null}

Signature

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way.
To create a signature, the Base64-encoded header and payload are taken, along with a secret and signed with the algorithm specified in the header.

Types of JWT signature

1)Asymmetric algorithms

In an Asymmetric algorithm, two keys are used to encrypt and decrypt messages. While one key(private) is used to digitally sign the message and the other key(public) can only be used to verify the authenticity of the signature. So basically, John can generate both public and private keys, then send only the public key to Mary to verify his messages. For eg RSA

2)Symmetric algorithm

In a Symmetric algorithm, a single key is used to encrypt the data. When encrypted with the key, the data can be decrypted using the same key. If, for example, Alice encrypts a message using the key “my-secret-key” and sends it to John, he will be able to decrypt the message correctly if and only if he uses the same key i.e. “my-secret-key”. For eg HMAC

How to analyse JWT?

One of the ways to analyze the jwt token , is to use burp extension named “ Json Web Tokens” . It can be added to existing burp configuration through-

Extender →BAPP store →Json web token → Install.

Whenever a request containing a jwt token is being intercepted by the proxy , it would automatically parse token in the request and reflect the decoded values in the adjacent tab. The extension can also be used to further manipulate the value of jwt token in the original request.

Different attacks available against the jwt token

  1. Alg None attack-

The “none” algorithm is being used in alg header of the token when the integrity of a token is already being verified i.e No signature is required.The signature attached at the end is being used as a means to verify whether the value of the payload is same or manipulated.

However the attacker could easily use the above situation to his advantage. For e.g if following is a token , containing a header ,payload and signature the attacker could easily manipulate the value of “alg” header to “None” eliminate the signature part of the token.

When the server receives such form of token , as a result of “None” algorithm it does not perform the signature verification . Thus now the attacker could manipulate the value payload without any server side detection and get vertical or horizontal privilege escalation.

2)Bruteforcing the value of key parameter.

JWT token using HS256 algorithm for signature can be susceptible to bruteforce attack . Sometimes weak secret key is being used on server side to sign the jwt token using HS256 algorithm. This gives attacker a possibility to bruteforce a list secret keys against a given valid token .

Once the actual key has been derived the used could easily manipulate the value of payload header and generate a valid signature.

Amazing tool already available to execute this task is already present at the github https://github.com/rxall/jwt-cracker . It involves the use of pyjwt library to generate and compare signature for given list of keys.

3)Manipulating the Kid parameter-

Multiple keys could be used on the server side to sign a jwt token .The value of the kid parameter is being used as mapping to actual key which is being used for signing the token . “kid” is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.For eg is ‘“kid”:1’ then key having index 1 on server side will be used to sign the token.

For an attacker the interesting thing to look here is that the value of the kid parameter could be modulated leading to sql injection or directory traversal.

Thus instead of sending a numeric value a attacker can send “/dev/null”. ”dev/null” is a special filesystem object that throws away everything written into it. Since the content in it is null & void , server when trying to use its value to sign a token will not produce any signature . Thus attacker could easily manipulate the value of payload without any need to generate the signature.

--

--

--

Security Engineer|Bug Hunter twitter-@Cyb3rlant3rn

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Weekly Update #1

6 Secrets That Experts Of IoT Security In 2020 Don’t Want You To Know

Iris Recognition Market is projected to reach a value of over USD 7.7 billion by 2027

Analysis of a Malspam Email and Emotet IOC’s

{UPDATE} Color Twin Hack Free Resources Generator

What WhatsApp’s Spyware Vulnerability Means for WhatsApp Business Users

{UPDATE} Aggressive Skateboarding Hack Free Resources Generator

The Cryptozoan — March 19th, 2022 Update

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Cyb3rlant3rn

Cyb3rlant3rn

Security Engineer|Bug Hunter twitter-@Cyb3rlant3rn

More from Medium

How to translate in Ionic 5 Vue Capacitor app — Internationalization and Localization

What is node js ? How do you get started with your first node js project?

What are RESTful API and Koa js ?

How to Build a JavaScript Global Meeting Planner Application