Pentesting jwt

{
Pentesting JWT
By Jaya Kumar Kondapalli

WhoAM I?
Just a Security Enthusiast
Was Functional tester by chance..
Now, Penetration tester by choice..
I feel Shy talking about myself

History behind JWT?
What is JWT and it’s structure?
Security concerns with JWT
Recommendations
Agenda

Have you ever seen data like this??
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIi
wibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF
2QT4fwpMeJf36POk6yJV_adQssw5c
Have you observed any pattern in the above value??

Let’s go back to History:
HTTP is Stateless
Select queryPost /login
User=Jay&pass=xyz
200 Ok
Set-cookie:Name=Jay
Found Jay
Browser Server
GET /profile
Cookie:name=Jay
/profile
Hi Jay

Select query
Post /login
User=Jay&&pass=xy
200 Ok
Set-cookie:sessionid=6swe.. Set id=6swe…[]
Get /homepage
Cookie:sessionid=6swe…
Browser Server
Storage where reference s
200 ok
response
Found Jay
Id=6swe
..

Is there any alternative approach instead of storing user’s
state at server side??
Statelessness
which is more preferable for API’s authentication where
Authentication can be done by one server(Authentication
server) and resource can be retrieved by another
server(resource server)
Example: Any single sign on implementation

Select query
Post /login
User=Jay&&pass=xyz
200 Ok
Set-cookie: eyr…[]
Get /homepage
Cookie: eyr…[]
Write + Sign
Verify + Read
200 ok
response

A JSON Web Token (JWT) is a JSON
object that is defined in RFC 7519 as a
safe way to exchange set of information
between two parties. The token is
composed of a header, a payload, and a
signature.
What it JWT??

Structure of JWT??
Both Header and payload are base64 encoded values not encrypted Values..
So anyone can decode header and payload values..

{
"alg": "HS256",
"typ": "JWT"
}
In short header says what algorithm is
being used to create signature
Header : Header part contains Meta Data

Claims:
{
"iss": "Identifier of our Authentication
Server",
"iat": 1504699136,
"sub": "github|353454354354353453",
"exp": 1504699256
}
Payload: Actual data to be exchanged between
two parties

• aud (audience): Recipient for which the JWT is intended
• iss (issuer): Issuer of the JWT
• sub (subject): Subject of the JWT (the user)
• exp (expiration time): Time after which the JWT expires
• nbf (not before time): Time before which the JWT must not be accepted
for processing
• iat (issued at time): Time at which the JWT was issued; can be used to
determine age of the JWT
• jti (JWT ID): Unique identifier; can be used to prevent the JWT from
being replayed (allows a token to be used only once)
More Claims..

HMACSHA256(
base64UrlEncode(header) + "."
+ base64UrlEncode(payload),
secret)
Signature : This part handles
integrity

Now, the important question
what are the security concerns
with JWT..??

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3
ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwic3NuIjoiNzg5MTIzNDU2Ny
IsImRvYiI6IjE1LTA4LTE5OTgiLCJpYXQiOjE1MTYyMzkwMjJ9.tEN
6j4ZeHfeU9HdcpRD9ecF37Xr48CTwxqBBYWRfAwg
Since header and payload are base64 encoded, anyone can decode it
to view data. If we decode above token, you can view sensitive data
Information Leakage
Two mitigate this issue, JWT token has to be implemented in JWE format

JWT is classified based on JOSE
JWT can be implemented in Two ways
1. JWS (JSON web Signature )
2. JWE (JSON web Encryption)
To mitigate information leakage vulnerability one has to
implement JWE

Decode header value and change ‘alg’ value as ‘none’
and encode it again.
Since we are changing algorithm as none, no need to
have signature value.. Let’s try..
Demo time:
http://demo.sjoerdlangkemper.nl/jwtdemo/hs256.php
Check if JWT supports ‘NONE’ as
algorithm

Symmetric Algorithm(Single
key concept)
Asymmetric algorithm (Public
key and private key concept)
What are the cryptography algorithms can be
used to create signature

What could be possible hacks??
Bruteforcing is possible
Demo time with jwt.io
In case of symmetric algorithm key strength
of secret is very crucial.
If it weak, it can be easily brute forcible
using any brute forcing tools like (John the
ripper..)
What if Symmetric alg used?

Demo with RS256
What if Asymmetric alg used?
What if I convert alg value from ‘RS256’ to ‘HS256’ and
What if I consider public key as secret to create a signature??

 Question is how to get Public key..!!
 openssl s_client -connect
zonksec.com:443 | openssl x509 -pubkey
-noout
 Get with the help if android application
exists
Conti..

Possibility of authorization bypass exists if developer’s
appends payload parameters into URL parameters..
Eg: Employee id parameter in both JWT token and as URL parameter
GET /Empinfo?employeid=544123
Host: xyz.com
Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0
NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwic3NuIjoiOTIzNDQ1Njc5IiwiZ
W1wbG95ZWlkIjoiNTQ0MTIzIiwiaWF0IjoxNTE2MjM5MDAyMn0.lLX7hN
kRJzZsk_4xuzmPZwStfVe8s20caJEOqpBcrlA
Note: This scenario mayn’t come into JWT’s security bucket but possibility of security threat is there if developers
transmits parameters values in both as part of JWT and as part of URL parameters
Authorization Bypass

Jsonwebtokens extension
Json-webtokenattacker extension for
checking RSA
Burp Automation Support

 Recommended to use Asymmetric algorithm to
create signature. Incase of symmetric algorithm key
has to be shared with resource server(if multiple
resource server’s exists it would be a problem..!!)
 Use an appropriate Key size
 Don’t pass sensitive data as part of JWT
 Always verify ‘alg’ value at server side such that it
should not contains ‘none’ as value for ‘alg’ field
Recommendations

 https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-
authentication/
 https://github.com/hashcat/hashcat/issues/1057
 https://www.nccgroup.trust/uk/about-us/newsroom-and-
events/blogs/2019/january/jwt-attack-walk-through/
References:

Pentesting jwt

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Pentesting jwt

Similar to Pentesting jwt (20)

Recently uploaded

Recently uploaded (20)

Pentesting jwt