Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

JWT: jku x5u

3,688 views

Published on

Talk on JWT jku and x5u and how to attack them

Published in: Internet
  • Be the first to comment

JWT: jku x5u

  1. 1. JWT jku&x5u = ❤ Attacking JSON WEB TOKENS… Louis Nyffenegger @PentesterLab louis@pentesterlab.com
  2. 2. About me PentesterLab.com / @PentesterLab Security Engineer PentesterLab: Pentester/Code Reviewer/Security consultant/Security architect Platform to learn web security/penetration testing 100% Hands-on Available for individuals (free and PRO) and enterprises Run a website to help people learn security
  3. 3. Who uses JWT? PentesterLab.com / @PentesterLab • A lot of people for OAuth2 • A lot of people for sessions • A lot of people to manage trust • A lot of people for password reset • A lot of people who care about being stateless and multi-datacenter architecture
  4. 4. Crypto 101
  5. 5. Signature vs Encryption PentesterLab.com / @PentesterLab Encryption gives you confidentiality Signature gives you integrity
  6. 6. Multiple ways of signing PentesterLab.com / @PentesterLab • With a secret using HMAC • With a private key using RSA/EC/… (asymmetric)
  7. 7. Signing with a secret PentesterLab.com / @PentesterLab Sign! Verify! Secret
  8. 8. Signing: asymmetric PentesterLab.com / @PentesterLab Sign! PrivatePublic Verify!
  9. 9. THE JWT FORMAT
  10. 10. JavaScript Object Notation (JSON) PentesterLab.com / @PentesterLab Human readable format to store or transmit objects
  11. 11. The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature 3 parts in a JSON Web Token:
  12. 12. The Compact JWS Format PentesterLab.com / @PentesterLab Header Payload Signature Separated by a dot . .
  13. 13. The Compact JWS Format PentesterLab.com / @PentesterLab eyJ0eXAiOiJK V1QiLCJhbGci OiJIUzI1NiJ9 eyJsb2dpbi I6ImFkb WluIn0 FSfvCBAwypJ4abF6 jFLmR7JgZhkW674 Z8dIdAIRyt1E Separated by a dot . . eyJ = Base64('{"')
  14. 14. The Compact JWS Format PentesterLab.com / @PentesterLab Base64({…}) Base64({…}) Base64(…) Header and Payload are base64* encoded JSON . . * urlsafe base64 encoding without padding The signature is also base64 encoded
  15. 15. The Compact JWS Format: Encoding PentesterLab.com / @PentesterLab Urlsafe base64 encoding without padding: *https://tools.ietf.org/html/rfc7515#appendix-C
  16. 16. The JWT Format: header PentesterLab.com / @PentesterLab Base64({"alg": "HS256", "typ": "JWS"}) The header contains an algorithm “alg” attribute: In this example HMAC with SHA256 was used To tell how the token was signed. … . . …
  17. 17. The JWT Format: Algorithms PentesterLab.com / @PentesterLab A lot of different algorithms are supported*: None * https://jwt.io/ covers most HS256 HS384 HS512 RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512
  18. 18. The JWT Format: payload PentesterLab.com / @PentesterLab … The payload may contain literally anything: Base64({"user":"admin", "roles": ["adm","users"]}). . …
  19. 19. The JWT Format: payload PentesterLab.com / @PentesterLab The payload may contain registered claims: Base64({"user":"admin", "exp":12…, "iat":1234.. }). .… …
  20. 20. The JWT Format: creating a token PentesterLab.com / @PentesterLab • Create the JSON header and base64 encode it • Create the JSON payload and base64 encode it • Concatenate with a dot the (encoded) header and payload • Sign the result (header+.+payload) • Base64 encode the signature • Append a dot then the signature
  21. 21. The JWT Format: verifying a token PentesterLab.com / @PentesterLab • Split the token in three parts based on the dots • Base64 decode each part • Parse the JSON for the header and payload • Retrieve the algorithm from the header • Verify the signature based on the algorithm • Verify the claims
  22. 22. Classic JWT attacks PentesterLab.com / @PentesterLab • None algorithm • Trivial secret • Algorithm confusion • Injection in the kid parameter • CVE-2018-0114 •
  23. 23. jku & x5u
  24. 24. jku and x5u PentesterLab.com / @PentesterLab • If you read some of the JWS RFC, you probably learnt about jku and x5u parameter for the headers • People are starting to use jku (JWK URL)
  25. 25. The JWT Format: jku&x5u PentesterLab.com / @PentesterLab Base64({"jku": "https://...", ...}) … . . … Base64({"x5u": "https://...", ...}) … . . …
  26. 26. The JWT Format: jwk PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "n": "oTtAXRgdJ6Pu0jr3hK3opCF5uqKWKbm4Kkq...vTF0FGw", "e": "AQAB", "alg": "RS256" } ] }
  27. 27. The JWT Format: x5c PentesterLab.com / @PentesterLab { "keys": [ { "kty": "RSA", "use": "sig", "kid": "pentesterlab", "x5c": "MIIDWDCCAkACCQCnE....fpye27SQbC2fBxebsek=", "alg": "RS256" } ] }
  28. 28. jku and x5u PentesterLab.com / @PentesterLab Application Trusted Server User
  29. 29. Application Trusted Server User HTTP Request with JWT1 jku and x5u PentesterLab.com / @PentesterLab
  30. 30. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 jku and x5u PentesterLab.com / @PentesterLab
  31. 31. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  32. 32. Fetching of the JWK based on the “jku” header Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 jku and x5u PentesterLab.com / @PentesterLab
  33. 33. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  34. 34. Application Trusted Server User HTTP Request with JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Fetching of the JWK based on the “jku” header jku and x5u PentesterLab.com / @PentesterLab
  35. 35. jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header Response 1 6 2 3 Parsing of the JWK4 Verifying the JWT signature using the JWK5 Attacker Fetching of the malicious JWK based on the “jku” header
  36. 36. jku and x5u PentesterLab.com / @PentesterLab Application Malicious Server HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header1 2 3 Attacker Fetching of the malicious JWK based on the “jku” header
  37. 37. jku and x5u PentesterLab.com / @PentesterLab Turns out filtering URLs is incredibly hard
  38. 38. jku and x5u : regular expression PentesterLab.com / @PentesterLab https://trusted.example.com => https://trustedzexample.com
  39. 39. jku and x5u : starts with PentesterLab.com / @PentesterLab https://trusted => https://trusted@pentesterlab.com https://trusted/jwks/ => https://trusted/jwks/../file_uploaded https://trusted/jwks/ => https://trusted/jwks/../open_redirect https://trusted/jwks/ => https://trusted/jwks/../header_injection
  40. 40. 3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  41. 41. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server HTTP Request with malicious JWT1 Malicious Server 3 Fetching of the JWK based on the “jku” header Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  42. 42. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  43. 43. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  44. 44. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  45. 45. Parsing of the JWT to extract the “jku” header2 Application Open Redirect Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the malicious JWK5 Fetching of the JWK based on the “jku” header 3a Redirect to malicious server 3b Fetching of the malicious JWK after following the redirect HTTP Request with malicious JWT1 Malicious Server Attacker jku and Open Redirect PentesterLab.com / @PentesterLab
  46. 46. 3 Fetching of the JWK based on the “jku” header Parsing of the JWT to extract the “jku” header2 Application Trusted Server HTTP Request with malicious JWT1 Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  47. 47. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  48. 48. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  49. 49. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  50. 50. Parsing of the JWT to extract the “jku” header2 Application Header Injection Trusted Server 3 Parsing of the JWK4 Verifying the JWT signature using the JWK from the header injection 5 Fetching of the JWK based on the “jku” header 3a The jku uses the header injection to reflect the jwk in a response HTTP Request with malicious JWT1 Header Injection Attacker jku and Header Injection PentesterLab.com / @PentesterLab
  51. 51. Libraries: jku header injection - Exploitation PentesterLab.com / @PentesterLab Exploitation: • Find a Header Injection • Use the Header Injection to return your JWK • Add the Header Injection as jku • Sign the token with your RSA key
  52. 52. jku and x5u: downgrade PentesterLab.com / @PentesterLab • The RFC calls out enforcing TLS to avoid MITM • Few implementations get it wrong: Enforcing when you set the value vs Enforcing when you fetch the key
  53. 53. Conclusion
  54. 54. Recommendations PentesterLab.com / @PentesterLab ✓ Use strong keys and secrets ✓ Don’t store them in your source code ✓ Make sure you have key rotation built-in
  55. 55. Recommendations PentesterLab.com / @PentesterLab ✓ Review the libraries you pick (KISS library) ✓ Make sure you check the signature ✓ Make sure your tokens expire ✓ Enforce the algorithm
  56. 56. Recommendations PentesterLab.com / @PentesterLab ✓ Test for x5u and jku ✓ Don't burn Open Redirect ✓ Read RFC ✓ Hack all the things!
  57. 57. Conclusion PentesterLab.com / @PentesterLab • JWT are complex and kind of insecure by design (make sure you check https://github.com/paragonie/paseto) • JWT libraries introduce very interesting bugs • Make sure you test for those if you write code, pentest or do bug bounties
  58. 58. Any questions? FOR YOUR TIME ! THANKS louis@pentesterlab.com / PentesterLab.com / @PentesterLab

×