What is a JSON Web Token (JWT)?

A JSON Web Token is an open standard that defines a compact and secure way of transmitting information. It is considered secure because it is digitally signed.

A JWT makes a claim with respect to the parties who have signed it. It can also be encrypted to provide secrecy.

When is a JSON Web Token (JWT) used?

It is mostly used in two scenarios:

1. Authentication

Once the user is logged in, each subsequent request sends a JSON Web Token with it, allowing the user to access routes, resources, etc.

2. Information Exchange

JSON Web Tokens are a good way to transmit information between parties securely. Since it is possible to sign JWTs, such as using public/private key pairs, you can be confident that the senders are who they claim they are.

Fig 1.1: JWT Decoder

Structure of a JSON Web Token (JWT)

A JWT consists of three parts separated by dots ( . ):

1. Header: Consists of two parts: the type of token, and the algorithm used, such as HMAC, SHA256, etc. It is base64 encoded.

2. Payload: Contains the claims, which carry information about the user. Claims are of three types: registered, public, and private. The payload is also base64 encoded.

3. Signature: Used to check the integrity of the data, so that tampering can be detected.

It is created by the server using:

Algorithm {header + payload} — secret key

 

What is the use of the kid parameter in a JSON Web Token (JWT)?

The “kid” (key ID) Header Parameter is a hint indicating which key was used to secure the JWS. This parameter allows originators to explicitly signal a change of key to recipients. The structure of the “kid” value is unspecified. Its value should be a case-sensitive string.

 

How to recognize a JWT token?

A JWT usually starts with the base64 characters “ey”, and its parts are separated by two dots (.).

 

Algorithms

1. Symmetric

This mechanism requires a single key to create and verify the JWT.

The most common algorithm for this type is HS256.

2. Asymmetric

This mechanism requires a “Private” key for creating the signature and a “Public” key for verifying it.

The most common algorithm for this type is RS256.

Multiple signature methods can be used to check the integrity of JWT:

  • RSA based
  • Elliptic curves
  • HMAC
  • None

 

Now let’s see different methods for exploiting a JSON Web Token.

1. None Algorithm

If an application fails to verify the value of the “alg” header, then we can change its value to “none”, and this way it omits the need for a valid signature for verification.

 

Cracking a sample JSON Web Token (JWT) using base64 decode.

Fig 1.2: Base64 Decode

Now encode it back, changing the algorithm from HS256 to None, and pass it on.

 

2. Change Algorithm from RS256 to HS256

The RS256 algorithm needs a private key in order to tamper with the data and a corresponding public key to verify the authenticity of the signature. But if we change the signing algorithm from RS256 to HS256, we make the application use only one key to do both tasks, which is the usual behavior of the “HMAC” algorithm.

Hence, in this method, the workflow changes from asymmetric to symmetric, and now we can sign new tokens with the same public key.

But where is the public key found?

In a real scenario, you may be able to get the public key from a JavaScript file or from a mobile application.

 

Let’s use JWT_tool, written in Python, for this exploitation.

The following command is used in this scenario.

python3 JWT_tool.py <JWT> -S hs256 -k public.pem

Fig 1.3: JWT TOOL PAYLOAD FOR CHANGE RS256 TO HS256 ALGORITHM ATTACK


Here we first have to download the public key from one of the possible sources and then sign the token with the HS256 algorithm using that key. This way we can produce new tokens and inject a payload into any existing claim.

 

3. Signature Not Being Checked

During recon on the data in the header and payload sections, if the app returns no error, it means the signature is not being checked after the token has been signed by the authorization server. This way we can inject the payload in the assertion and the token will always be valid.

The following command is used in this scenario.

python3 JWT_tool.py <JWT> -I -pc name -pv admin 

Fig 1.4: JWT TOOL PAYLOAD FOR SIGNATURE NOT CHECKED

The signature part is unchecked so we can tamper with the name field in the payload section and gain higher privileges.
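All three weaknesses above are closed by a verifier that pins the expected algorithm on the server side and checks the signature before reading any claim. The following Python verifier is an added example, not code from the original article or from JWT_tool; the names EXPECTED_ALG, sign_hs256 and verify, and the demo key, are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

EXPECTED_ALG = "HS256"  # assumption: pinned in server config, never taken from the token


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a token; used here only to construct sample input."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify(token: str, key: bytes) -> dict:
    """Return the claims only if structure, algorithm and signature all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("malformed token") from exc
    # Rejects "none", its case variants, and any algorithm other than the pinned one.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))  # claims are parsed only after the check


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample value
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"name": "user"}, demo_key)
    print(verify(token, demo_key))
```

On a service that issues RS256 tokens the pinned value would be RS256 and verification would go through a vetted JWT library with an explicit algorithm allowlist; the pinning is what stops an HS256 token signed with the public key from being accepted.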

 

Author,

Saketh Reddy Malepu

Attack & Pentest Team

Varutra Consulting Pvt.Ltd