
JWT Stuff

JWT Hacking Stuff

Table of Contents

  • JWT
  • JSON vs JWT
  • JWT parts
  • Types
  • Attacks

JWT

  • It stands for JSON Web Tokens (JWT).
  • JSON is a lightweight, human-readable format for representing structured data and is widely used to exchange data between client and server.
  • JSON sends data as plain text, making it easy to read and parse.
  • Unlike plain JSON, JWT encodes data using Base64URL encoding (not encryption) for safe, compact transmission.

Parts

JWT is divided into three parts, separated by dots: header.payload.signature

  1. The JOSE (JSON Object Signing and Encryption) header (signing algorithm, token type):

    {"alg": "HS256", "typ": "JWT"}

  2. The payload (contains the actual data, or claims, about the user and the token):

    {"sub": "1234567890", "name": "John Doe", "isAdmin": false}

  3. The signature (ensures the token has not been tampered with):

    HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key)


JWTs are signed, not encrypted, by default: anyone holding a token can Base64URL-decode the header and payload and read the claims. For confidentiality, use JWE (JSON Web Encryption).
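As an added example (not part of the original post), the following Python reproduces the three parts described above using only the standard library: it Base64URL-encodes the header and payload shown earlier, computes HMACSHA256 over header.payload with a secret, and then shows that the payload is readable by anyone who holds the token while the signature only checks out for the party that knows the secret. The secret value is constructed for this demonstration.

```python
# Added example (not from the original post): build and verify an HS256 JWT
# with the Python standard library, following the header.payload.signature
# layout described above. The secret below is constructed for this example.
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64URL without '=' padding, as JWT requires (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding that JWTs strip."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_unverified(token: str) -> tuple:
    """Read header and payload without the secret: a JWT is encoded, not encrypted."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare it in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


SECRET = b"constructed-demo-secret-not-for-production"  # constructed for this example

if __name__ == "__main__":
    token = sign_hs256({"alg": "HS256", "typ": "JWT"},
                       {"sub": "1234567890", "name": "John Doe", "isAdmin": False},
                       SECRET)
    print(token)
    print(decode_unverified(token))       # readable without the secret
    print(verify_hs256(token, SECRET))    # True: signature matches
    print(verify_hs256(token, b"wrong"))  # False: different key, different HMAC
```

The first token segment produced here is the same "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" header shown later in the post, because Base64URL of {"alg":"HS256","typ":"JWT"} is deterministic; only the signature segment depends on the secret.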

Types

JWT (JSON Web Token) is not a single token type but a standard that can be implemented in different ways, primarily as JWS or JWE.

  1. JWS (JSON Web Signature):

    Use JWS when you need authentication and integrity (most common).

  2. JWE (JSON Web Encryption):

    Use JWE when you need data confidentiality (e.g., cross-domain SSO with sensitive claims).


Attacks

1. JWT authentication bypass via unverified signature

No signature verification: the server accepts the token without checking its signature, so the signature part can simply be removed and the payload edited to set the username to administrator.

[Header]
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
[Payload]
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.
[Signature] --> remove this part, set the username to admin, root, or administrator, and send the token
KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30

[Original JWT]
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
[Final JWT]
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.

2. JWT authentication bypass via flawed signature verification

Set the alg to none and remove the signature (the "none" algorithm attack, done via Burp): change the JWT header's alg to none, strip the signature, and set the username to administrator. The flaw is that the server trusts the algorithm named in the token's own header, so an unsigned token passes its verification.

3. JWT authentication bypass via weak signing key

Brute-force the secret with Burp, then set the username to administrator and re-sign the token with the recovered secret. This works when the secret is weak (short, or taken from a common wordlist) and therefore easy to crack.

4. JWT authentication bypass via jwk header injection

Create a new RSA key pair and embed its public key as a JWK in the token header. The token is signed with our private key, and a server that trusts the embedded jwk header verifies it with our public key instead of its own pinned RSA key, so the server no longer checks the token against the key it is supposed to use.
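As an added example (not part of the original post), here is a server-side verifier that closes all four bypasses above in one place: it refuses tokens with a missing or empty signature (attack 1), pins the algorithm on the server side and rejects "none" or any mismatch (attack 2), refuses to verify with a key shorter than the 256 bits RFC 7518 requires for HS256 (attack 3), and never accepts key material carried by the token itself, resolving keys only by kid from a server-held store (attack 4). The key store, kids, claims and the jwk placeholder are all constructed for this demonstration; the real attack 4 embeds an RSA public key, but the check rejects any jwk/jku/x5u/x5c header regardless of key type.

```python
# Added example (not from the original post): a hardened JWT verifier that
# rejects each of the four bypasses listed above. Keys, kids, claims and
# tokens are constructed for this demonstration.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Keys live only on the server; a token may name one by kid, never carry one.
KEY_STORE = {
    "app-key-1": b"constructed-32-byte-minimum-secret-1234",  # constructed, 39 bytes
    "legacy-key": b"secret",                                  # constructed, deliberately weak
}
MIN_HS256_KEY_BYTES = 32  # RFC 7518 section 3.2: HMAC key at least as long as the hash output
TOKEN_SUPPLIED_KEY_PARAMS = ("jwk", "jku", "x5u", "x5c")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_token(token: str, expected_alg: str = "HS256") -> dict:
    """Return the payload if every check passes; raise ValueError naming the failed check."""
    parts = token.split(".")
    # Attack 1: a stripped or empty signature is a hard failure, not "nothing to verify".
    if len(parts) != 3 or not all(parts):
        raise ValueError("header, payload and signature must all be present")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Attack 2: the server chooses the algorithm; "none" or any mismatch is rejected.
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} not allowed")
    # Attack 4: key material in the header (jwk, jku, x5u, x5c) is never trusted.
    if any(p in header for p in TOKEN_SUPPLIED_KEY_PARAMS):
        raise ValueError("token-supplied key material is not accepted")
    key = KEY_STORE.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    # Attack 3: refuse to verify with a key short enough to brute-force.
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("signing key shorter than 256 bits")
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def build_token(header: dict, payload: dict, key: Optional[bytes]) -> str:
    """Assemble header.payload.signature; key=None leaves the signature part empty."""
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)
    )
    if key is None:
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def outcome(token: str) -> str:
    """'accepted', or 'rejected: <reason>' so the scenarios below can be compared."""
    try:
        verify_token(token)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def run_scenarios() -> dict:
    """A legitimate token plus the four attacks from the post, each run through verify_token."""
    claims = {"sub": "1234567890", "name": "John Doe", "isAdmin": False}
    escalated = dict(claims, isAdmin=True)
    good_hdr = {"alg": "HS256", "typ": "JWT", "kid": "app-key-1"}
    return {
        "legitimate": outcome(build_token(good_hdr, claims, KEY_STORE["app-key-1"])),
        # 1. signature removed entirely
        "unverified_signature": outcome(build_token(good_hdr, escalated, None)),
        # 2. alg set to none (a dummy signature keeps the part count at three so the alg check is reached)
        "alg_none": outcome(build_token(dict(good_hdr, alg="none"), escalated, b"x")),
        # 3. token signed with the weak legacy key
        "weak_key": outcome(build_token(dict(good_hdr, kid="legacy-key"), escalated, KEY_STORE["legacy-key"])),
        # 4. key material embedded in the header (placeholder jwk, constructed)
        "jwk_injection": outcome(build_token(dict(good_hdr, jwk={"kty": "oct", "k": "AAAA"}), escalated, b"AAAA")),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} {result}")
```

The order of the checks matters: structure and algorithm are validated before any key is looked up, the key is chosen by the server rather than by the token, and only then is the HMAC compared, in constant time. A library-based verifier should be configured to the same effect (an explicit algorithm allowlist, a required signature, and keys supplied by the application, not read from the header).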

This post is licensed under CC BY 4.0 by the author.