Greeting Everyone! Today we are going to discuss on JWT authentication How sometimes it vulnerable JWT Is modern Technology which Maintain User session cookie . JWT to pass secure information communication between users and servers. JWT Tokens are in JSON format and includes a token signature which protect against More . But sometimes JWT Can Be Vulnerable they can be exploited by attackers to bypass access control system.
What Is JWT?
JSON Web Token is an Internet standard for creating data with optional signature JWT maintain a cryptographic signature, for example a HMAC over the data. A JWT schema contain of three components: a header, a payload, and a signature. JWT Which securely Transfer data between two parties .
How To verify JWT?
JWT Token look like
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjaGFudF91c2VyX2lkIjo2NTg1Mywic2NvcGUiOiJtZXJjaGFudCIsIlJlZnJlc2hUb2tlblVVSUQiOiIiLCJlbnZpcm9ubWVudCI6InByb2R1Y3Rpb24iLCJsYWJlbCI6InNlenpsZSIsImV4cCI6MTU5NjEwMDM5MywiaXNzIjoiU2V6emxlIn0.qA0V3yQFkeJR-vtIoakgYRlH1xbfYnJNJFG7q9LCG90
JWTs can be Used As Header Section Of request :
Authorization: Bearer eyJ0eKNMkkJiOiJKV1QiLCJh…How It Vulnerable?
Always Check Sensitive Data:Information Disclosure
In JWT sometimes Exosed Sensitive data token So here we Need To decrypt JWT. In Jwt Sometimes Exposed Sensitive Data in token So here we need to decode JWT Value Which is in base64 url encoding format And header section of JWT
As above picture we see header with algorithms of encryption basically JWT Use HMAC & RSA To find some sensitive value inside JWT we need to decode base64 value We can use Burp decoder & https://www.jsonwebtoken.io/
After Decode Value Look like:
As Above picture JWT Token which consist User ID & Password Which Could Lead User Data expose attacker can Easily spoof and which could be impact end user .
Changing the algorithm to none:
JWT Basically sometimes Verify algorithm as none . If we specify none algorithm in the header some implementations may accept our JWT as correctly signed that time which possible or bypass . Here we will use burp to change algorithm As none ,
As above pic we can set as none and we can check for response If it vulnerable you can easily bypass restriction schema.
Directory traversal:
Using JWT we can gain access directory traversal if we look for payload section on JWT format there is header KID which help to retrieves key file from file system if target is vulnerable we can retrieve some sensitive information ,
As above picture which shows header KID in this case the attacker can force the application into using a publicly available file as the key.
In this case as above pic we can inject Payload inside JWT Token Which could lead Directory traversal.
Crack the key Using Brute force :
Sometime attacker use Trick to gain access JWT restriction Attacker try to brute force on secret key With Different Key Value . Here By trying a lot of keys on a JWT and checking whether the signature is valid we can discover the secret key.
Some of tool we can bruteforce HS256 signature :
JWTBRUTE, JOHN, CrackJwt Python
Command Injection:
If target Is vulnerable we can fetch directly command injection from insecure Flow as we discuss KID which help to retrieve Files in this can attacker can possible to inject command into the code flow.
As above picture attacker can inject payload inside KID Header Which Could lead to Command Injection .
As we discussed Basic about How Jwt Are Vulnerable in some cases which could Be exploitable . As application passes any of the header parameters we not properly filtered In this case Attacker can gain access and Compromise Jwt schema. we discuss How user Data could be Expose through Jwt .
Thank You ! Author : pallab jyoti Borah ! VAPT Analyst
English
Arabic