Greeting Everyone! Today we are going to discuss on JWT authentication How sometimes it vulnerable JWT Is modern Technology which Maintain User session cookie . JWT to pass secure information communication between users and servers. JWT Tokens are in JSON format and includes a token signature which protect against More . But sometimes JWT Can Be Vulnerable they can be exploited by attackers to bypass access control system.
What Is JWT?
JSON Web Token is an Internet standard for creating data with an optional signature JWT maintains a cryptographic signature, for example, HMAC over the data. A JWT schema contains of three components: a header, a payload, and a signature. JWT Which securely Transfers data between two parties.
How To verify JWT?
JWT Token looks like
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXJjaGFudF91c2VyX2lkIjo2NTg1Mywic2NvcGUiOiJtZXJjaGFudCIsIlJlZnJlc2hUb2tlblVVSUQiOiIi
LCJlbnZpcm9ubWVudCI6InByb2R1Y3Rpb24iLCJsYWJlbCI6InNlenpsZSIsImV4cCI6MTU5NjEwMDM5MywiaXNzIjoiU2V6emxlIn0.qA0V3yQFkeJRvtIoakgYR
lH1xbfYnJNJFG7q9LCG90
JWTs can be Used As Header Section Of request :
Authorization: Bearer eyJ0eKNMkkJiOiJKV1QiLCJh…How It Vulnerable?
Always Check Sensitive Data: Information Disclosure
In JWT sometimes Exposed Sensitive data tokens so here we need to decrypt JWT. In Jwt Sometimes Exposed Sensitive Data in the token So here we need to decode the JWT Value Which is in base64 URL encoding format and header section of JWT
In the above, we see a header with algorithms of encryption basically JWT Use HMAC & RSA To find some sensitive value inside JWT we need to decode base64 value We can use Burp decoder & https://www.jsonwebtoken.io/
After Decode Value Look like:
As Above picture JWT Token which consists of a User ID & Password Could Lead to User Data exposure attacker can Easily spoof and could impact the end user.
Changing the algorithm to none:
JWT Basically sometimes Verify algorithm as none. If we specify none algorithm in the header some implementations may accept our JWT as correctly signed at that time which is possible or bypass. Here we will use burp to change the algorithm As none,
As above, we can set it as none and we can check for a response If it is vulnerable you can easily bypass the restriction schema.
Directory traversal:
Using JWT we can gain access directory traversal if we look for payload section on JWT format there is header KID which help to retrieves key file from file system if target is vulnerable we can retrieve some sensitive information,
As above picture which shows header KID in this case the attacker can force the application into using a publicly available file as the key.
In this case as above pic we can inject Payload inside JWT Token Which could lead Directory traversal.
Crack the key Using Brute force :
Sometime attacker use Trick to gain access JWT restriction Attacker try to brute force on secret key With Different Key Value . Here By trying a lot of keys on a JWT and checking whether the signature is valid we can discover the secret key.
Some of tool we can bruteforce HS256 signature :
JWTBRUTE, JOHN, CrackJwt Python
Command Injection:
If target Is vulnerable we can fetch directly command injection from insecure Flow as we discuss KID which help to retrieve Files in this can attacker can possible to inject command into the code flow.
As above picture attacker can inject payload inside KID Header Which Could lead to Command Injection .
As we discussed Basic about How Jwt Are Vulnerable in some cases which could Be exploitable . As application passes any of the header parameters we not properly filtered In this case Attacker can gain access and Compromise Jwt schema. we discuss How user Data could be Expose through Jwt .
Thank You !
Author
Pallab Jyoti Borah
VAPT Analyst
