
JWT Hacking

How does JWT work?

1. The browser makes a POST request with a username and password, which is sent to the server.

2. The server generates a token from the credentials and sends it back to the browser.

3. Whenever the browser needs to access anything on the server, it sends the same JSON Web Token.

4. The server receives the JWT and verifies the token.


A JWT has three important components:

Header

The header is a base64url-encoded JSON object. It states which algorithm is used to sign the data and what type of token it is.

{
 "alg" : "RS256",
 "typ" : "JWT"
}
 

Payload

The payload is also base64url-encoded JSON. It contains the actual data (the claims).

{ "user" : "admin" }

 

Signature

The signature is used to validate the token:

signature = HMAC-SHA256(base64urlEncode(header) + '.' + base64urlEncode(payload), secret_key)

Create a token with Python

Install PyJWT:
1. pip install pyjwt
 

JWT_TOKEN

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4ifQ.LRI2xVvutYO5zFbxtG5KW1aKoZNYPXfclTAgZv5JfVQ

We already know the token is base64url encoded, in the form:

base64url(header) + "." + base64url(payload) + "." + signature(base64url(header) + "." + base64url(payload), secret)

Decoded values

Header

{"typ":"JWT","alg":"HS256"}

Payload

{"user":"admin"}

The payload uses base64url encoding, which omits the trailing "==" padding; we need to put the padding back to decode it as valid JSON.

The signature does not need to be decoded: on its own it is just raw HMAC bytes and tells us nothing.
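To see the decoded values without a separate tool, here is an added Python example (not code from the original post) that splits the token quoted above, restores the base64url padding that JWTs strip, and parses the header and payload. The function names are my own; the token is the one printed on the page.

```python
import base64
import json

# The HS256 token quoted on the page: header.payload.signature, base64url without padding.
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
    ".eyJ1c2VyIjoiYWRtaW4ifQ"
    ".LRI2xVvutYO5zFbxtG5KW1aKoZNYPXfclTAgZv5JfVQ"
)


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs omit.

    The segment length mod 4 tells us how many '=' characters were dropped:
    "eyJ1c2VyIjoiYWRtaW4ifQ" is 22 characters, so it needs "==".
    """
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def inspect_token(token: str) -> dict:
    """Return the decoded header, payload and the raw signature length.

    The signature is not JSON, so it is only measured (32 bytes for HMAC-SHA256).
    Nothing here verifies the token: this is inspection only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    return {"header": header, "payload": payload, "signature_len": len(signature)}


if __name__ == "__main__":
    print(json.dumps(inspect_token(PAGE_TOKEN), indent=2))
```

Note that `inspect_token` deliberately reads the header only to display it; a verifier must never trust the `alg` value it finds there, which is the point of the none and RS256-to-HS256 issues discussed below.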

POSSIBILITIES FOR VULNERABILITIES

  • NONE ALGORITHM (change alg to none or None and remove the signature)

  • RS256 => HS256 (algorithm confusion)

  • WEAK SECRET (a weak secret used to create an HS256 token)

    JWT has many other vulnerabilities too, but these are the ones I worked on.

NONE

The none algorithm lets the data be modified without a valid signature. I logged in and got the JWT; it is this token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6InVzZXIiLCJpYXQiOiIxNTk4NTkwODg3In0.MzViZWIzNDY4NTU2YjdjYmRjZGM0YjRiM2Y0YzkzZjBhZGMwZDY4ZGE1YTRjNTc1NDcxNGE2ZjFmM2U0NmVkMw

First check whether the none algorithm is accepted: change alg to none, remove the signature, and change the user to admin.

github-code

RS256 ==> HS256

Change the algorithm type. The important thing is:

RS256 uses an asymmetric key pair, so it has a private key and a public key.

private key ===> sign

public key ===> verify

HS256 uses a symmetric key, so it has a secret key only.

The step is to change the algorithm the server uses to validate the token,

so the server thinks "okay, it's the HS256 algorithm, so we use HS256 to verify the token".

So we need a secret for HS256, and the public key serves as it.


github-code

Weak secret

HS256 uses a symmetric key, and sometimes that key is weak, so we can easily brute-force it and recover the key value.

First, I had already created a token with the HS256 algorithm using PyJWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW4ifQ.LRI2xVvutYO5zFbxtG5KW1aKoZNYPXfclTAgZv5JfVQ

We don't know what password it has, so I need to use rockyou or cewl to create a custom password list.

I used a simple word list for cracking.
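As an added example (not the author's GitHub code), the following Python uses only the standard library (hmac and hashlib instead of PyJWT) to sign an HS256 token and then verify it the way a server should: the expected algorithm is fixed in code rather than read from the token's header, so both the none trick and the RS256-to-HS256 confusion described above are rejected, the signature is compared in constant time, and a secret shorter than the 32 bytes RFC 7518 requires for HS256 is refused, which is the direct mitigation for the weak-secret case. The secret and claims are constructed sample values and the function names are mine.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output (256 bits).
MIN_HS256_SECRET_BYTES = 32

# Constructed sample secret for the demo; a real deployment generates one with os.urandom.
SAMPLE_SECRET = b"constructed-demo-secret-not-for-production!!"


def b64url_encode(data: bytes) -> str:
    """base64url without the '=' padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature exactly as the page's HMAC-SHA256 formula describes."""
    header = {"typ": "JWT", "alg": "HS256"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Hardened verification; raises ValueError on any problem, returns the claims otherwise.

    The accepted algorithm is a server-side constant. Because the key type is tied to
    that constant, a token whose header says "none" or "RS256" is rejected before any
    cryptography runs, which closes the none and RS256->HS256 confusion paths.
    """
    if len(secret) < MIN_HS256_SECRET_BYTES:
        raise ValueError("HS256 secret is shorter than 32 bytes; refusing to verify")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def verification_fails(token: str, secret: bytes) -> bool:
    """True when verify_hs256 rejects the token (used to exercise the negative cases)."""
    try:
        verify_hs256(token, secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tok = sign_hs256({"user": "admin"}, SAMPLE_SECRET)
    print(tok)
    print(verify_hs256(tok, SAMPLE_SECRET))
    unsigned = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + tok.split(".")[1] + "."
    print("none token rejected:", verification_fails(unsigned, SAMPLE_SECRET))
```

The header and payload segments produced by `sign_hs256({"user": "admin"}, ...)` are byte-for-byte the ones in the page's token; only the signature differs, because the page's secret is unknown here. A secret that passes the length check can still be a dictionary word, so the length floor complements, rather than replaces, generating the secret randomly.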

github-code

