- https://twitter.com/BHinfoSecurity/status/1299743624553549825?s=09
- https://youtu.be/ghfmx4pr1Qg (very beginner friendly)
- https://medium.com/ag-grid/a-plain-english-introduction-to-json-web-tokens-jwt-what-it-is-and-what-it-isnt-8076ca679843
- https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a
- What the heck is this?!
1. It is an authentication type
2. It consists of a header, a payload and a signature
- Header
{
"alg" : "HS256",
"typ" : "JWT"
}
- Payload
{
"loggedInAs" : "admin",
"iat" : 1422779638
}
- Signature
HMAC-SHA256
(
secret,
base64urlEncoding(header) + '.' +
base64urlEncoding(payload)
)
- Changing alg to none
- Example
{
"alg" : "NONE",
"typ" : "JWT"
}
Note: remove the signature
You can also use none, nOne, None, n0Ne
- Change the payload like this:
Payload
{
"loggedInAs" : "admin",
"iat" : 1422779638
}
- Here, change the user to admin
- First Base64url-decode the full token, or decode each part of the token one by one
- Change the payload using the JSON Web Token Burp extension
- Changing the algorithm from RS256 to HS256 (key confusion)
- If the signature is not checked, remove it or tamper with it
- Brute forcing the secret in HS256, because HMAC uses the same key to sign and verify (the verification key is the signing key)
1) Create an account
2) Inspect the token
3) Base64-decode the header
4) If a kid parameter is present, you may find some bugs there
5) Using that parameter you can also find directory traversal; here is how
6) Change that kid parameter to your directory traversal payload
7) Change the payload to {"user":"admin"}
8) Create a Python script that generates the exploit token (if you want that script, DM me on Twitter)
9) Put that token in and reload the page
10) Done
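As an added example (not from these notes or any of the linked resources), a minimal Python verifier that closes the gaps the notes above exploit: it pins the algorithm server side instead of trusting the header (so none/nOne/None/n0Ne and RS256-to-HS256 swaps are rejected), checks the HMAC in constant time so an edited payload fails, and treats kid as an allowlist lookup rather than a file path. The key store, secret, token values and the demo() helper are constructed for this example.

```python
import base64, hashlib, hmac, json

# Constructed demo key store (kid -> HMAC secret). kid is only ever a dictionary
# lookup key, never turned into a file path, so traversal strings fail closed.
KEYS = {"k1": b"constructed-demo-secret-not-for-production"}
EXPECTED_ALG = "HS256"  # pinned server side; the token header does not get to choose

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def enc_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue a token as the notes describe: HMAC-SHA256 over header.payload."""
    signing_input = enc_json(header) + "." + enc_json(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str):
    """Return the payload dict for a valid token, otherwise None (fail closed)."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:  # stripped or empty signature
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        # Pinned alg, never the header's: rejects none/nOne/None/n0Ne and RS256->HS256 swaps.
        if header.get("alg") != EXPECTED_ALG:
            return None
        secret = KEYS.get(header.get("kid"))  # allowlist lookup, no path building
        if secret is None:
            return None
        expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None  # edited payload or forged signature
        return json.loads(b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError, AttributeError, TypeError):
        return None

def demo():
    # A valid token plus the three tampering cases from the notes above (all constructed).
    good = sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "k1"},
                      {"loggedInAs": "user", "iat": 1422779638}, KEYS["k1"])
    h, p, s = good.split(".")
    alg_none = enc_json({"alg": "nOne", "typ": "JWT", "kid": "k1"}) + "." + p + "."
    admin = h + "." + enc_json({"loggedInAs": "admin", "iat": 1422779638}) + "." + s
    bad_kid = enc_json({"alg": "HS256", "kid": "../../constructed-traversal"}) + "." + p + "." + s
    return verify(good), verify(alg_none), verify(admin), verify(bad_kid)
```

demo() returns the decoded payload for the genuine token and None for each of the three tampered ones.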
- JWT token attack Burp extension (Link - https://github.com/portswigger/json-web-token-attacker)
- Base64 decoder
- jwt.io to analyse the structure of the token
- jwtcat for weak secret tokens
- YouTube, Medium, GitHub, Google