Skip to main content

JWT token exploitation by Bruteforce weak signing key


  • Bruteforce weak signing key
    Try to brute force a weak signing key. If you get the secret key that is used for creating the signature, then you can modify data and use that key to create a new signature. In this scenario, the server is validating the signature, but the server is using the weak key for creating the signature.
    I know some of you might be confused about this. Check this blog to understand the digital signature.


Check the above image, if you know the secret you can create your own signature, and that same secret is used for validating the signature at the server end. This is how it works.

For brute force, you can sue any signature dictionary. https://raw.githubusercontent.com/wallarm/jwt-secrets/master/jwt.secrets.list
Copy the JWT token and paste it into the below command and give the path to the dictionary.

Bruteforcing:

hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list
or
python3 jwt_tool.py <JWT Token> -C -d jwt.secrets.list



Let’s say after using the above command you get the secret key: secret1
Now convert the secret key in base64 (c2VjcmV0MQ==) by using the Burp decoder.
Go to the “JWT Editor Keys” in Burp and then click on “New Symmetric key”. Click on “Generate” and replace the value of “k” with the base64 secret key.
We are just saving our key in base64 in the formula so that it can be used for signing the header and payload in the next steps.


Now go back to the repeater in Burp, and change the value in the payload by using “JSON Web Token”. At the bottom of the tab, click “sign”, then select the key that you generated in the previous section. Make sure that the Don’t modify header option is selected, then click OK. The modified token is now signed with the correct signature.


Send the request and observe the successful response. 


JWT:
https://lazyhacker22.blogspot.com/2022/07/jwt-vulnerabilities-list-simple.html
https://lazyhacker22.blogspot.com/2022/06/what-is-jwt-json-web-tokens-simple.html

Labels:

Comments

Post a Comment

Popular posts from this blog

Free Cybersecurity Certifications

Introduction to Cybersecurity Cybersecurity Essentials Networking Essentials Android Bug Bounty Hunting: Hunt Like a Rat Ethical Hacking Essentials (EHE) Digital Forensics Essentials (DFE) Network Defense Essentials (NDE) Introduction to Dark Web, Anonymity, and Cryptocurrency AWS Skill Builder Introduction to Cybersecurity Building a Cybersecurity Toolkit Cyber Aces Free Cyber Security Training Course Introduction to Information Security Penetration Testing - Discovering Vulnerabilities
Post a Comment
Read more

Is your webcam exposed on the internet and everyone enjoying your personal moments? | How to check webcam or security camera is exposed on the internet or not?

Nowadays we start using many technology devices in our homes. Many people are installing CCTV or security cameras in their houses, private rooms, offices, private places, etc for security purposes and monitoring, but many of them don't know how to configure that device securely. So let's talk about CCTV and security cameras only.  What do most CCTV/Security camera users believe? Most users believe that using a strong username and password on a camera administrative page protects them. (Partially true in the case of online cameras) Example: Why it is partially true? It's partially true because you are protecting only the camera administrative page which is also an important part. Still, you are not protecting the protocol used to control streaming media servers (Real-Time Streaming Protocol ( RTSP )). I have seen many online webcams whose administrative page is secured by strong credentials, but they forget to secure the RTSP protocol which gives me access to the streaming ...
Post a Comment
Read more

Web Application Security Testing (WAPT) Interview Questions

Let's Contribute All Together For Creating a Questions Dump What are the vulnerabilities you have to test in the Login form, Payment gateway? What is clickjacking? What is the mitigation of clickjacking? What is CSRF? How to mitigate CSRF? Let's take an example, If a developer implements a CSRF token in a cookie, will it mitigate the CSRF issue? Is it possible to mitigate the CSRF by header? If yes why, if No why? If the data is in JSON format, how you will check the CSRF issue and what are the ways of exploitation? Where to implement the CSRF token and why? If the client doesn't want to change the UI or doesn't want to implement the CSRF tokens, and headers then what mitigation you recommended to the client for CSRF? What is the problem with the per-request token? Is login CSRF possible? Explain login CSRF? Have you ever exploited it? What is the mitigation for login CSRF? Suppose, in an application csrf token is implemented in each request and every request, except th...
Post a Comment
Read more