JWT or JSON web tokens are widely used these days for authorization purposes so it pays off to learn about what JWT’s entail and how we can abuse them. In essence, it all may seem simple but simplicity is often the killer of good judgment and the devil is in the details. Let’s explore this wonderful way of authorising users and you will soon see that JWT attacks are an essential tool in any hackers toolbelt.
To analyze, debug and play with JWT tokens in general, we can write our own very simply JWT encoder and decoder in python (https://pyjwt.readthedocs.io/en/stable/) but it’s still easier to simply use a WebClient and that is where JWT.io comes into play.
A visit to the website shows us an example of JWT. This allows us to see that it’s nothing more than a combination of JSON strings in an encoded form.
The structure is always as follows: “header.body.key”
It all starts with the header which is used to describe what encryption algorithm is being used. Several popular options exist and most of them require a key as well.
The body of a JWT usually describes certain properties of a user, for example, the location of a user which might authorize them to access geo-locked content. This can be anything and usually contains some juicy information we might want to change to test the authorization module.
The last part of the JWT is the key and this is the most important part because if you get this wrong, the server will never accept your JWT but if you are able to get the key and encode the value that is equally a very bad problem.
One very common exploit that is slowly going away thankfully is when the server accepts JWT tokens with the header that indicated the use of no key. This will allow us to easily forge any token we want.
Sometimes, user controlled values end up in a JWT token. This should never ever be the case but since some application abuse JWT tokens for authentication rather than authorization, we can still play with the contents of the JWT by changing the username to something that interrupts the current JWT structure and insert our own. This means we might be able to change values and make ourselves admin or even login as other users if the system is built in a bad way.
i.e.