Skip to content

On JSON Web Token (JWT)

This post is my reflection of watching this video “JWT Parkour” and doing a few JWT exercises in Pentesterlab.

How does a JSON Web Token (JWT) looks like?

Base64(Header).Base64(Payload).Signature

As a developer, you will need to select the stronger algorithm for your use case (usually at least HS-256 or RSA-256). And how the signature verification is performed will depend on the algorithm that you have chosen.

Weak key can potentially expose secrets and allows attackers to sign their own token

When using HS-256, remember that the secret in JWT can be cracked if the key is too weak. The developer has to make sure that the key is at least 256 bits to withstand brute force attacks.

https://security.stackexchange.com/questions/95972/what-are-requirements-for-hmac-secret-key

Signature needs to be checked or else signing the {algorithm}.{payload} is pointless

In short, the signature needs to be verified with the algorithm and payload. Try to use the reliable JWT libraries in your language as this is simpler way. If there are no verification, it will bring many issues like privilege escalation if you perform access control in the payload. Or even an Insecure Direct Object Reference (IDOR) because you can change the user id or account name to someone else. Don’t let this happen.

References:
https://www.youtube.com/watch?v=zWVRHK3ykfo
https://jwt.io/
https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/
https://github.com/brendan-rius/c-jwt-cracker/blob/master/main.c
https://github.com/ojensen5115/jwtcrack/blob/master/src/main.rs

Published inWeb Security

Be First to Comment

Leave a Reply

Your email address will not be published.