10 ways to exploit JWT (JSON Web Token):

Musab Alharany
7 min read · Jul 14, 2023

In the name of God, the Most Gracious, the Most Merciful

Introduction:

JWT (JSON Web Token) is a compact, URL-safe format for representing claims to be transferred between two parties. JWT is used to securely transmit information between parties as a JSON object, and it is primarily used to authenticate users and secure web applications.

In a typical scenario, after a user logs in to a web application, the server generates a JWT containing the user's identity and other relevant information. This JWT is sent to the client, where it is stored in a cookie or in local storage. The client then includes the JWT in subsequent requests to the server, allowing the server to authenticate the request and authorize access to protected resources.

JWTs consist of three parts:

1- Header: contains information about the type of token and the algorithm used to sign it.

2- Payload: contains the actual claims being made, such as the user’s identity, roles, and permissions.

3- Signature: used to verify the authenticity of the token and ensure that it has not been tampered with.

How to exploit JWT?

First of all, you need to know what data is sent in the JWT (baseline analysis), because the JWT payload includes information about the user, such as their username and role. An attacker may try to tamper with the payload to change the user's role, obtain the highest privileges, or inject malicious data into the token payload.

To check the data in your JWT:

# jwt_tool <JWT_Token>

# jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik11c2FiIEFsaGFyYW55Iiwicm9sZSI6InVzZXIiLCJpYXQiOjE2ODc3MjI4NDl9.X3tG7w5QvFJ5eIetPnG8ECyM4l2E7pBcC_j9iZWY7Qg

To check and modify the data:

https://jwt.io/

Change the user role from user to admin

Then you can try your new JWT token.

The ways are:

1- Crack the token password: the server decides whether a token is genuine or forged from its signature, which is computed over the header and payload with the signing algorithm and the key. If you can crack the password/key, you can send any data to the server and impersonate any user in the system.

This cracking process is performed offline; there is no need to interact with the server.

Simple command to crack JWT password:

# jwt_tool <JWT_Token> -C -d passwordList.txt

# jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik11c2FiIEFsaGFyYW55Iiwicm9sZSI6InVzZXIiLCJpYXQiOjE2ODc3MjI4NDl9.X3tG7w5QvFJ5eIetPnG8ECyM4l2E7pBcC_j9iZWY7Qg -C -d /usr/share/wordlists/rockyou.txt

-C, --crack        crack key for an HMAC-SHA token

-d DICT, --dict DICT    dictionary file for cracking

To see this exploit, you can watch the below video on my YouTube channel:

https://www.youtube.com/watch?v=0xtr8911IDQ

2- Null signature attack: try deleting the signature part, so that your token looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik11c2FiIEFsaGFyYW55Iiwicm9sZSI6InVzZXIiLCJpYXQiOjE2ODc3MjI4NDl9.

Command:

$ jwt_tool <JWT_Token> -X n

3- None attack: try setting the algorithm header field to "none", base64-encode the header, delete the signature part and send the token to the server. If you are lucky, this bypasses the signature check, so you don't need to crack the password.

$ jwt_tool <JWT_Token> -X a

$ jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik11c2FiIEFsaGFyYW55Iiwicm9sZSI6InVzZXIiLCJpYXQiOjE2ODc3MjI4NDl9.X3tG7w5QvFJ5eIetPnG8ECyM4l2E7pBcC_j9iZWY7Qg -X a

4- Blank password: generate the signature with the algorithm and a blank password:

# jwt_tool <JWT_Token> -X b

5- Playbook scan: try manipulating all the contents of the token to scan for common JWT vulnerabilities.
You can automate the test with this command:

# jwt_tool -t http://example.com -rh "Authorization: Bearer <JWT_Token>" -M pb

6- Key confusion attack: if the server uses an asymmetric algorithm such as RS256, the signature is created with the server's private key and verified with the matching public key, so forging a signature normally requires the private key. HS256, by contrast, is symmetric: a single key is used both to sign and to verify the token. If you can discover and obtain the server's RS256 public key and switch the algorithm from RS256 to HS256, there is a chance the server will use the RS256 public key as the HS256 key. You will need to save the captured public key as a file on your attacking machine (you can simulate this attack by taking any public key and saving it as public-key-pem).

Command:

# jwt_tool <JWT_Token> -X k -pk <public-key-pem>

7- Bypass JWT authentication with the X-HTTP-Method-Override header: this header exists so that old web browsers that only support the GET and POST methods can still invoke other HTTP methods (verbs); it is also used to pass any HTTP method to a server that sits behind aggressive firewalls blocking traffic that is not an HTTP GET or POST request.

You can add the header with any HTTP method as its value (POST, PUT, PATCH, DELETE, UPDATE, GET) when invoking a Web API with an HTTP POST call. A delegating handler on the server can then intercept the overridden HTTP method and take the appropriate action.

This trick works in most API penetration tests; it was used to bypass JWT authentication in ESPv2 (CVE-2023-30845):

https://nvd.nist.gov/vuln/detail/CVE-2023-30845

For example:

In this request the endpoint uses the POST method.

Try changing the method to PUT.

We get a 500 status code (Internal Server Error).

Try using the POST method with the X-HTTP-Method-Override header set to 'PUT'.

Although we used the POST method, the server responded with a 500 status code just as it did for the PUT method. This means the server ignored the actual method (POST) and used the method given in the X-HTTP-Method-Override header (PUT).

8- Tampering with token payloads: in the token payload you can replace a normal value with crafted data containing any type of injection payload, such as SQL injection, XSS, SSTI, etc.

9- Token replay attacks: reuse an old token, or use the token after logout or after changing the password or e-mail address. If the JWT is not invalidated or refreshed, the attacker may be able to use it to keep accessing the system as the logged-in user.

10- Token stealing: If an attacker gains access to a user’s JWT token, they can use it to impersonate the user and access the system. This can happen if the token is transmitted over an insecure channel, such as an unencrypted HTTP connection, or if the token is stored insecurely on the client side.

How to Secure JWT:

1. Use an encrypted channel (HTTPS): JWTs are transmitted as HTTP headers or in the request body, so transmitting them over HTTPS ensures that the tokens are encrypted in transit.

2. Use strong keys: JWTs are signed using a secret key, so it’s important to use a strong key that is kept secret and not easily guessable. Consider using a key length of at least 256 bits.

3. Use an asymmetric algorithm and check the algorithm: to prevent key confusion attacks, use asymmetric algorithms rather than symmetric ones, and verify that the token's algorithm is the one you expect.

4. Implement proper token expiration: JWTs should have a limited lifespan to prevent them from being used indefinitely. Consider setting a short token expiration time, and implementing a token refresh mechanism.

5. Implement proper token revocation: If a JWT is compromised or stolen, it’s important to have a mechanism for revoking the token.

6. Implement proper token validation: When receiving a JWT, it’s important to validate the token to ensure that it hasn’t been tampered with or issued by an unauthorized party. This includes checking the token signature, issuer, audience, and expiration.

7. Implement input validation: to prevent token payload tampering attacks, validate the data in the token payload, since it may have been altered to include a malicious payload.

8. Do not include sensitive data in the token: While JWTs can be used to transmit information, it’s important to not include sensitive data in the token itself. Instead, consider transmitting sensitive data over a secure channel or using encryption.

9. Regular security audits and testing: these also help to identify vulnerabilities and address them before attackers can exploit them.
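The checks behind recommendations 3 to 7 above, collected into one small verifier: it pins the algorithm (which refuses the "none" token from way 3 and the RS256-to-HS256 swap from way 6), verifies the signature before trusting any claim (so payload tampering from way 8 fails), and then checks issuer, audience, expiry and a server-side revocation list of token ids (against the replay of way 9). This is an added example written for this article, not the author's code or any library's API; the secret, issuer and audience values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-for-this-example-only-0123456789abcdef"  # constructed; use a random 256-bit key in production
ALLOWED_ALGS = {"HS256"}  # pin the algorithm: "none" and an RS256->HS256 swap are both refused here
ISSUER, AUDIENCE = "https://issuer.example", "demo-api"  # assumed values for this demo

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 token; iss/aud/exp/jti are set server-side, never taken from the client."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, now: float = None, revoked=frozenset()):
    """Return (claims, "ok") or (None, reason); no claim is trusted until every check has passed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h_b64, p_b64, s_b64 = parts
    try:
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:  # bad base64, bad JSON and non-UTF-8 bytes all raise ValueError subclasses
        return None, "malformed"
    if header.get("alg") not in ALLOWED_ALGS:  # defeats the none attack and key confusion
        return None, f"algorithm not allowed: {header.get('alg')!r}"
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time; any payload tampering fails here
        return None, "bad signature"
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None, "wrong issuer or audience"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "expired or no expiry"
    if claims.get("jti") in revoked:  # server-side revocation on logout / password change
        return None, "revoked"
    return claims, "ok"
```

Because the signature is checked before any claim is read, the order of the checks matters as much as their presence: a verifier that reads `role` first and rejects later still has to be written so that nothing acts on the claim in between.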

Summary:

JWT Tools:

Jwt_tool https://github.com/ticarpi/jwt_tool

Jwt-pwn https://github.com/mazen160/jwt-pwn

jwtXploiter https://github.com/DontPanicO/jwtXploiter

Burp Suite extensions:

JWT4B https://portswigger.net/bappstore/f923cbf91698420890354c1d8958fee6

JWT Editor https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd

Follow me:

LinkedIn: https://www.linkedin.com/in/musab-mohammed-alharany/

Twitter: https://twitter.com/3mSecurity

YouTube: https://www.youtube.com/c/3msecurity


Musab Alharany

Information Security Team Leader | certified eWPTX | eMAPT | APIsec | Bug Hunter and CTF player.