JSON Web Token (JWT)
JSON Web Tokens (JWT) represent signed data. They are commonly used for authentication and authorization.
The format is: <algo>.<data>.<signature>
Each part is base64url encoded, so the whole string is URL-safe while remaining trivially decodable: the header and payload are only signed, not encrypted.
The data is signed using a secret key. If the secret key is compromised, anyone holding it can sign arbitrary tokens.
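As an added example (not code from the page or from jwt_tool), the following standard-library Python builds and verifies an HS256 token in the three-part format above and shows the defensive side of the "algo=none" attack listed further down: the server pins the algorithm instead of trusting the header, and compares the signature in constant time. The secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"example-hs256-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    # JWT uses the URL-safe base64 alphabet with padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(part: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build <header>.<payload>.<signature> with an HMAC-SHA256 signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the token carries a valid HS256 signature.

    The algorithm is pinned server-side rather than read from the header, so a
    token whose header says "none" (signature ignored) or names any other
    algorithm is rejected before the signature is even considered.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, or invalid JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be refined byte by byte.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(body_b64))
    except ValueError:
        return None

if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "admin": False}, SECRET)
    print(token)
    print(verify_hs256(token, SECRET))           # the payload comes back
    print(verify_hs256(token, b"wrong-secret"))  # None
```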
They can be transferred and found in:
- Headers (Authorization: Bearer <JWT>)
- Cookies
- URL parameters
- Request body
- ...
To play around with a JWT cookie, you can use jwt.io.
You can also use jwt_tool (4.7k stars on GitHub):
$ cd /opt
$ sudo git clone https://github.com/ticarpi/jwt_tool
$ cd jwt_tool && pip3 install -r requirements.txt
$ sudo chmod +x /opt/jwt_tool/jwt_tool.py
$ sudo ln -s /opt/jwt_tool/jwt_tool.py /usr/bin/jwt_tool
$ jwt_tool -h
Common usages:
$ jwt_tool 'jwt' # decode
$ jwt_tool 'jwt' -T # tamper: edit claims and re-encode
$ jwt_tool 'jwt' -T -X a # attack 'algo=none'
$ jwt_tool 'jwt' -T -X i # attack 'jwk header injection'
$ jwt_tool 'jwt' -T -p "key" # use secret key
$ jwt_tool 'jwt' -C -d /tmp/jwt.secrets.list # crack key
A common handy wordlist is jwt-secrets.
To-do
Stuff that I found, but never read/used yet.
- PortSwigger JWT
- hashcat -a 0 -m 16500
- Attack algo=none means the signature is ignored.
- JWT, (Bearer, encrypted token), modern alternative to (apache) HTTP basic auth? (from=35). HTB/170. RFC.