# Pentesting JWT (JSON Web Tokens)

## Basic JWT Information Using JWT\_TOOL

```
python jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0XzQ1MzAiLCJpYXQiOjE3Mjk4ODYxNTR9.cCgbU50zeYpH0cUZ9ioFe9eaHqmXp6b2ffkpTJ5-zAg
```

<figure><img src="/files/lf01GQ9OIDt3rXYsXdnr" alt=""><figcaption></figcaption></figure>

## Cracking JWT-Tokens&#x20;

### JWT-Cracker to Crack JWT Token

```
jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0XzQ1MzAiLCJpYXQiOjE3Mjk4ODYxNTR9.cCgbU50zeYpH0cUZ9ioFe9eaHqmXp6b2ffkpTJ5-zAg -d /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/eWQjQhT92q7hgUjWibNu" alt=""><figcaption></figcaption></figure>

### Hashcat to Crack JWT Tokens

we can use Hashcat on windows and Linux both to crack JWT Token, We just need to provide the hash file and the Wordlist

#### For Windows

you need to go into Hashcat folder to run this.

```
hashcat.exe C:\Users\username\Desktop\hash-file.txt C:\Users\username\Desktop\Shared\Wordlists\rockyou.txt
```

#### For Linux

```
hashcat <hashfile> <Path to Wordlist>
```

## JWT Auth Bypass via weak Signing key

If we are successfully able to crack the secret of the JWT Token then we can modify and sign the JWT token again and craft our attack

For this we can use burpsuite extensions like **JSON Web Tokens** and **JWT Editor** Both works well for this

If we use **Json Web Tokens**

<figure><img src="/files/NfPjxyXBYMpj7qdH2bfO" alt=""><figcaption></figcaption></figure>

If we use **JWT EDITOR KEYS**

you need to add a new symmetric key and specify the secret and generate the key

<figure><img src="/files/J7yVYWP7KOSS40PhiXJH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/F7eUGmbkuTJN0t4DgIAs" alt=""><figcaption></figcaption></figure>

then go into the repeater and go into JSON Web Token and click Sign

<figure><img src="/files/mLwXHIHmsLmxw9dQpIsy" alt=""><figcaption></figcaption></figure>

Click OK and the Send the Request and it will Work.

## JWT Auth Bypass using JWK Header Injection

We can also bypass auth by using public and private key concept in JWT Tokens, to do this we can generate a new RSA Key pair, and we can inject the Public key in the Header of the JWT Token, then we can encrypt the JWT Token with Private key so in this case server will always verify the Token and we can sign the token as we want

To Perform this attack, we can use **JWT Editor Keys** Extension in BurpSuite

1. Generate a new RSA Key

<figure><img src="/files/JkInbSX6FtpMjiONPdJK" alt=""><figcaption></figcaption></figure>

2. Go to Repeater Tab and go into JSON Web Tokens and the click on Attack and Click on Embed JWK

<figure><img src="/files/98BRrcijmt6bBQWn984u" alt=""><figcaption></figcaption></figure>

3. Select the RSA key you created

<figure><img src="/files/RozSw6aKGaJXReXzkDRS" alt=""><figcaption></figcaption></figure>

4. Click OK and the attack is done, now you can Sign the JWT Token. and Perfrom the Attack.

## Algorithm Confusion Attacks in JWT Token

### When Public key is Available on the Web Server (Utilizing JWKS.JSON file)

We can start testing for Algorithm Confusion attacks by simply changing the algorithm of the jwt token into HS256 from RS256

The question is that we need to find the public key, otherwise, this attack will never work, and we will not be able to sign our JWT token&#x20;

Looking below at the image we can see that i want to create a webhook and i am having 403 forbidden, so i can try to do an Algorithm Confusion attack to get a 200 OK response.

<figure><img src="/files/42qh3kEPWk4UtD3MSm9y" alt=""><figcaption><p>Current JWT Token does not allow to create a WebHook</p></figcaption></figure>

<figure><img src="/files/XRwfJRmoCyVMkZ5d390t" alt=""><figcaption><p>We can see the algorithm that is RS256</p></figcaption></figure>

Now the Problem here is that we need to get the **Public key**, now we need to find it on the server by doing different directory Bruteforcing tools, I can use here **Feroxbuster.**

**Luckily I was able to find the Jwks.json file by doing directory Bruteforcing**

```javascript
feroxbuster -u http://webhooks-api-beta.cybermonday.htb/ -W 0,57
```

<figure><img src="/files/Lew72jGzR8TP4k0uJhD2" alt=""><figcaption><p>Found jwks file on the webserver using feroxbuster</p></figcaption></figure>

<figure><img src="/files/hr81E1JhULGoY13ApWL8" alt=""><figcaption><p>Contents of the Jwks.json file which contains the public key</p></figcaption></figure>

Now I need to convert this into a proper format and then sign the JWT token and I will change the user role to admin and let's see whether I can access the **/create/webhook** endpoint or not

for this purpose, i will be using **Python3**

{% code overflow="wrap" %}

```javascript
>>> import base64 //import the module
>>> from Crypto.PublicKey import RSA //import the module
>>> int.from_bytes(base64.b64decode("AQAB"),'big') //get in exponent form
>>> e= int.from_bytes(base64.b64decode("AQAB"),'big') // save in e variable

>>> n= int.from_bytes(base64.urlsafe_b64decode("pvezvAKCOgxwsiyV6PRJfGMul-WBYorwFIWudWKkGejMx3onUSlM8OA3PjmhFNCP_8jJ7WA2gDa8oP3N2J8zFyadnrt2Xe59FdcLXTPxbbfFC0aTGkDIOPZYJ8kR0cly0fiZiZbg4VLswYsh3Sn797IlIYr6Wqfc6ZPn1nsEhOrwO-qSD4Q24FVYeUxsn7pJ0oOWHPD-qtC5q3BR2M_SxBrxXh9vqcNBB3ZRRA0H0FDdV6Lp_8wJY7RB8eMREgSe48r3k7GlEcCLwbsyCyhngysgHsq6yJYM82BL7V8Qln42yij1BM7fCu19M1EZwR5eJ2Hg31ZsK5uShbITbRh16w=="),'big') //get in exponent form and save in variable n 

>>> RSA.construct((n,e))
RsaKey(n=21077705076198164110050345996612932810772518568443539050967722091376715840724373912088648727462840166356037836008797866810613752598694921174993091914759002593675145922598909469318911554819111261819241455997350276504601809923734199273292278943649872262588721789631926559440043091439126662856921713786579174831565901935033306650397146382742890508658151492282389201858268597532677527914866223650606412599907677018538379813464063685144477862245532615744296358390508702719361603975980307523385389095548127340792700450704825980888363887958403440479605178094454574416540689804276427673977731782835533403716740628865097430507, e=65537) // make a public key

key =RSA.construct((n,e)) // save the public key in key variable

print(key.exportKey().decode()) // print the public key



```

{% endcode %}

<figure><img src="/files/WGWljMXODtW2ipSLvDnB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/exANFJrz1s51QnJTzjwi" alt=""><figcaption></figcaption></figure>

**I will base64 encode this public key** by saving it into a file

```javascript
 base64 public-key -w 0
```

<figure><img src="/files/Ale86bws1BciIsEof2ug" alt=""><figcaption></figcaption></figure>

now I can use this public key to sign the JWT Token and then and then I can change the account role in <https://jwt.io/> and hopefully I will be able to access the webhook page.

<figure><img src="/files/qgpcUkMnN92HWoz8coXA" alt=""><figcaption></figcaption></figure>

Finally, it worked I am not getting 403 error anymore which means I have successfully done an Algorithm Confusion attack.

<figure><img src="/files/QE16djEiWoRDuIjFI4uR" alt=""><figcaption><p>Successfully completed the algoritm confusion attack </p></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.programmersecurity.com/web-pentesting-stuff/pentesting-port-80-443/pentesting-jwt-json-web-tokens.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.