Pentesting JWT: It is essential to understand


 What is JWT ?

JWT stands for JSON Web Token, an open standard designed for securely sharing information between a client and a server. Each JWT consists of encoded JSON objects that contain a set of claims. These tokens are signed using a cryptographic algorithm to ensure the integrity of the claims, preventing any alterations after the token has been issued.

Know more about Pentesting JWT

Structure of JWT?

JWT Token consists of : HEADER, PAYLOAD, SIGNATURE

HEADER: The Header consists of “Type” and “algorithm” TYPE denotes the token which is “JWT” and the signing algorithm being used, such as HMAC SHA256 or RSA

PAYLOAD: The payload consists of claims (claims are statements).

The types of claims are as follows:-

Registered: Registered claims are predefined and recommended for use, though they are not mandatory. These claims help provide a set of useful and interoperable information. Examples include iss (issuer), exp (expiration time), sub (subject), and aud (audience).

Public: Public claims are custom claims meant for public consumption and should be collision-resistant. These claims may include generic information, such as the user’s name and email address.

Private: These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.

Protect Your Business with Cutting-Edge Cybersecurity Services — Safeguard Your Data 24/7!

SIGNATURE: The Signature of a JWT contains its cryptographic signature, composed of the base64 URL-encoded header and payload segments.

Pen-testing JWT (JSON WEB TOKENS)

Algorithm to None : As JWT supports none algorithm. An attacker can tamper the alg with ‘none’ and login as a legitimate user.

STEPS : Acquire the JWT Token and change the alg to none.

{

“alg” : “none”,

“typ” : “JWT”

}

{

“user” : “Admin”

}

Mitigation :It’s possible to acquire a JWT token and alter the algorithm to none. However, using the none algorithm is highly discouraged in production environments.

RS256 to HS256 : When an application utilizes the RS256 algorithm, it uses a private key for signing the token and a public key for verifying it. An attacker might exploit this by creating an HS256 token and signing it with the public key.

STEPS : It’s possible to acquire a JWT token and alter the algorithm to none. However, using the none algorithm is highly discouraged in production environments.

openssl s_client -connect target.com:443 2>&1 < /dev/null | sed -n ‘/ — –BEGIN/,/ — –END/p’ > certificatechain.pem

openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem

Now we can create the own HS256 Token by using JOSEPH Burp extension.

Mitigation : It’s advisable not to trust HS256 when RS256 is used.

No Signature Verification : In some cases, an application may fail to validate the signature of a JWT. This vulnerability allows an attacker to bypass the security mechanisms.

STEPS : An attacker can get into victims account by removing the signature part from the JWT Token

{

“alg” : “HS256”,

“typ” : “JWT”

}

{

“user” : “Admin”

}

Mitigation : It is recommended to validate the signature.

How to prevent JWT attacks ?

Use strong encryption for the payload : To protect the payload, it is recommended to use strong encryption algorithms, such as AES or RSA. This ensures that even if an attacker intercepts the JWT, they cannot read the payload without the appropriate encryption key.

Use secure signature algorithms : Using secure signature algorithms, such as RSA or ECDSA, is crucial in ensuring the integrity and authenticity of the JWT. It is also important to use a strong secret key to prevent brute force attacks on the signature.

Implement proper token management : Proper token management is essential for preventing JWT-related security issues. Tokens should be securely stored, regularly refreshed, and revoked when necessary to prevent unauthorized access. For instance, tokens should be revoked if a user logs out, changes their password, or if there is a suspected security breach.

Validate the JWT on the server-side : It is important to validate the JWT on the server-side to prevent tampering with the payload. This can be achieved by checking the signature, expiration time, and other relevant information before granting access to sensitive information.

Comments

Post a Comment

Popular posts from this blog

Clickjacking Attack Explained: Prevention, Examples, and Proven Fixes-

Image
  Clickjacking: Understanding the Threat and How to Prevent It Clickjacking, also called UI redressing, is a type of web security threat that exploits user trust by tricking them into clicking on a hidden or disguised website element. While it may sound minor, the reality is far more dangerous. Clickjacking can lead to serious consequences such as data theft, unauthorized financial transactions, and even system compromise. What Is Clickjacking? Clickjacking is a malicious technique where an attacker manipulates a user into clicking on a hidden or misleading element on a website. The term “clickjacking” is a combination of “click” and “hijacking,” accurately describing how the attacker takes control of a user’s actions without their knowledge. By overlaying an invisible or disguised button over a legitimate one, users may think they are performing a safe action but are triggering something harmful, like sharing sensitive data or performing unauthorized tasks. This kind of ...
Read more

CVE 2024 11477: Critical 7-Zip Exploit Revealed

Image
  What is CVE-2024- 11477? CVE-2024-11477 is a recently identified security vulnerability in 7-Zip, the renowned file compression utility celebrated for its compatibility with diverse file formats like ZIP, RAR, and TAR. This vulnerability exposes users to potential remote attacks, where malicious actors can exploit specially crafted archive files to execute arbitrary code, severely compromising affected systems. With a CVSS score of 7.8, CVE-2024-11477 underscores the seriousness of this flaw and its potential to disrupt millions of users worldwide. This blog explores the vulnerability, the affected platforms, the risks it poses, and actionable steps to mitigate it.     Learn about Cybersecurity Services by Bornsec for comprehensive protection against vulnerabilities.     How CVE-2024-11477 Impacts Users CVE-2024-11477 directly impacts 7-Zip users across a wide range of ...
Read more

AI Cybersecurity Threats 2024 | Dark Side of Technology

Image
  Artificial Intelligence (AI) has revolutionized various sectors, and cybersecurity is no exception. However, while AI brings advanced solutions to combat cyber threats, it also arms malicious actors with sophisticated tools to exploit vulnerabilities. This blog delves into the emerging AI cybersecurity threats, real-world examples, and effective countermeasures to navigate these challenges in 2024. Visit https://bornsec.com/ai-cybersecurity-threats-2024/ to discover more. The Dual Role of AI in Cybersecurity AI in Cyber Security is a double-edged sword. On one side, AI-powered tools like predictive analytics, anomaly detection, and automated threat mitigation enhance security defenses. On the other, the misuse of AI by cybercriminals is leading to new generative AI security risks and attack methodologies that are challenging to counter. Protect Your Business with AI-Driven Cybersecurity Solutions at  Bornsec. 1. AI-Powered Cyber Attacks: Examples and R...
Read more