AppSec Tales VIII | JWT - Pentestmag

AppSec Tales VIII | JWT

AppSec Tales VIII | JWT

by Karol Mazurek


Application Security Testing of the JWT guidelines.

INTRODUCTION

This is the eighth article in the AppSec series, which describes how to test the JSON Web Tokens. The advice in this article is based on:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • NIST recommendations
  • Bug bounty reports
  • Portswigger Academy
  • Own experience.

I will provide a short test sample, a potential impact or an attack scenario, and a possible solution to the problem at each point.

TOOLING

Before starting work, download and always update the tools.

BURP SUITE

Upgrade Burp Suite with the following extensions:

Source: https://github.com/portswigger/json-web-tokens
Source: https://github.com/portswigger/json-web-token-attacker
Source: https://github.com/portswigger/jwt-editor

At the moment, the JWT heartbreaker extension is not in Bapp Store.
You have to download it from the link and manually add it:

Source: Own study — Adding JWT heartbreaker manually to the Burp Suite extensions.

Additionally, you can use your own URLs for wordlists to use by the JWT heartbreaker automatic scanning (cracking):

Source: Own study —Adding additional wordlists to use by the JWT heartbreaker automatic scan.

JWT_TOOL

Download The JSON Web Token Toolkit v2 and install its dependencies:

git clone https://github.com/ticarpi/jwt_tool
python3 -m pip install termcolor cprint pycryptodomex requests
Source: https://github.com/ticarpi/jwt_tool#the-json-web-token-toolkit-v2

Run the tool once and configure the Collaborator inside the jwtconf.ini :

python3 jwt_tool.py
vi "$HOME/.jwt_tool/jwtconf.ini"
Source: Own study — adding a custom HTTP listener for the JWT_TOOL.

WORDLIST

Download the below wordlist, it will be used for brute-forcing signing key:

DOCKER IMAGE — portswigger/sig2n

The simplified version of the rsa_sig2n tool used for deriving the key from a pair of existing JWTs.

docker pull portswigger/sig2n

GUIDELINES

I. INFORMATION LEAK

Review the JWT payload for sensitive data.

  • The risk results from the information that is sent.
  • The sensitive information can facilitate the attacker gaining access to forbidden places in the application.
Source: Own study — Checking information leak inside the JWT payload using JWT4B.

The sensitive data should be encrypted.
Base64 encoding used in JWT is not a form of data encryption.

II. BRUTEFORCIBLE SECRET

Brute-force the signing key [HS256, HS384, HS512].

  • The attacker can forge his own JWT tokens and sign the data using the cracked secret.
Source: Own study — Cracking JWT secret using hashcat.
Source: Own study — Example of three attack methods for cracking JWT.
Source: Own study — The result of the JWT heartbreaker automatic scan using publicly disclosed secrets.
Source: Own study — Generating a new Symmetric key for signing the token (4-base64 encoded secret).
Source: Own study — Tampering and signing the token.

Secret should be never disclosed in any public source and generated using Cryptographically Secure Pseudo-Random Number Generators.

III. MISCONFIGURED SIGNATURE VERIFICATION — MANUAL

Check the JWT signature validation manually.

  • The attacker can forge JWT tokens.

Although the JWT_TOOL will thoroughly test the SIGNATURE VERIFICATION, it is important to manually check the errors disclosed by the applications.

Source: Own study — Checking the misconfigured signature verification manually.
MAYCAQACAQA

Verify the JWT signature before its decoding.

IV. MISCONFIGURED SIGNATURE VERIFICATION — AUTOMATIC

Check the JWT signature validation using JWT_TOOL.

  • The attacker can forge his own JWT tokens.
Source: Own study — Checking the misconfigured signature verification automatically.

Verify the JWT signature before its decoding.

V. BROKEN TOKEN INVALIDATION

Reuse the expired token.

  • If the attacker somehow leaks the token, he can gain access to the application unauthorized.
Source: Own study — Testing the broken token invalidation.
Source: Own study —JWT_TOOL all scan also informs you when the token will expire.

Always set an expiration date for any tokens that you issue.
Expired tokens should not be accepted by the API.

VI. RS–2-HS ALGORITHM CONFUSION ATTACK

Swap the algorithm from RS to HS and use a valid public key for signing.

  • The attacker can forge his own JWT tokens if he has access to the public key from the Application.
Source: Own study — Changing asymmetric algorithm to symmetric and signing the JWT with a valid public key.
Source: Own study — Copying the public key from the disclosed JWK Set.
Source: Own study — Converting the key to PEM format (3 — paste the key from disclosed JWK Set).
Source: Own study —Creating a new Symmetric key, which can be used for the algorithm confusion attack.
Source: Own study — Extracting the public key from two JWTs and creating a valid public key for signing.

Source: PortSwigger Academy lab — JWT authentication bypass via algorithm confusion with no exposed key.
Source: Own study — Generating new Symmetric key using the brute-forced value.

Validate the “alg” value.
Do not accept algorithms other than RS while using it.

VII. KID ARBITRARY FILE VERIFICATION

Use arbitrary file in place of kid value.

  • The attacker can forge JWT tokens.
Source: Own study — Exploiting the kid header path traversal.
Source: Own study — Generating a new symmetric key with JWT Editor Keys.
Source: Own study — Tampering the JWT payload and signing it with a generated key.

Ensure only properly formed data is entering the workflow.

VIII. JWK HEADER INJECTION

Inject self-signed JWT via the JWK parameter.

  • The attacker can forge JWT tokens.
Source: Own study — Generating new RSA Key.

Source: Own study — Embedded JWK attack using Burp Suite Json Web Token request tab.

Do not accept arbitrary parameters in the JWT header.
Do not accept arbitrary values for parameters in the JWT header.

IX. JKU HEADER INJECTION

Inject self-signed JWT via the JKU parameter.

  • The attacker can forge JWT tokens.

Source: Own study — Testing JKU header injection (jku_attack.json).

Source: Own study — Testing JKU header injection.

Enforce a strict whitelist of permitted hosts for the jku header.

X. X5U HEADER INJECTION

Inject self-signed JWT via the X5U parameter.

  • The attacker can forge JWT tokens.
openssl req -newkey rsa:2048 -nodes -keyout private.pem -x509 -days 365 -out x5u_attack.crt -subj "/C=PL/L=WARSAW/O=AFINE/CN=KARMAZ95"
Source: Own study — Exploiting X5U header injection JWT.IO

XI. CTY HEADER INJECTION — JAVA DESERIALIZATION

Inject the CTY parameter in the JWT header, and JAVA serialized payload.

  • The attacker could gain remote command execution.
Source: Own study — Testing CTY header injection with JAVA deserialization payload.

Do not accept arbitrary parameters in the JWT header.
Do not accept arbitrary values for parameters in the JWT header.

XII. CTY HEADER INJECTION — XXE

Inject the CTY parameter in the JWT header and XXE payloads.

  • An attacker could gain remote code execution, read server files or conduct a Denial of a Service attack.
XXE PAYLOAD WORDLIST 1PortSwigger
XXE PAYLOAD WORDLIST 2Payload All The Things
Source: Own study — Testing CTY header injection with XXE payloads.

Do not accept arbitrary parameters in the JWT header.
Do not accept arbitrary values for parameters in the JWT header.

XIII. CLIENT-SIDE JWT GENERATION

Check where the token is created in your proxy’s request history.

  • If the JWT was first seen coming from the client side, the attacker could find the secret key in the client-side code and forge tokens.
Source: Own study — JWT added by the cline-side code during singing.

JWT should be created on the server-side.

XIV. JWT OVER AN UNENCRYPTED CHANNEL

Check if data is transferred via HTTP or as a parameter in the URL.

  • Sensitive data may be logged by the browser, the web server, and forward or reverse proxy servers between the two endpoints.
  • It could also be displayed on-screen, bookmarked, or emailed around by users.
  • When any off-site links are followed, they may be disclosed to third parties via the Referer header.
Source: Own study — Example of JWT token transmitted in the path using HTTP.

Avoid sending tokens in URL parameters where possible.
Use encrypted channels.

XV. WEAK JWT SIGNATURE ENTROPY

Check the entropy of the JWT signature.

  • The attacker could exploit the signature crypto issues, allowing forging JWTs with his own payload.
Source: Own study — Testing the entropy of JWT signatures.
You can use SID_collector.py template to automate this task.
Source: Own study — Loading all tokens from the file into Burp Sequencer.

Do not use custom crypto.
The option with the best security and performance is EdDSA.
Alternatively ES256 (ECDSA) using P-256 and SHA-256.
The option supported by most technology stacks is RS256.
Using symmetric keys is not recommended.

XVI. FUZZING JWT

Conduct the input validation testing in all JWT fields.

  • The impact depends on the type of vulnerability detected.
  • It can be a critical vulnerability of the type of SQLi, or Remote Code Execution, but also low, such as HTML injections.
  • It all depends on the vulnerability type and the context.
payloads.txt - comprehensive wordlist for fuzzing.

Some payloads send the ICMP packets or TCP packets on port 80 when the payloads are triggered (if the potential vulnerabilities were found).

You need to start two listeners on your VPS to make them work:

Source: Own study — Starting the ICMP sniffer.
Source: Own study — Starting the HTTP server on port 80.

Replace vps_ip — with the IP address of your VPS:

sed -i "s/vps_ip/IPADDRESS/g" payloads.txt

Replace domain_collab — with Burp Collaborator:

sed -i "s/domain_collab/YOUR_COLLAB/g" payloads.txt
]Source: Own study — JWT fuzzing guide.
Source: Own study — Encoded payload injected in a JWT HEADER | PAYLOAD | SIGNATURE using Intruder.

Check the Input Validation Cheat Sheet from OWASP.
Make sure that you are not vulnerable to any input flaws via any JWT part.

FINAL WORDS

Testing any element of a Web Application is like sailing the open ocean.
Treat the WSTG like the compass and the ASVS like azimuth.

However, do not forget that someone had to invent it. Therefore you always have to look for new ways that you will not find in the WSTG or here, but you have to find them yourself.

Nevertheless, I hope you will find this article useful and keep coming back to it. I also encourage you to comment if you have an idea for a point for this article or if you find any bugs here ;]


Originally posted at: https://karol-mazurek95.medium.com/appsec-tales-viii-jwt-7e28b8fc0dd2

October 3, 2022
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013