Hack JWT using JSON Web Tokens Attacker BurpSuite extensions

Captions
Hello everyone, welcome to the thehackerish YouTube channel, where all the content is about computer hacking designed to make you a better ethical hacker, to this new episode of Burp Suite extensions, where we go through each one of them by popularity. In the previous video we discovered J2EEScan and we found how we can use it to test Java web applications and find things from simple information disclosure to remote code execution. But I assume that you're here because you're interested in JSON Web Tokens; that would be the subject of this video, so let's get started.

So first of all, let's install it. As you can see, it's not installed yet. Scroll down and then hit install. Straight away you should see a new tab which says JSON Web Tokens. For those of you who don't know what JWTs are, well, they are kind of a session, but the cool thing about it is that the backend can verify if it has been tampered with along the way, using what's called signatures. That's JWT in a nutshell. To help you understand more, let's go to the WebGoat web application and then Broken Authentication, and we have a dedicated section for JWT tokens. Click on that and you should have pretty much all what you need to know to get you started. WebGoat is a really great web application if you want to learn web application hacking, and I use it as part of the OWASP Top 10 training series, where you get to discover and understand both the theory and the practicals about the 10 most famous web application vulnerabilities. I highly encourage you to give it a try if you want to get started in web application hacking.

For the purpose of this video we're going to focus on JWT tokens. In the second page on WebGoat you get to understand the structure of a JWT token, and as you can see in this picture, it's comprised of three main elements. The first one is the header, which typically indicates the metadata about this token, like what algorithm is being used for the signature and what is the type of this JWT token. The second part is the claims; there you can find all the things needed to maintain a session with the user, so in this case we have an attribute called username, an expiration timestamp, the scope, maybe the roles of that user, etc. And the last part is the signature, which takes the first part and the second part and then applies whatever algorithm is defined in the header part. Notice that I'm going back and forth between this structure here and the JSON format, and that's because if you take the first header, this JSON object, and base64 encode it, you should see something similar to this, and so on and so forth for the other parts. Typically, when you authenticate yourself to a web application you receive this kind of token, and then you need to send it in all the subsequent requests, much like a cookie, but in this case you have the possibility as a web developer to verify the signature and reject the token if it has been modified.

Now, JWT tokens are known for some classic attacks, so that's why we're going to give this challenge a try. So we have a voting system, right, and if I log in as Jerry I can see the votes, I can vote, but unfortunately I can't delete or reset the votes, and it's clearly mentioned here that only an admin user can reset the votes. So let's see how this feature actually works if we proxy our requests through Burp Suite using FoxyProxy. Again, if you don't know what FoxyProxy is, or what Burp Suite is, or what WebGoat is, or how to configure all of this, make sure you visit the OWASP Top 10 playlist that I mentioned earlier; I'm assuming you already know that. Let's click on this item and let's vote, or maybe try to reset the votes. Well, you can see that straight away in Burp Suite I have some requests. What I'm interested in is how to reset the votes, so as you can see we have this POST request which uses what seems to be a JWT token, and you can easily recognize it from these three parts of base64 encoded data.

So how can we attack this? Well, remember that we've installed JSON Web Tokens, so we can first try to decode this. What we can do is just select this text right here, then right click and then "send selected text to JSON Web Tokens tab" to decode, and right away you can see what this JWT token holds, specifically in the claims part, which contains an interesting attribute called admin, and it's set to false. So I wonder, if we change this to true, what would happen? But remember that JWT tokens are signed, as we know so far. So how can we go about attacking this? JWTs are still valid if they don't contain the signature, and that means that if the backend server doesn't validate the signature, we can just remove it. So let's take it one step at a time. The first thing we need to do is change the algorithm to something that is standardized in JWT which is called none, just to say that I don't need a signature for my JWT token. So let's select once again the JWT token, but this time just the first part, and then send it to the Decoder, which is a tool that simply performs encoding, decoding and hashing operations. So let's decode this; as we know it's base64, and from here what we're gonna do is just change this to none and then re-encode it to base64 and copy it over to our request. Let's first send it to the Repeater and paste it here, just like that. Let's take the second part, the claims, right click, send it to the Decoder, decode as base64. We have some limitations here, so we're just going to manually format this to have valid JSON and then change this to true, encode it as base64, copy it over to our request, paste it, and what we need to do now is just get rid of the signature. So if we cross our fingers and send the request, maybe the backend server doesn't properly handle JWTs and blindly accepts JWT tokens which are not signed. So, drumroll, let's send. And it says that it's not a valid JWT token, please try again. That's odd. Let's just encode it using Command+U to encode the special characters, in this case equals, to be properly handled by the backend. In this case equals would be transformed to %3D. So if we send this we get a congratulations, and if we refresh the page we shall see that the votes have been reset.

So the workflow, as you saw, is just: whenever you see a request which contains a JWT token, automatically you will get a new tab appearing here. That's one of the things that the JSON Web Tokens Burp extension does. So this gives you an idea, a hint, that this request contains a JWT token. If you click on it, you get it decoded without any effort, and furthermore you can copy it and send it to the new tab, which gives you basically the same results. Another thing that JSON Web Tokens does is verify the signature based on the key. If I type something random I immediately get a red button. So behind the scenes what this extension does is calculate the signature based on the algorithm and my secret key. I already know what the secret key is, which is "victory". How did I find it? Well, using white box testing; always look through the code if you have the chance to. But I don't think it's really useful apart from this tab.

There are other, more interesting JWT related extensions, and let's try to find them by name. I think it's JSON Web Token Attacker. If everything goes well we should see that we have a new tab called JOSEPH. If anyone named Joseph is watching this video, hi. So if we redo the same thing once more, let's use user Tom this time and maybe try to trigger a vote reset. Let's see what happens here. So apparently you are starting to see something interesting: this extension, JOSEPH, or JSON Web Token Attacker, automatically highlights whenever a request contains a JWT token. Now if I go to preferences I can instruct JOSEPH to detect whether the request contains a JWT token based on the name of the parameter. In this case, because we had access_token, and the cookie access_token actually contained the JWT token, this extension was able to highlight those requests. On top of that, it uses the same, let's say, feature that the JSON Web Tokens extension provides, which is this tab here, but this time it's spreading the three parts of a JWT token into separate tabs, so we have the header, the payload and the signature. So if we right click on this we see that we can't send it to JOSEPH, which is a bummer, but looking around I found that we can send this request to the Repeater, and from here if we right click we see that this is activated, so now we can send it to JOSEPH. If we click, however, and go, I don't see anything related to my token; the algorithm has been picked up but nothing else. But the cool thing about this extension is you can use built-in attacks like key confusion or signature exclusion. This attack is the same one that we've used to reset the votes. So it used to work like this: you select your attack, you load it and then you click on attack, and this extension would automatically replace the algorithm with none and then send the updated JWT token to the web application, and it records the results, simply. But here I don't see any results, any requests, so I guess the author has to maybe update it. But if I select my JWT token, copy it and use the JOSEPH manual tab, I can input my JSON Web Token here, hit load, and it will give me the attacks that I can perform. If I choose signature exclusion, for example, and hit load, you can see the same attack that we've seen before, which is algorithm none. In this case we have some variations of the word none to bypass any restrictions imposed by the backend. If we choose the first one and hit update, you can see that we have the new JWT token.

Let me give you another tool that we can use to decode JWT tokens, and that's jwt.io. Now, I don't really encourage you to use online tools; never ever paste a production JWT token into a random web page to decode it. That would be risky because you don't know what the application is doing with it. So if I paste it, you can see that indeed the algorithm has been changed to none and we don't have any signature, obviously. The problem, though, is that you need to change this to true, so that makes it a bit impractical from an attacking perspective, but you can still use that to verify if the backend is accepting this token or not in the first place. So if I paste that and send the request, I should have something telling me that the JWT token is not supported, it's not valid, it's corrupted, or something like this, but here I get the same result as before, which means that maybe the web application is not performing signature validation. At this moment I can go further, copy this to the Decoder and do the manual work as we've seen before. Apart from that, you can use JOSEPH to decode a JWT token, much like we saw with JSON Web Tokens. So if I maybe take this one, copy it and paste it here, let's decode; I need to paste it here and then hit decode. You can see that we have the first part, the second part, and the third part is just the signature, which is normal to have these random bytes.

I don't think that I know any other Burp extension which deals with JSON Web Tokens. I would be very happy if you can provide some extensions that you think I should include; I will include them in a future video. Also let me know how you use those extensions and if they are helpful in your web application hacking process. If you found this content helpful, make sure to like, comment and subscribe to this channel so that you get updates whenever I publish a new video on ethical hacking and bug bounty hunting. If you're new to hacking and want to learn the basics, check out the free OWASP Top 10 theory and hands-on training on thehackerish.com and apply your knowledge on the lab which supports it. If you enjoy learning with videos, I invite you to watch the OWASP Top 10 YouTube playlist; however, I encourage you to first try to solve the lab exercises so that you don't spoil them. Don't forget that there are supporting blog posts for most of the videos you watch on this YouTube channel. I also encourage you to subscribe to the Friday newsletter on thehackerish.com to gain some new hacking knowledge at the end of the week. If you enjoy listening while doing other things at the same time, check out the Hack for Fun and Profit podcast, link in the description box. Until next time, stay curious, keep learning and go find some bugs.
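As an added illustration that is not the video's, WebGoat's or either extension's code, here is a minimal Python model of the token check the voting app should have performed: `insecure_verify` behaves like the backend in the video, trusting a header that says `alg: none` and accepting the token with no signature, while `verify` is the hardened version that pins the algorithm server-side and requires the signature. `tamper` builds the same test vector the video assembles by hand in Decoder and Repeater (alg changed to none, admin set to true, signature removed); the secret `victory` is the lesson key named in the video, and all function names are this example's own.

```python
import base64, hashlib, hmac, json
from typing import Optional

ALLOWED_ALGS = {"HS256"}  # server-side allow-list; never taken from the token header
SECRET = b"victory"        # the WebGoat lesson key named in the video, used as sample input only

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token as the voting app would: header.claims.HMAC-SHA256(secret)."""
    body = f"{_part({'alg': 'HS256', 'typ': 'JWT'})}.{_part(claims)}"
    return f"{body}.{b64url_encode(hmac.new(secret, body.encode(), hashlib.sha256).digest())}"

def tamper(token: str, alg: Optional[str] = None, drop_signature: bool = False, **claim_changes) -> str:
    """Constructed test vector reproducing the manual Decoder/Repeater edit from the video:
    change alg, flip claims such as admin, optionally strip the signature."""
    h_b64, c_b64, s_b64 = token.split(".")
    header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(c_b64))
    if alg is not None:
        header["alg"] = alg
    claims.update(claim_changes)
    body = f"{_part(header)}.{_part(claims)}"
    return f"{body}." if drop_signature else f"{body}.{s_b64}"

def insecure_verify(token: str, secret: bytes) -> Optional[dict]:
    """Backend that trusts the header's alg: an unsigned 'none' token is accepted."""
    h_b64, c_b64, s_b64 = token.split(".")
    if str(json.loads(b64url_decode(h_b64)).get("alg", "")).lower() == "none":
        return json.loads(b64url_decode(c_b64))  # attacker-chosen branch, no key involved
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(c_b64)) if hmac.compare_digest(expected, b64url_decode(s_b64)) else None

def verify(token: str, secret: bytes) -> Optional[dict]:
    """Hardened check: fixed algorithm, signature mandatory, constant-time comparison."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:  # "signature exclusion": empty or missing third part
        return None
    h_b64, c_b64, s_b64 = parts
    if json.loads(b64url_decode(h_b64)).get("alg") not in ALLOWED_ALGS:  # exact match: none/None/nOnE all fail
        return None
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(c_b64)) if hmac.compare_digest(expected, b64url_decode(s_b64)) else None
```

The hardened check also rejects a token whose claims were edited but whose original signature was kept, which is the other edit the video makes before dropping the signature altogether.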
Info
Channel: thehackerish
Views: 16,435
Keywords: infosec, cybersecurity, bug bounty, burpsuite, burpsuite extensions, burp suite pro, hacking, web application, appsec, computer security, ethical hacking, pentest, penetration testing, java, JWT, json web token
Id: SuDN35-aefY
Length: 17min 23sec (1043 seconds)
Published: Thu Nov 12 2020