JWT Hacking 101

Brute Force Secret

这个容易被忽略。建议用强大的CPU爆破。

None Algorithm

将alg从HS256改为none.
可使用json-web-tokens

RSA vs HMAC

JWT支持以下alg

“alg” Param Value  Digital Signature or MAC Algorithm  Implementation Requirements 
HS256 HMAC using SHA-256 Required
HS384 HMAC using SHA-384 Optional
HS512 HMAC using SHA-512 Optional
RS256 RSASSA-PKCS1-v1_5 using SHA-256 Recommended
RS384 RSASSA-PKCS1-v1_5 using SHA-384 Optional
RS512 RSASSA-PKCS1-v1_5 using SHA-512 Optional
ES256 ECDSA using P-256 and SHA-256 Recommended
ES384 ECDSA using P-384 and SHA-384 Optional
ES512 ECDSA using P-521 and SHA-512 Optional
PS256 RSASSA-PSS using SHA-256 and MGF1 with SHA-256 Optional
PS384 RSASSA-PSS using SHA-384 and MGF1 with SHA-384 Optional
PS512 RSASSA-PSS using SHA-512 and MGF1 with SHA-512 Optional
none No digital signature or MAC performed Required

In an RSA algorithm implementation of JWTs, private keys are typically used by the server to sign the payload, and clients can verify the JWT using the public key.


...
If a server’s code is expecting a token with “alg” set to RSA, but receives a token with “alg” is set to HMAC, it may inadvertently use the public key as the HMAC symmetric key when verifying the signature.

由于public key很多时候都是对外可知, 于是我们就可以用已知的public key sign 我们想要的payload.

json-web-token-attacker 可以帮到你。

至于如何获得public key, 可以看看它的certificate, 或者mobile app有无包含。

openssl s_client -connect target-server.com:443 | openssl x509 -pubkey -noout

Open Redirect

看看能否控制user authenticate之后的redirect URL, 会否把JWT给泄漏了。

Harded Coded HMAC Keys

看看JWT是在client side构造,还是从服务器中返回。

Ref

JWT Hacking 101 - TrustFoundry

Show Comments