# JWT tokens attack

### JWT

JWT stands for JSON Web Token. JWTs are commonly used in authentication systems: when a user logs in, they receive a JWT as part of the authentication process. The client sends this token with each subsequent request so the server can establish the user's identity and permissions without the credentials being resent. The server decodes the JWT and verifies its signature to make sure the token has not been tampered with.

### JWT Structure

A JWT consists of three parts, a header, a payload and a signature, separated by dots. For example:

<mark style="color:red;">`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`</mark>`.`<mark style="color:orange;">`eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ`</mark>`.`<mark style="color:yellow;">`SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c`</mark>

The three parts are base64url encoded (base64 with `-` and `_` instead of `+` and `/`, and no `=` padding). The header and payload decode to JSON; the signature decodes to raw bytes. Let's decode the token above for further understanding (using the jwt.io debugger).

**header**: typically consists of two fields: the type of the token (`JWT`) and the signing algorithm in use, such as HMAC-SHA256 (`HS256`) or RSA (`RS256`).

```
{
    "alg": "HS256",
    "typ": "JWT"
}
```

**payload**: contains the claims. Claims are statements about an entity (typically, the user) and additional data.

```
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
```

**signature**: produced by signing the encoded header and payload with the server's key, so that the integrity of the token can be checked and a forged or modified token detected. For `HS256` the server computes:

```
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)
```

Without the secret an attacker cannot produce a valid signature for a modified payload, so everything depends on the server actually recomputing and comparing it.

So, if token validation is not implemented correctly, the payload can be modified without the server noticing. For example, if we change the name from John Doe to User2, keep the old signature, and the application accepts the token and logs us in as User2, then the app is vulnerable to JWT authentication bypass via an unverified signature.

For demonstration I will use the PortSwigger lab, which you can access from this link:

<https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature>

First we log in with the credentials (wiener:peter) as instructed by PortSwigger.

<figure><img src="/files/ISxGc2T4jURAHSN08jBX" alt=""><figcaption><p>Figure 1: log in as the wiener user</p></figcaption></figure>

Reviewing the JWT session token in Burp Suite:

<figure><img src="/files/K2vJ9sT0PQhcNWejbDCC" alt=""><figcaption><p>Figure 2: JWT token</p></figcaption></figure>

Our objective now is to access the admin dashboard at /admin and delete the user carlos.

Accessing /admin as wiener, the application responds with `Admin interface only available if logged in as an administrator`.

So, in order to access /admin we need to be logged in as administrator. Let's decode the JWT token of the wiener user for further understanding.

<figure><img src="/files/27WzrNMmpiqJPjzJWQHZ" alt=""><figcaption><p>Figure 3: decoded JWT token</p></figcaption></figure>

So, let's try to forge the token by changing the `"sub"` claim from wiener to administrator, leaving the original signature segment untouched.

<figure><img src="/files/ijcvQTM4b13tZmavxarH" alt=""><figcaption><p>Figure 4: Token Forgery</p></figcaption></figure>

Then we send a request to /admin, replacing the session token with the forged administrator one.

<figure><img src="/files/OlwMSY2E8OE8jTixf3HQ" alt=""><figcaption><p>Figure 5: forged token request</p></figcaption></figure>

And we are now treated as administrator: the application never verifies the signature, so it has no way to detect that the payload was tampered with. We can now delete the user carlos to complete the lab.
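To make the signature formula above and the forgery step concrete, here is an added Python example (not code from the original post or from PortSwigger). It implements `HS256` signing, a "decode only" check that behaves like the vulnerable lab server, a hardened verifier, and the `sub` rewrite used against the lab. The secret key, the claim values and the function names are assumptions for the example; the lab's real key is never known to the attacker, which is exactly why the forged token has to carry the old signature unchanged.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; the real server key is never known to the attacker.
SECRET = b"example-secret-key"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT uses for all three segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped '=' padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj: dict) -> str:
    """Compact JSON (no spaces) then base64url, as jwt.io and most libraries emit it."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """header.payload.signature with signature = HMACSHA256(header_b64 + "." + payload_b64, secret)."""
    signing_input = encode_json(header) + "." + encode_json(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """What the vulnerable lab server effectively does: read the claims, never look at the signature."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Hardened check: pin the algorithm, recompute the HMAC, compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # also rejects "none" and algorithm-confusion attempts
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


def forge_sub(token: str, new_sub: str) -> str:
    """Attacker step from the walkthrough: rewrite "sub", keep the original signature segment as-is."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["sub"] = new_sub
    return f"{header_b64}.{encode_json(payload)}.{sig_b64}"


def demo() -> dict:
    """Issue a token for wiener, forge it to administrator, run it through both checks."""
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "wiener", "iat": 1516239022}, SECRET)
    forged = forge_sub(token, "administrator")
    return {
        "legit_verified": verify_hs256(token, SECRET),      # accepted: {"sub": "wiener", ...}
        "forged_unverified": decode_unverified(forged),     # vulnerable server sees "administrator"
        "forged_verified": verify_hs256(forged, SECRET),    # hardened server rejects: None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two verifiers differ only in whether the signature is recomputed; `decode_unverified` is the behaviour the lab exploits. In a real review, look for exactly that pattern: a `decode` call on the session token with no key, or a library call with verification explicitly disabled.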

### Conclusion

Security is a critical aspect of any authentication system, and JSON Web Tokens (JWT) have become a common choice for user authentication in web applications. The authentication bypass above shows how little it takes to undo that: a server that decodes the token but never verifies the signature trusts whatever claims the client sends.

A JWT's integrity relies entirely on the cryptographic signature applied when it is issued. If the server skips verification, accepts the `none` algorithm, or lets the signing key leak, the very foundation of trust in the authentication process is gone. Developers and administrators therefore need to verify every token with a well-maintained library, keep those libraries up to date, and diligently safeguard the secret keys used for signing.

Best practices include using strong signing algorithms, pinning the expected algorithm on the server side rather than trusting the `alg` header, managing keys securely, and regularly auditing and testing the token-handling code. Vigilance against these weaknesses and a proactive approach to security will keep JWT-based authentication trustworthy and the user identity it asserts reliable.
