Home
This wiki is a project to document the known attacks and potential security vulnerabilities and misconfigurations you may come across when testing JSON Web Tokens, and to provide a repeatable methodology for attacking them.
The known attacks described are all practical and can be attempted with relative ease with available tools. Guidance is also provided for diving deeper into token claim fuzzing and likely extensions to existing attacks.
Enjoy!
DISCLAIMER(S):
This is a document conveying information on a practical, repeatable and effective approach for performing AUTHORISED SECURITY TESTING. If you use this guide to test JSON Web Tokens used by services you do not OWN, or have EXPLICIT PERMISSION to test, then you may be BREAKING THE LAW. Don't do it!
This guide is provided as-is. To the best of my knowledge it is accurate and has proven safe to follow in my personal experience, HOWEVER there is no accounting for the many weird ways people can incorporate JWTs into their apps, therefore do expect at some point these attacks to do untold damage to data, services, hardware, etc.
- JWT Primer
- Attack Methodology
- Vulnerable 'Claims'
- Known Exploits
- Finding Public Keys
- Tampering and Fuzzing
- Stealing JWTs
- Using jwt_tool
I wrote jwt_tool in order to make it practical to exploit JWT attacks by reading, tampering and signing tokens to use in web requests against a target service.
This wiki gives instructions on using jwt_tool to perform these attacks, but if you want to just learn the attacks and exploit them with your own tools then feel free :)
JSON Web Tokens can be a fascinating avenue for pentesters as they are not only the keys to give you untold access, but have also been seen to harbour routes to: Privilege Escalation, Information Disclosure, XSS, SQLi, SSRF, RCE, LFI
...and probably more besides!
The process for attacking tokens will clearly depend on the circumstances of the JWT configuration and implementation you are testing, but the above menu should help you navigate about and find methods to try out.
Or just jump straight to the Attack Methodology if you feel so inclined!
This is a guide to testing JWTs - the open standard for JSON Web Tokens RFC 7519. The topic of JWTs has many sub-categories and dependencies covering encryption, signatures, key storage formats and more.
Currently this wiki focuses on JWT as distinct from JWS, JWA or JWE, however more content on those subjects will be added in the coming weeks and months.
Some coverage of JWK/JWKS and other crossover areas had been included as they are highly relevant to some known vulnerabilities in JWT libraries.
As this guide is targeted at testers its structure may not be practical for developers to use it as a defensive guide, although various sections should prove very useful.
There are great best-practice advisories for JWT usage on other sites, however the basic principles are:
- Restrict accepted algorithms to the ONE you want to use
- Verify all tokens before processing the payload data
- Restrict URLs of any JWKS/X509 certificates
- Use the strongest signing process you can afford the CPU time for
- Use asymmetric keys if the tokens are used across more than one server
- Use strong keys/secrets
- Use the latest version of whichever JWT library you have chosen
- Always regularly patch your JWT libraries
