MAZIN AHMED, 2019FULLHUNT.IO

Practical Approaches forTesting and BreakingJWT Authentication

h t t p s : / / c y b e r w e e k . a e

2

$> WHOAMIv Mazin Ahmed• Freelancing Penetration Tester / InfoSec Specialist

• Founder & CEO @ FullHunt, the next generation vulnerability

intelligence platform

• Ex-Security Engineer @ ProtonMail

• Occasional Bug Bounty Participant

• Top 10 researchers of Bugcrowd @ 2014

• Acknowledged by Facebook, Twitter, Oracle, LinkedIn, and many…

3

{Story}

4

$> AGENDA• What is JWT?• How it Works?• Web Implementations• Attacking JWT• Current Toolsets• Introducing JWT-PWN• Recommendations for Implementing Secure JWT

5

$> WHAT IS JWT?• RFC-7519• Proposed @ May 2015• JSON Object + Digital Signature = JWT

6

$> JWT

[ Base64(HEADER) ] . [ Base64(PAYLOAD) ] . [ Base64(SIGNATURE) ]

7

$> JWTChunk 1: Header{"alg": "HS256", "typ": "JWT"}

Chunk 2: Payload{"sub": "1234567890", "name": "Mazin", "admin": true}

8

$> JWT - SIGNATURE

HMACSHA256(base64UrlEncode(header)+ "." +

base64UrlEncode(payload), KEY)

9

$> JWT

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

10

$> WEB IMPLEMENTATION

11

Attacking JSON Web TokensHack The Planet?Episode: JWT

12

1. Brute-Force Secret Keys

13

2. Signing a new token with the “none” algorithm

14

3. Changing the Signing Algorithm of the Token

15

JWT Testing Tools

16

$> JWT TOOLS: JWT_TOOL• Jwt_tool (https://github.com/ticarpi/jwt_tool)

• Uses linear approach for cracking, still quite fast!• Number of attacks covered.• Custom parsing for Base64 strings, not official JWT libraries.

17

$> JWT TOOLS: C-JWT-CRACKER• C-jwt-cracker (https://github.com/brendan-rius/c-jwt-cracker)

• JWT brute force cracker written in C• Unstable - Buggy libraries

From the project repository:

18

$> JWT TOOLS: JWT-CRACKER• jwt-cracker (https://github.com/lmammino/jwt-cracker)

• Simple HS256 JWT token brute force cracker.• No dictionary attack support.• Only made for HS256.

19

Introducing JWT-PWN

20

$> JWT-PWN• Simple Scripts.• Covering all discussed attacks.• Automated approach.• Using official/main JWT libraries.• Includes a JWT secret-key cracker, with software engineering in

mind.• Beta release!

21

$> JWT-PWN: JWT-DECODER.PY

22

$> JWT-PWN: JWT-ANY-TO-HS256.PY

23

$> JWT-PWN: JWT-MIMICKER.PY

24

$> JWT-PWN: JWT-CRACKER.PY

25

$> JWT-PWN: JWT-CRACKER-GO

26

{Demo}https://www.youtube.com/watch?v=pIOBu-HWGT8

27

JWT-PWNhttps://github.com/mazen160/jwt-pwn

28

$> RECOMMENDATIONS• Always verify the JWT Header.• Always verify the JWT “alg” key in the JWT header.• Never trust the “none” algorithm for signing. • Whitelist the used algorithm, and always verify it.• Rotate your signing keys periodically.• Don’t expose important client-data in JWT; it can be decoded.• Add a claim for “Expiration” to overcome the non-expiration issue in

the stateless protocol.• Key-size matters.

29

Thank you

Mazin AhmedTwitter: @mazen160Website: MazinAhmed.net

30

Questions?

Mazin AhmedTwitter: @mazen160Website: MazinAhmed.net