JWT

JSON Web Tokens (JWT) are a way to authenticate users. They are encoded strings that contain the user’s information. The server can decode the JWT and use the information to authenticate the user.

They are encoded in base64 in the following format:

header.payload.signature

Where:

• JWT tempering

  JWTs are a way to authenticate users. They are encoded strings that contain the user’s information. The server can decode the JWT and use the information to authenticate the user.

  jwt_tools can help with modifying the JWTs. They also document common vulnerabilities in JWTs in their wiki page

  python jwt_tool.py <jwt>        # Inspect the JWT
  python jwt_tool.py -T <jwt>     # Modify (temper) the JWT
  python jwt_tool.py -C -d <jwt>  # Crack the JWT's signature

• Both asymetic and symetric algorithms (RS256 to HS256 confusion)

  When both an asymetric (RS256) and a symetric (HS256) algorithm are accepted by the server and verified with the same key material, you can forge tokens with only the public key. Change the header to alg: HS256 and compute the HMAC signature using the RSA public key as the HMAC secret: the server verifies the HS256 signature with that same public key (which you know), so any payload is accepted.

  The catch is that the HMAC secret must be the exact bytes the server derives from the public key, and implementations differ. Some use the full PEM (including the -----BEGIN PUBLIC KEY----- lines and the trailing newline), others strip the header and footer lines and join the base64 body (for example pubkey.split('\n').slice(1, -2).join('')). Reproduce that derivation byte for byte, otherwise the signature will not match.

  jwt_tool automates this with -X k (key confusion) given the public key file.

• Public Key recovery - GitHub

  When a JWT is signed using an asymetric algorithm, the public key can be recovered using the JWT’s signature.