
Testing, tweaking and cracking JSON Web Tokens (JWT)

What is JSON Web Token?

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
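To make concrete what "verified and trusted because it is digitally signed" means for an HMAC-signed token, the following added example (not from the original post and not jwt_tool code) verifies an HS256 JWT using only the Python standard library. The secret, the sample token, the fixed clock value and the rule that `exp` is mandatory are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Builds the constructed sample token below; the header is fixed to HS256.
    segs = [b64url_encode(json.dumps(o, separators=(",", ":")).encode())
            for o in ({"alg": "HS256", "typ": "JWT"}, payload)]
    mac = hmac.new(secret, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(mac)])

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims of a valid token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("malformed segment") from exc
    # The verifier pins the algorithm; the header's alg never selects one.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    # Assumed policy: exp is mandatory and must lie in the future.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

def rejection_reason(token: str, secret: bytes, now=None):
    # Convenience wrapper: None when the token is accepted, else the reason.
    try:
        verify_hs256(token, secret, now)
        return None
    except ValueError as exc:
        return str(exc)

SECRET, NOW = b"constructed-demo-secret", 1_700_000_000  # constructed sample values
GOOD = sign_hs256({"sub": "alice", "exp": NOW + 300}, SECRET)
print(verify_hs256(GOOD, SECRET, now=NOW))
```

The signature is checked before any claim is read, so a token whose header or payload was edited after signing never reaches the expiry check.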

In this post, we will see how to test, tweak, and try to crack JWTs. There are a few open-source libraries that we can use. One such utility is jwt_tool (https://github.com/ticarpi/jwt_tool), a toolkit for testing, tweaking, and cracking JSON Web Tokens.

This tool is written in Python 3 (version 3.6+).

Its functionality includes:

  • Checking the validity of a token
  • Testing for known exploits:
      • (CVE-2015-2951) The  signature-bypass vulnerability
      • (CVE-2016-10555) The  public key mismatch vulnerability
      • (CVE-2018-0114)  vulnerability
  • Scanning for misconfigurations or known weaknesses
  • Fuzzing claim values to provoke unexpected behaviors
  • Testing the validity of a secret/key file/Public Key/JWKS key
  • Identifying  via a High-speed 
  • Forging new token header and payload contents and creating a new signature with the key or via another attack method
  • Timestamp tampering
  • RSA and ECDSA key generation, and reconstruction (from JWKS files)
  • …and lots more!

You can find the usage instructions in the repository on GitHub.

Happy Coding!!!
