From 5c3e3724ef6e6e5cf1a4fee55727395b3b5097c9 Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 17 Feb 2021 13:15:29 +0000 Subject: [PATCH] GitBook: [master] one page and one asset modified --- .gitbook/assets/image (435).png | Bin 0 -> 6846 bytes pentesting-web/hacking-jwt-json-web-tokens.md | 20 +++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 .gitbook/assets/image (435).png 
diff --git a/.gitbook/assets/image (435).png b/.gitbook/assets/image (435).png new file mode 100644 index 0000000000000000000000000000000000000000..b952432413bf245cd33c09d7a62cc8b915397886 GIT binary patch literal 6846 zcmX|mc|26#|9{zyHCrPz6xl-*lE%KT$$Km@mMkSZNtk&{cA>1Su^FGh>CfisUbAir*PMtc%Wolw@>(nVm z9KC&xjfH;vx=Wp-x8qF>bZFGj-*iN_5AJf{^&D$3^QUd67k$J~!KoNLIASeg(PO+c{_K9ra#c zIFI0w=^qwR-)RdDynR=)>CxT=HVN^kWyQSFmTW*GFGXDf{0DGVpeRWkW7R0er~AFp zt=w`Todoq9kBs`Rr)AYiN3g8};~7A(1@T!ch1Y`j3GD(C^z7d^a<>`)!Qs*yF*Bl7 zUz+sU0LN1yuU<4B|5h6GVei25Ke1--C}F_g#b{d1cdO)J7&1pZ&;sf`=i#X?$ex?X zr`vG!rcaBi-hAiIO$izKQ;`Zk+^O>UJZv3Ez9;((nLY0#DOtSH4*!2zMWNIl543|q zPy7X@77iV5dQbM+z7X8sHh@0*-$kJzA@|gfe{cME=yQ^VVdOm?V`nJy-2KyvjveM~ zzNh=$(W{+>9@sev%oW3S-~1?>usd1!o!6$wrLR5Xh$20KCP1N3|K?U7O1hOcx7YXp z4*CWtzLZU&sKnS>eI+_{M9SKnzqQOBO{@nN-5zxCnsmUCZQirX6mE6?>p~w<0b67xcCEd&d(^R_x za-tz$yMqqpljD6r95h~y`C=C>2>}6>0N4KAac&qfi?#`pWj z=AKSyR!Lv8YV?O01c;VyDwvCKjVno%wa8w-nU~ZnkYKFtD)I_a9Q~LY|DnEN#qMFY zCqB1(qNa1Ap08_HIs3f=<>ELdYq{!K9YxbtA#F|)m94aO>+oq$dK%o$Hx6q(m0>8E3T3xW(d9OEO zo^SSe>gtMl$F0&;RpNn*BDgtP_0ta*g72o42N=0|TmCw1*@HhnGIBg9e|lhn^2sl6 zPIUhx9gmw6ZAsFl4GJ5T$XdYHd__F*U&PNO%chl}dQZ4=mnsrGuT&~u$@PxD5RkdG zRrY58&G40hUdzQQdFz>8toOTHP`d{Jwg3tlf>y?fdWOfBCLT;(Evgz zH{rQb=%MDdvZa-@4__qaeXf=lz1or-sU<<;IMD*9L+$br@|PioeTwn;a28WG6RED5 znkNT(Wuwj`)g+tF$adQvc9R0QO!)Rw-YI0|Pf9mh`cn*R7rvl#1A3gw%j{$520akQ zS*G`X;0qlS5ZYxA6Eg#EcR&P+s z{DE(@QFQyPq)@5Zq4gC}(&Eu%-NTrc9l+@1TiG*60iX_#2ygy#Chqq#xUH7g1qRl1 zKc*-XvN9<8`dxy|>k`H|d8CI1dZ*W>W)jZWXJO&~pjX& zC~g!iN@R$NV4`48k;3X;rRCy9DDUiY)V!b8&vQA@zjuqm!+*GLs}6?8Cqq@H zctSa$HbEt9Tg1-|Q!clI&a;0M4T>|~JPR^c2R{TKDP28Q=4=g;&OctlpH3gJkMD72 z5UT<^IS@@f;c ztL0-9M&N$@gj^?2xYjo=wFCFI%~dguytlKpRO0zL1YYL|Bw}DeJE6D1-7tPK*P&9} zaZL+y!H{|Vb$7dHSFCAlvS5z0t?Ovevf&_;37bRw9I>GBZZE1P^Qh|LA3*XE5aMs| zzNOGrE&>{@F`%jSwU2=gAj=%AUea;pt^_Va_GZ-9a6-oFt=Ap;30Sm@w2LSQeO>(Cd-cm=>^}CWz%=(I+l22CObHcx zT~}Oaj);vyB+@nr!T;vWCBo|rrH(Q6{w2NH(otv_Ay5*|MmD=JM^T=mXmb`&WUDAD 
zg%rg&B-46E!Er$%#nfl1_wGDqF|X(_d(>R%OgKzOsN{<-8c>bL`y|6xLKZQj;B;;K zr06xf*;X=AizxiDZ#OFgRdh=fQ_I`b%O?*j`A}R`Dc&M%HUDd7@|S=7PB=~^T~?vq zG|dQ1co;Qz2g1IU#j^dhEZVU%Qexb}NT){Q62-LYY#1fEu7EelgDo4uTng@n3GC1eIvfRk&0zTZIBA*ciZ|e(B~6jk zFIMQj^-L*k(YD=SHNvea(RDD~Hfi3(0<-{?S17Wcxv>4vYpX_ey#6vCjF)z}`3&fs z&FeUR#eyDn9!Nd^^vh%63|Wm$KIw~?9Oq&re#<@Q3^1XobDPHqQwzi*s%To4Mp`n0Q{tT?z~8;fslk1giBD9^wM6J$AA@ZVMqw2QO4H`~@>ae}LZ ziSyZMeD@naPjfz>67pTKftTK0C%5<b17r#fLl!#$EG&FuM&ZInOS@i>UaeL42qj9uf55hAd4M5*lw?3Pv* zqdn*vcoRkGp1Z8>yte1yup!ggVrt_v|)9F|D-=T@LU#KzFonc zyVU;6?hR?2>x3)i?`-9?UV);k5t}BW(wDJ+Vb2M_AGdZQg`IHt!Dsg*+{obO%WM{l zIr+%9ypDE37!%pIf;~HbrOcYfZrH~stI5aQqw4#>XE%=swI84t$%7NU6K5Q<$*c8` zj60Lrr>a`4@7q>?fWJdN|4C;kY-5fe#o_{H?a-?Dt_H#6*P+(SC1wtV8jwBGNsTx? z3>QvK*#vz>vdav%J)~0dUn3@YMWMt0WKBopB^wbBb1yJ?K$E7NIfNW9T=}tl%*v_t zG8tgQyT``o8(6n&8tW?wSdCN)9KPHaVI(n@LcY^hu(RoY09*&*tp@c1Bi|ucef{D+ zX#=cnnkw=AV+<|}i;wQDKu!lPYwQ&^`U1~%h)kBPPFVqf_VVo5&$8s04XV-~63f4N za-Ga04;Na^hOA|lu36Xs*`YwbA&}bv4I@>UMvrJBCr)5O`9ioI9g~kdLBoq{zK^Uu zJYvh&b@#OtHP7N&G_77=w=8uI<2)4k*hkAvM78eG#n#^y6L1UVz^HzRrqNE&ZRKUn zPmM41g%iHd=VZgCMOWEZCO-u}f?v^{KlWnnJLV?_4rNFtU^0VTK~t%mMjOmE&sC=H zS-0NKclh(pfQv(+7xp5Inz|HvR)5JQ{`Ibg+$}4_jYq~EO0O2ZGh57$lSxz))*Ar1Wc#i6Wg0eJL*#EX0xt&d4@G0PrPnE4I(5gofr>5y_U{C= zBD^c044uL(hzPGF=}eK&0p5dwVf&jUbY$BYokABeB|VgnQii15IV>!DX>De@C)mT# z{a5JHNxK^x3wcZ=)+$ z3;qXcnmdqf5172~U%GOfcnztRRIj;i?L-@7SV0x3aJFS@Ja!cid0u|^mUxJ+8~(L{ zb)hwSC7^xljVY}?Z9BUhY3M%C*w(E*)5U>lCLG7K`t$A)AH1(D@bqwTmwWMhUO;R~ z-T;2d%3z+FYjNGT{2=#9sQezg_|?k|6tkO_Ew5%)v_7@mpH=itxFkDBohujUsbdt7 z(voT3kueDDhE4LZigiB|$58PmtdU2fMiYNEUrTSw@9a0t0?uUKO4*qMnKx?Gn5%01 z;)v}nBPy#7)<-=0tVMdY*;@-5O=-UwD6Koj2*bYKDDkUVO1pwT;#VlOLb`98hav-| zG*kfk8%jxQ%Ng=mBJJrSX)6CX@jK=a5cI{e5Pa^!&xxqI+ogmQQ_r2i){bkNun{uf z=9{{|+--{~z9o9n(%Bh*SSphCLDrB|xoK_vlX~?4hDY7ef+i>oaxEt&BO04!#{Q{d zzb-ADqQ<~Qk33L*Vk!cvif;-rrs%0+OKwtJk3sEeQq&gv1wT{vO2Nr+8x^+LI`cznyzD`qlo1!{50i1(2;{r`-$lP$L{Of zn-T~5{=kmyMDO?%WH}TiykBKQ@)XUYD0UtD9T=lB{s%RA^ofO`rdSX^&}GS9&b?rt 
z-=?(itx}&Ml}B>TgFz99GbzyY_5`V()hy`M;BFgvp>=-TbuT@Fw~IlaDw~d$20gFm zGfbjyx|Zt_-pVM%NRK~EDUVTWncS6Y?Gkq)Ja~|b3~_r@QjXAb+i&WePsCXB6@@V3 z20n0x_btS+T!3F%o%|&IbpV~YQS4)cCKeflEzm}TC}oVvXA;X1Q*&m)W6oDS1+<~E z8azzRbfL)|BHFes^z2y_=ZUmzbAYUdJfC(I_&2Ne317U7A1>c9g6H~1k%uo-UYR7- z7Z7j(+0ezmGl)C^86PO?Z)zsThsSS3@XdKX9BJD9V;M6T?3P)+UDQ71BV2U-8G_{c z8&T(e%k6TdGEhR^NZ7yfkC0Uzhs%&B7O-jVVfOBOm1NVL%22*kx@e4vZPQ}+RqY$D z=^h|z78rqN7bBqeR6?&sii8-^lpE^ZXcIH_u>hSvMBri_r3OQF_#a^S5y5X2etPff zF)&5tCSQ#G{#T02!p=)J#~8lqX_uIrQ~Bj>o!Zi<**V<_^`AhCWS3Q`-ef8F0yS=} ze%!EW4Jc0yv7{((U}rbQ!j5Wn^gRca1}+hDc*yL}k$5(G`W+gx#eyG36j;zA~xcR*odp&v(sIe{`|B0BK-v#M_|^ z2gZ}f1%AL?H@bwC8zi=F*YRB?{qo%(5QLx$_hZddZ*$} z>u~Tm`EA$BUFL${{L>#|IJKuGN8idAl*$iBON~!>%wWxSPbJ<4aw**3MqSf?&GDJn zf>Mc6=_4xH^qsyo1ENP^V-iQ5F9KoIZfvOxgcQQlV(!nvcsj zk(4Z(U>4SqqXO%H)X6xnL$=88jO^x8mXKRQMU=b4folJJutsSvx8?PhxRObNu!I45 z(W6h^`+nLs854{i+61 zg>4M)Pe}7gpBiSZ0D5nGE<4Py>GvuaxpqCOl4#i|_N45tx@GEqG2bvjvh>)+WZX6O zwS98(mqf{#*=ju4nk0qltkcXxbRxP-EPZ z%8Se^4IFEKtpWgKkFg{sW z*_(WKcx;`aJ`~|b2*nd{NKosrs>8LSz1=?j5HIZfBOQ}-QGP8iC2SM-5_Tu{ouSz_< z=@vxIsk@OQ4+@V9_721UGvJ3Ry9Q-meO*WXW6!_fn!ALVMa}=?;s58>=PGsz;r?s? z@ATlzXPL%)UEP`j9q0Sk_JlcK83^gX6^-8TWm?{t8G1i5FncqlgC>jbVExWR zTqa>JCQC&a+dv4U_IaRNJ7(xlFp`~l2A(2vlof{1w12|ubYoOpPQ`r6*BM((bRwyx z2AVp3R%Fa8`|eTCTV;0e0MfHe`V(G%c5-jXjn+$@V*xzr3n}cWMHPu9I;85BY?`R0--&gKVq5$z<$x(G=>C>9 z`%n)&17AiuCqAa|?ypJx@%-dm|I}l7#yFGqh2gXG5^-@0)yhXHoLQ6hcR%{j!cW=P zR!4(Pso%;(6&?%jPoK5H(ilhsOmE~)70yWFe~@iz^XO<^viZ#O@e^0rPyPM}DIuQZ zN0tC~LwOvK`cs{*n0t}&qZkFj`TKihgD2HZdhGA;ooKGH%ei|Ck|BTUr&BkMy&8}! mz&(o3KPi26cLFPyP?d(9tgd literal 0 HcmV?d00001 diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md index bfa2725e4..343a8dc80 100644 --- a/pentesting-web/hacking-jwt-json-web-tokens.md +++ b/pentesting-web/hacking-jwt-json-web-tokens.md 
@@ -1,7 +1,25 @@ # JWT Vulnerabilities \(Json Web Tokens\) **Part of this post was taken from:** [**https://github.com/ticarpi/jwt\_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology) -**Author of the great tool to pentest JWT** [**https://github.com/ticarpi/jwt\_tool**](https://github.com/ticarpi/jwt_tool)\*\*\*\* +**Author of the great tool to pentest JWTs** [**https://github.com/ticarpi/jwt\_tool**](https://github.com/ticarpi/jwt_tool) + +## **Quick Wins** + +Run [**jwt\_tool**](https://github.com/ticarpi/jwt_tool) ****with mode `All Tests!` and wait for green lines + +```bash +python3 jwt_tool.py -M at -t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" -rh "Authorization: Bearer eyJhbG..." +``` + +If you are lucky the tool will find some case where the web application is correctly checking the JWT: + +![](../.gitbook/assets/image%20%28435%29.png) + +Then, you can search the request in your proxy or dump the used JWT for that request using jwt\_ tool: + +```bash +python3 jwt_tool.py -Q "jwttool_706649b802c9f5e41052062a3787b291" +``` ## Tamper data without modifying anything
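Review bot: the sentence "If you are lucky the tool will find some case where the web application is correctly checking the JWT" in the new Quick Wins section states the opposite of what a green line means; the tool flags a tampered token the application still accepted, so it should read "is NOT correctly checking the JWT" (or "accepts the tampered JWT"). Two markup leftovers in the same hunk: the stray `****` in "Run [**jwt\_tool**](https://github.com/ticarpi/jwt_tool) ****with mode" will render as bold noise, and "using jwt\_ tool" has a space inside the tool name. Finally, the text never says where the `jwttool_706649b802c9f5e41052062a3787b291` id passed to `-Q` comes from; one sentence pointing the reader to it (the tool's result output shown in the screenshot, if that is the source) would make the second command reproducible.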