Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/dariusztytko/jwt-key-id-injector
Simple python script to check against hypothetical JWT vulnerability.
https://github.com/dariusztytko/jwt-key-id-injector
Last synced: about 1 month ago
JSON representation
Simple python script to check against hypothetical JWT vulnerability.
- Host: GitHub
- URL: https://github.com/dariusztytko/jwt-key-id-injector
- Owner: dariusztytko
- License: gpl-3.0
- Created: 2020-11-29T14:18:59.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2020-11-29T18:14:20.000Z (about 4 years ago)
- Last Synced: 2024-08-01T10:17:23.009Z (4 months ago)
- Language: Python
- Homepage:
- Size: 17.6 KB
- Stars: 51
- Watchers: 4
- Forks: 11
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG
- License: LICENSE
Awesome Lists containing this project
- awesome-bugbounty-tools - jwt-key-id-injector - Simple python script to check against hypothetical JWT vulnerability. (Miscellaneous / JSON Web Token)
- awesome-hacking-lists - dariusztytko/jwt-key-id-injector - Simple python script to check against hypothetical JWT vulnerability. (Python)
README
# JWT Key ID Injector
Simple python script to check against hypothetical JWT vulnerability.Let's say there is an application that uses JWT tokens signed HS256 algorithm. An example token looks like the follow:
```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.zbgd5BNF1cqQ_prCEqIvBTjSxMS8bDLnJAE_wE-0Cxg
```
Above token can be decoded to the following data:
```json
{
"alg": "HS256",
"typ": "JWT"
}
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
```
To calculate signature the following secret is used:
```
supersecret
```The following pseudo code is used to calculate signature:
```
$alg = "sha256";
$data = "...";
$key = "supersecret";hmac($alg, $data, $key);
```
But what if unexpected **"kid":0** field will be injected into the header?
```json
{
"alg": "HS256",
"typ": "JWT",
"kid": 0
}
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
```
**kid** field is a standard way to choose a key.
My assumption is that, if **kid** field is not expected, there may be vulnerable implementation that will treat the string $key value as an array:
```
hmac($alg, $data, $key[kid]);
```
As results "s" ($key[0]) value will be used as an HMAC secret.## Usage
injector.py script takes original JWT token,
injects "kid":0 field into the header
and generates tokens signed with the one-letter secrets
(ASCII codes: 32 - 126 [{space}, !, ", #, ..., x, y, z, {, |, }, ~]):
```
python3 injector.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.zbgd5BNF1cqQ_prCEqIvBTjSxMS8bDLnJAE_wE-0Cxg
```
As results two files are created - tokens.txt and tokens_meta.txt.
tokens.txt contains generated tokens and can be used as a list of payloads for the Burp Intruder.
If any token is valid (what means that application is vulnerable),
tokens_meta.txt file can be used to check what algorithm and secret were used to generate the given token.
tokens_meta.txt file contains the following data:
```
token1:algorithm:secret
...
token{n}:algorithm:secret
```## Changes
Please see the [CHANGELOG](CHANGELOG)