Security Notes
  • Whoami
  • Pentesting
    • WEP-Pen
      • Reconnaissance
      • Enumeration
      • OWSAP TOP 10
        • Injection
          • Cross Site Scripting
            • Cross Site Scripting
            • Exploitation
            • Protections
          • SQL Injection
            • SQL Injection Overview
          • NoSQL Injection
          • CRLF Injection
          • XML Injection
        • Broken Access Control
          • Path Traversal
          • Sensitive Cookie with Improper SameSite Attribute
          • Link Following
          • Incorrect Default Permissions
          • Information disclosure
          • CSRF
            • csrf checklist
          • 403 bypass
          • Exposure of WSDL File Containing Sensitive Information
          • bussiness logic checklist
          • 2FA bypass checklist
          • admin panal checklist
          • idor checklist
          • Authentication checklist
          • reset_password_checklist
          • ATO
        • Cryptographic Failures
          • Cryptographic Failure
          • Weak Encoding for Password
          • Improper Following of a Certificate's Chain of Trust
            • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
            • Transport Layer Security (TLS) and SSL **
          • Clear Text Transmission Of Sensitive Data
            • SSLStripping **
        • Insecure Design
        • Security Misconfiguration
          • CORS Miscofigration
          • Mail Server Misconfiguration
        • Vulnerable and Outdated Components
          • Using Components with Known Vulnerabilities
        • Identification and Authentication Failures
          • JWT Hacking
          • SAML Authentication bypass
        • Software and Data Integrity Failures
          • mass assignment
          • PostMessage Vulnerabilities
            • PostMessage Vulnerabilities
            • Blocking main page to steal postmessage
            • Bypassing SOP with Iframes - part 1
            • Bypassing SOP with Iframes - part 2
            • Steal postmessage modifying iframe location
        • Security Logging and Monitoring Failures
        • Server-Side Request Forgery (SSRF)
          • SSRF
      • Checklists
        • aem misconfiguration
        • exif_geo
        • xss
        • Session Management
        • Authorization
        • cookie
        • Django
        • Symfony
        • json
        • bypass rate limit
        • Rce
        • Register Page
      • eWPTXv2 Preparation
        • Encoding & Filtering
        • Evasion Basics
        • Cross-site scripting (XSS)
        • XSS Filter Evasion
        • Cross-site request forgery (CSRF
        • HTML5
      • API-Pen
        • API Discovry
        • Reverse Engineering API Documentation
        • Excessive Data Exposure
        • Vulnerability Scanning
        • API Authentication Attacks
          • Classic Authentication Attacks
          • API Token Attacks
        • API Authorization Attacks
          • Broken Object Level Authorization (BOLA)
          • Broken Function Level Authorization
        • Improper Assets Management
        • Mass Assignment
        • SSRF
        • Injection Attacks in API
        • Evasive Maneuvers
        • GraphQL Vulnerabilities
    • NET-Pen
      • Active Directory Pentesting
        • Active Directory Components
        • Initial Attack Vectors
          • LLMNR Poisoning
          • SMB Relay Attacks
          • IPv6 Attacks ( IPv6 DNS Takeover )
          • Printer Hacking
          • Methodology
          • Some Other Attacks
            • Zerologon (CVE-2020-1472)
            • PrintNightmare (CVE-2021-1675)
        • Post-Compromise Attacks
          • Pass Attacks
          • Kerberoasting Attack
          • Token Impersonation Attack
          • LNK File Attack
          • GPP / cPassword Attacks
          • Mimikatz
          • Methodology
        • We've Compromised the Domain
          • Dumping the NTDS.dit
          • Golden Ticket Attacks
          • Methodology
        • Case Study
        • Password Attacks
      • Attack Vectors by Port
        • FTP 21
        • SSH 22
        • Telnet 23 - 2323
        • SMTP 25
        • DNS 53
        • Kerberos 88
        • POP 110-995
        • RPC 111
        • Ident 113
        • NNTP 119
        • NetBIOS 137-138
        • SMB / Samba 135-139, 445
        • MSRPC 135
        • SNMP 161
        • LDAP 389,636
        • Modbus 502
        • OpenSSL 1337
        • Ms-SQL 1433
        • Oracle Listener 1521 1522 1529
        • NFS 2049
        • MySql 3306
        • RDP 3389
        • ADB Android Debug Bridge 5555
        • WinRM 5985 5986
        • VNC 5800 5900
        • Redis 6379
        • Unreal IRC 6667
        • Tomcat 8080
        • MongoDB 27017
        • http 80
      • Network basics
      • Information Gathering
      • Privilege Escalation
        • Windows Privilege Escalation
        • Linux Privilege Escalation
    • write-ups
      • How i found a Privilege Escalation via Impersonation Features feature
      • How I was able to discover ATO Via IDOR vulnerability
      • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • Using Burp Suite for Token Analysis
  • JWT Attacks
  • JWT Attack Techniques
  • For More Attacks and Techniques about .jwt look at the jwt_Hacking Page.
  1. Pentesting
  2. WEP-Pen
  3. API-Pen
  4. API Authentication Attacks

API Token Attacks

PreviousClassic Authentication AttacksNextAPI Authorization Attacks

Last updated 6 months ago

Using Burp Suite for Token Analysis

  1. Capture API Request: Proxy your API authentication request to Burp Suite.

  2. Forward to Sequencer: Right-click on the request and select the option to send it to the Sequencer.

  3. Analyze Randomness:

    • Define Token Location: Specify where the token is located in the response.

    • Start Live Capture: Begin capturing live token data.

    • Evaluate Results: Look for predictability or weak randomness in generated tokens.

Example: Weakly generated tokens can be susceptible to brute-force attacks, allowing unauthorized access to endpoints like /identity/api/v2/user/dashboard.

Manual Load of Bad Tokens:

  • Use Burp Suite’s Manual load option to analyze weakly generated tokens. You can use a weak token example generated from a for reference.

JWT Attacks

Overview:

  • JSON Web Tokens (JWTs) are commonly used for API authentication but can have vulnerabilities if misconfigured.

Components of JWTs:

  • Header: Contains metadata about the token.

  • Payload: Contains claims or user information.

  • Signature: Ensures token integrity.

Using JWT.io for Analysis:

  • Capturing a Valid JWT: If you capture a valid JWT, it may grant unauthorized access to API endpoints based on the payload information.

Tools for JWT Analysis:

  • JWT_Tool: A tool for automating JWT analysis and scanning for vulnerabilities.

  • Commands: Use specific commands with JWT_Tool for scanning and analyzing tokens in target applications.

Common JWT Vulnerabilities:

  • None Algorithm Attack: If the JWT uses "none" as its signing algorithm, attackers can forge tokens by altering the payload, potentially gaining unauthorized access.

JWT Attack Techniques

  1. JWT Decoding:

    • Decode parts of JWT for analysis:

      echo <header_part>|base64 -d
echo <payload_part>|base64 -d

  2. Analyze JWT Structure:

    • A JWT typically has three parts: header, payload, and signature.

    • Example command for decoding:

      echo eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ1c2VyYWExQGVtYWlsLmNvbSIsImlhdCI6MTY1ODUwNjQ0NiwiZXhwIjoxNjU4NTkyODQ2fQ|base64 -d

  3. JWT Signature Check:

    • JWT signature uses HMAC with a secret:

      HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

  4. Automate with JWT_Tool:

    • Use JWT_Tool for automated testing:

      jwt_tool -t <target_url> -rh "Authorization: Bearer <JWT_Token>" -M pb

  5. The None Algorithm Attack:

    • If a JWT uses "none" as the algorithm, modify payloads freely

Decode JWTs using to inspect their contents.

For More Attacks and Techniques about .jwt look at the Page.

this repository
JWT.io
jwt_Hacking