A7: 2021 | JWT Tokens (11) | Cycubix Docs
Last updated
Was this helpful?
Last updated
Was this helpful?
With the HMAC with SHA-2 Functions you use a secret key to sign and verify the token. Once we figure out this key we can create a new token and sign it. So it is very important the key is strong enough so a brute force or dictionary attack is not feasible. Once you have a token you can start an offline brute force or dictionary attack.
Given we have the following token try to find out secret key and submit a new key with the username changed to WebGoat.
With the HMAC with SHA-2 Functions you use a secret key to sign and verify the token. Once we figure out this key we can create a new token and sign it. So it is very important the key is strong enough so a brute force or dictionary attack is not feasible. Once you have a token you can start an offline brute force or dictionary attack.
Given we have the following token try to find out secret key and submit a new key with the username changed to WebGoat.
Solution
Save the token and try to verify the token locally.
Download a word list dictionary (https://github.com/first20hours/google-10000-english).
Write a small program or use HashCat for brute forcing the token according the word list.
Click the submit button on WebGoat and find the POST request in ZAP.
Copy the claims part (payloads data) of the token and go to tools in ZAP/decoder, to decode that section of the token into base64.
Copy the payload details into the payload section at JWT page.
Go ahead and change sub, username and email into WebGoat.
It's very important to change the expiration time of the token.
We will also need the secret to unlock the valid signature. For that we will save the key that we have, and use the HASHCAT command
You can access the source code for the lesson in the followin link: .
Go into , and paste the entire token. Examine the payload data.
