JWT, or JSON Web Token, is a widely used method for securely transmitting information between parties in a web application. These tokens are often used for authentication and authorization in modern web apps. They carry claims that can be verified and trusted because they are digitally signed (or MAC'd), so any change to the contents invalidates the signature.
JWT Structure: A JWT is made up of three parts, separated by dots:
- Header: Contains information about the type of token and the algorithm used to sign it. Note that the header and payload are only base64url-encoded, not encrypted; anyone holding the token can read them.
- Payload: Contains the actual data (claims) about the user or session.
- Signature: A MAC or digital signature computed over the encoded header and payload with a secret key (HMAC) or private key (RSA/ECDSA), used to verify the token’s authenticity.
Example JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JWTs are commonly used in:
- Authorization headers in API calls (Authorization: Bearer <JWT>).
- Cookies for session handling.
- URL parameters for single sign-on (SSO) or temporary authentication links.
JWT tokens often carry sensitive information and control access to protected resources. Identifying vulnerabilities in how they are generated, stored, or validated can lead to impactful findings that could be eligible for high rewards in bug bounty programs. Successful exploitation may lead to account takeover, privilege escalation, or bypass of critical security controls, depending on the web application.
Here’s a roadmap to identifying vulnerabilities in JWTs:
1. Algorithm Vulnerabilities
The header part of a JWT specifies the algorithm used to sign the token. A few common algorithms are:
- HS256 (HMAC + SHA-256)
- RS256 (RSA + SHA-256)
Common Vulnerabilities:
- None Algorithm Attack: Some JWT libraries mistakenly allow the use of "none" as an algorithm, making it possible to bypass the signature verification entirely.
- Weak Secret Key: If the secret key used in HS256 is short or guessable, it becomes vulnerable to offline brute-force attacks, because anyone holding a token can test candidate keys against its signature.
How to Test:
- Modify the algorithm to "none" and remove the signature to see if the server accepts the modified JWT.
- Use tools like John the Ripper or Hashcat to brute-force weak secret keys.
2. Weak Key Management
If the secret key or the private key used to sign the JWT is not handled securely, it may lead to vulnerabilities:
- Publicly exposed keys in GitHub repositories.
- Predictable keys or default configurations.
How to Test:
- Search for exposed secrets and signing keys in public repositories using tools like Gitrob or TruffleHog.
- Use JWT cracking tools to test for predictable or default keys.
3. Vulnerabilities in Claims
The payload of a JWT can include claims like exp (expiry time), sub (subject), iss (issuer), etc.
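As an added example (not code from the original article), here is what server-side validation of these registered claims looks like once the signature has been verified. It uses only the Python standard library; the issuer URL, audience names, timestamps and the USER_ROLES table are constructed for the example. It also checks nbf and aud, which the article does not list, because the same validation rules apply to them.

```python
import time

DEFAULT_LEEWAY = 60  # seconds of clock skew tolerated between issuer and verifier


def validate_claims(claims: dict, expected_iss: str, expected_aud: str,
                    now=None, leeway: int = DEFAULT_LEEWAY) -> list:
    """Return the list of failed checks; an empty list means the claims pass.

    Call this only on a payload whose signature has already been verified.
    Before that point every value in `claims` is attacker-controlled.
    """
    now = time.time() if now is None else now
    problems = []

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing")  # a token without expiry never dies
    elif now > exp + leeway:
        problems.append("expired")

    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        problems.append("not yet valid")

    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        problems.append("issued in the future")

    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")

    # RFC 7519: aud may be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append("audience mismatch")

    return problems


# Constructed server-side role store (hypothetical). Authorization is decided
# from this record, so a "role" or "is_admin" claim edited in the payload
# changes nothing even if a verifier bug lets a tampered token through.
USER_ROLES = {"1234567890": "user", "42": "admin"}


def is_authorized(claims: dict, required_role: str) -> bool:
    """Look the subject up server-side instead of trusting a role claim."""
    return USER_ROLES.get(claims.get("sub")) == required_role


if __name__ == "__main__":
    now = 1_700_000_000
    sample = {"sub": "1234567890", "role": "admin", "exp": now - 30,
              "iss": "https://issuer.example", "aud": ["api", "web"]}
    print(validate_claims(sample, "https://issuer.example", "api", now=now))
    print(is_authorized(sample, "admin"))  # False: the store says "user"
```

The leeway is deliberately small and applied symmetrically: a token expired by less than the leeway is still accepted, one issued more than the leeway into the future is rejected, which catches the iat/exp tampering the article describes without breaking clients whose clocks drift by a few seconds.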
Common Vulnerabilities:
- Expired Tokens: Check if expired tokens are still accepted.
- Modification of Claims: Modify claims like is_admin or role and check if the server accepts them.
How to Test:
- Use Burp Suite or Postman to tamper with the payload and resend the token.
- Modify the iat (issued at) or exp (expiration) values and test if the server validates them properly.
4. Signature Flaws
The signature ensures that the JWT’s content hasn’t been tampered with. Any flaws in the signature verification can be a gold mine.
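The following Python example is added here and is not code from the original article. It contrasts a verifier that takes the algorithm from the token header (the pattern behind the none-algorithm attack in section 1 and the algorithm-confusion flaw this section covers) with one that pins the algorithm from server configuration, and adds the key-length check from section 2. It also shows the three-part structure from the start of the article by building a token. Only the standard library is used, so only HS256 is implemented; the secret, the claims and the public-key placeholder are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

MIN_HS256_KEY_BYTES = 32  # RFC 7518 section 3.2: HMAC key at least the hash output size


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature; the HMAC covers the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def split_token(token: str):
    """Return (header, payload, signing_input, signature_bytes) without verifying."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[0] + "." + parts[1], b64url_decode(parts[2])


def weak_verify(token: str, secret: bytes):
    """VULNERABLE pattern: the algorithm is taken from the attacker-controlled header."""
    header, payload, signing_input, sig = split_token(token)
    alg = header.get("alg")
    if alg == "none":
        return payload  # signature never checked: the none-algorithm bug
    if alg == "HS256":
        expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return payload
    return None


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256"):
    """Hardened pattern: the algorithm comes from server configuration only."""
    header, payload, signing_input, sig = split_token(token)
    # Pin check before the key is touched: this one comparison rejects alg=none
    # and any token whose alg differs from what the server was configured with.
    if header.get("alg") != expected_alg:
        return None
    if expected_alg != "HS256":
        # RSA/ECDSA verification needs a crypto library and is out of scope for
        # this stdlib-only example; the pin check above applies to it unchanged.
        raise NotImplementedError("only HS256 is implemented in this example")
    if not sig:
        return None
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None


def secret_is_strong(secret: bytes) -> bool:
    """Configuration-time check; short secrets are recoverable offline."""
    return len(secret) >= MIN_HS256_KEY_BYTES


def demo() -> dict:
    """Run both verifiers over constructed tokens and return their verdicts."""
    secret = b"constructed-example-secret-of-32-bytes!!"  # 40 bytes, constructed
    good = sign_hs256({"sub": "1234567890", "role": "user"}, secret)
    # The tampered token from section 1: alg=none, role edited, signature removed.
    none_token = ".".join([
        b64url_encode(b'{"alg":"none","typ":"JWT"}'),
        b64url_encode(b'{"sub":"1234567890","role":"admin"}'),
        "",
    ])
    public_key_placeholder = b"-----BEGIN PUBLIC KEY-----PLACEHOLDER-----"  # stand-in, not a real key
    return {
        "good_weak": weak_verify(good, secret),
        "good_pinned": verify_pinned(good, secret),
        "none_weak": weak_verify(none_token, secret),      # accepted: the bug
        "none_pinned": verify_pinned(none_token, secret),  # None: rejected
        "wrong_secret": verify_pinned(good, b"x" * 32),
        # HS256 token sent to a server configured for RS256: rejected at the pin
        # check, so the public key is never used as an HMAC secret.
        "confusion": verify_pinned(good, public_key_placeholder, "RS256"),
        "secret_ok": secret_is_strong(secret),
        "secret_weak": secret_is_strong(b"secret"),
    }
```

The design point is the order of operations in verify_pinned: the expected algorithm and key are a single server-side configuration pair, and the header is compared against it before any cryptographic operation runs. That one check covers both "none" and the RS256-to-HS256 case, whereas weak_verify has to enumerate algorithms and gets one of them wrong.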
Common Vulnerabilities:
- Incorrect Signature Verification: Test if the server verifies the signature correctly.
- RS256 to HS256 Downgrade Attack: If the server allows an RS256-signed JWT to be treated as an HS256-signed one, you can potentially forge a valid signature.
How to Test:
- Change the algorithm from RS256 to HS256 and replace the signature with a valid HMAC using the public key as the secret.
Here’s a list of tools that can help you analyze and exploit JWT vulnerabilities:
1. Tools on Kali Linux
- JWT Tool: A toolkit for hacking JSON Web Tokens.
- JWT Cracker: A tool to crack weak secret keys for JWT.
- Burp Suite: A versatile web vulnerability scanner to intercept, modify, and tamper with JWTs.
- Postman: A powerful API testing tool that can modify and test JWTs.
2. Tools for Windows
- OWASP ZAP: Similar to Burp Suite, used for intercepting and modifying JWTs.
- CyberChef: An online tool that can decode, encode, and modify JWTs.
- Fiddler: A web debugging tool that can be used to intercept web traffic and JWTs.
Testing Steps:
- Inspect Headers: Check for the presence of Authorization: Bearer <JWT>.
- Decode JWT: Use tools like jwt.io to decode the token and inspect its contents (for tokens from a live target, decode locally rather than pasting them into a third-party site).
- Algorithm Manipulation: Change the algorithm to none or modify other claims using a testing tool like Burp Suite.
- Re-sign: If applicable, attempt to re-sign the token with a weak key or modified content.
- Replay the Modified JWT: Send the tampered token back to the server and observe if you get unauthorized access or unexpected behavior.
Finding JWT-related bugs can be highly lucrative, as they often impact authentication and authorization mechanisms. Here’s a quick breakdown:
- Low Severity Bugs (like expired token issues): $100 — $500
- Medium Severity Bugs (like sensitive data exposure in payload): $500 — $1,500
- High Severity Bugs (like signature bypass): $1,500 — $5,000
- Critical Bugs (complete authentication bypass): $5,000 — $20,000+
Tips:
- Stay Updated: Keep an eye on the latest vulnerabilities involving JWT.
- Practice: Use platforms like Hack The Box or TryHackMe to get hands-on experience.
- Read Writeups: Go through bug bounty reports to understand the thought process behind successful attacks.
- Learn from Others: Engage in bug bounty communities and forums to exchange ideas.
JWT vulnerabilities provide a significant opportunity to earn big in the bug bounty market. Understanding how JWTs work, what to look for, and how to use the right tools will help you identify bugs quickly and effectively. Whether you’re a beginner or an experienced security researcher, JWT vulnerabilities are a gold mine that you shouldn’t overlook.
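As an added example on the defensive side (not from the original article): a gateway-side check that decodes each presented token without verifying it and raises an alert when the token shows the manipulations listed in the testing steps above (alg none, a changed algorithm, an empty signature, an expired token). Running this at the gateway or auth middleware, rather than over stored logs, means full bearer tokens never need to be written to disk. EXPECTED_ALG, the client IPs and the tokens are constructed for the example; the application's real verifier still decides whether a request is accepted.

```python
import base64
import json
import re

EXPECTED_ALG = "HS256"  # the algorithm the application's verifier is pinned to (assumed)
BEARER_RE = re.compile(r"Bearer\s+([\w-]+)\.([\w-]+)\.([\w-]*)")


def b64url_json(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def b64url_of(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_token(head_seg: str, body_seg: str, sig_seg: str, now: float) -> list:
    """Decode header and payload WITHOUT verifying and list what looks tampered.
    This only decides whether to alert; it never grants access."""
    try:
        header = b64url_json(head_seg)
        payload = b64url_json(body_seg)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return ["undecodable token"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):  # catches "none", "None", "NONE" and a missing alg
        findings.append("alg none")
    elif alg != EXPECTED_ALG.lower():
        findings.append(f"unexpected alg {header['alg']}")
    if sig_seg == "":
        findings.append("empty signature")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired token presented")
    return findings


def scan_requests(requests, now: float) -> list:
    """requests: iterable of (client_ip, authorization_header).
    Returns (client_ip, findings) for each suspicious request; clean ones yield nothing."""
    alerts = []
    for client_ip, auth_header in requests:
        m = BEARER_RE.search(auth_header or "")
        if not m:
            continue
        findings = inspect_token(m.group(1), m.group(2), m.group(3), now)
        if findings:
            alerts.append((client_ip, findings))
    return alerts


NOW = 1_700_000_000  # fixed "current time" so the sample is deterministic


def sample_requests() -> list:
    """Constructed request records; the tokens are built here and are not real."""
    def token(header, payload, sig="c2ln"):  # "c2ln" is base64url("sig"), a dummy
        return f"{b64url_of(header)}.{b64url_of(payload)}.{sig}"
    hs = {"alg": "HS256", "typ": "JWT"}
    return [
        ("203.0.113.10", "Bearer " + token(hs, {"sub": "42", "exp": NOW + 600})),
        ("203.0.113.11", "Bearer " + token({"alg": "none", "typ": "JWT"}, {"sub": "42", "role": "admin"}, sig="")),
        ("203.0.113.12", "Bearer " + token({"alg": "RS256", "typ": "JWT"}, {"sub": "42", "exp": NOW + 600})),
        ("203.0.113.13", "Bearer " + token(hs, {"sub": "42", "exp": NOW - 3600})),
        ("203.0.113.14", None),  # unauthenticated request, nothing to inspect
    ]


if __name__ == "__main__":
    for ip, findings in scan_requests(sample_requests(), NOW):
        print(ip, findings)
```

The algorithm comparison is case-insensitive on purpose: a verifier that only checks for the literal string "none" can be bypassed by a capitalisation variant, and the detection should flag the same family of inputs the verifier must reject.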
Good luck, and may you find your next critical bug bounty soon! Happy hunting! 🕵️♂️🕵️♀️