Notes, slides and sources of "TechCamp 2022 - JSON Web Token 101" talk.
THE CONTENT OF THIS REPOSITORY INCLUDING ANY REFERENCED EXTERNAL CONTENT IS FOR EDUCATIONAL PURPOSE ONLY.
IT COMES WITHOUT WARRANTY OF ANY KIND, CORRECTNESS AND/OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
USE AT YOUR OWN RISK!
Any source code included is licensed under the MIT License (see the repository's LICENSE file).
- RFC 7518 - JSON Web Algorithms (JWA)
- RFC 7519 - JSON Web Token (JWT)
- RFC 2104 - HMAC: Keyed-Hashing for Message Authentication
- RFC 4648 - Base 64 Encoding with URL and Filename Safe Alphabet
- Vulnerable verification example - GoLang
- Constant-time algorithm - GoLang
- Constant-time algorithm - PHP
- Constant-time algorithm - Python
- CVE-2016-5431 - Key Confusion Attack
- CVE-2015-9235 - alg:none Attack
- CVE-2020-28042 - Null Signature Attack
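As an added example (not code from the talk repository), a Go verifier that covers the items listed above: the algorithm is pinned to HS256 so alg:none and key confusion are refused, an empty or truncated signature is refused, and the MAC is compared with hmac.Equal instead of an early-exit byte loop. SignHS256 is an assumed helper so the block is self-contained; the secret is constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // unpadded base64url (RFC 4648, section 5)

// SignHS256 issues a token so the example is self-contained (assumed helper).
func SignHS256(claims map[string]interface{}, secret []byte) string {
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"typ":"JWT","alg":"HS256"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 pins the algorithm (alg:none, key confusion), requires a
// full-length signature (null signature) and compares MACs in constant time.
func VerifyHS256(token string, secret []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("algorithm must be HS256, token says %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != sha256.Size {
		return nil, fmt.Errorf("missing or malformed signature")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant time; never == or bytes.Equal
		return nil, fmt.Errorf("bad signature")
	}
	var claims map[string]interface{}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payloadJSON, &claims) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	return claims, nil
}
```

A secret used with SignHS256 should be at least 256 bits, as RFC 7518 requires for HS256; the verifier above does not enforce key length, so the issuer must.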
```shell
hashcat --increment-min=4 --increment-max=8 --increment -m16500 \
  'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ0ZWNoY2FtcC5oYW1idXJnIiwianRpIjoiOTZmNzBkODkiLCJpYXQiOjE2NjEzMzAzMDgsIm5iZiI6MTY2MTMzMDMwOCwiZXhwIjoxNjYxMzM3NTA4LCJzdWIiOiJtLnJlaWNoZWwiLCJpc3MiOiJpZC50ZWNoY2FtcC5oYW1idXJnIn0.mKdydmAO5Mh6bHFBtguwLAdLtxIR3oczRl7hCjsiK0w' \
  -a3 -1 "?l" "?1?1?1?1?1?1?1?1" -D 2 -d 5 -w 3

hashcat --increment-min=4 --increment-max=8 --increment -m16500 \
  'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ0ZWNoY2FtcC5oYW1idXJnIiwianRpIjoiOTZmNzBkODkiLCJpYXQiOjE2NjEzMzAzMDgsIm5iZiI6MTY2MTMzMDMwOCwiZXhwIjoxNjYxMzM3NTA4LCJzdWIiOiJtLnJlaWNoZWwiLCJpc3MiOiJpZC50ZWNoY2FtcC5oYW1idXJnIn0.tVtDVw5BlIYEQt1lVdo0YFdlS9yrNvQR0JnGU81DYQA' \
  -a3 -1 "?l" "?1?1?1?1?1?1?1?1" -D 2 -d 5 -w 3
```
Big thanks and kudos going to:
- https://techcamp.hamburg/
- https://silpion.de/
- https://jwt.io/
- https://github.com/hashcat/hashcat
- https://github.com/ticarpi/jwt_tool
- https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
- https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens
- https://auth0.com/blog/json-web-token-signing-algorithms-overview/
- https://0xn3va.gitbook.io/cheat-sheets/web-application/json-web-token-vulnerabilities
- https://codahale.com/a-lesson-in-timing-attacks/