Web App Pentesting: Test cases on JWT

@ro0taddict
3 min readFeb 9, 2025


JWT is commonly used in modern web applications. If the app uses JWT, below are the test cases we can perform during an assessment:

  • Check whether the JWT discloses sensitive information. Best practice is to limit or completely remove sensitive data from the JWT and to reference users by UUID.
  • Check how long the JWT's expiry is. During assessment, I found JWTs that don't expire or have a very long expiration.
  • Check the JWT for signs that the app is using AWS Cognito; if so, try the attacks on AWS Cognito. Refer to this link or my previous blog. The idea is to try signing up accounts directly via the AWS CLI, or, if attributes like “user” and “admin” are configured, to try escalating to admin by changing the attribute.
  • Check whether the JWT uses an asymmetric (e.g. RS256) or symmetric (e.g. HS256) algorithm. If symmetric, try to brute-force the signature to recover the secret key. If the brute-force succeeds, tamper with the payload and use the key to sign the JWT. (There is no point in brute-forcing RS256 or similar.)
hashcat -a 0 -m 16500 <jwt> <wordlist>
  • Try changing the algorithm (e.g. from RS256 to HS256, or to none).
  • Try modifying the payload without changing the signature (works if the signature is not properly validated).
  • Try removing the signature part.
  • Try JWT header parameter injections (jwk, kid, jku).
  • Verify whether this is within scope. If you have a JWT that works in the Dev environment, try it in the Prod environment and see whether it also works (always ask whether this is intended).
  • Use JWT Editor and jwt_tool for efficient testing.
jwt_tool -t http://sample.com/user/profile -rh "Authorization: Bearer <JWT here>" -M at
# Use an endpoint whose response differs depending on whether the Authorization bearer token is present in the request.

Mitigations/Fix/Recommendations:

  • Limit sensitive info in the JWT
  • Configure JWTs to have a short expiry
  • If using AWS Cognito, ensure it is properly configured
  • For robust security, use an asymmetric signing algorithm (e.g. RS256)
  • If a symmetric algorithm (e.g. HS256) is used, ensure the signing key is very strong and very hard to crack
  • Ensure the backend validates the JWT (e.g. the server rejects tokens whose algorithm or signature has been changed, among other checks)
  • Use an up-to-date library for handling JWTs and make sure your developers fully understand how it works, along with any security implications.
  • Enforce a strict whitelist of permitted hosts for the jku header.
  • Make sure that you’re not vulnerable to path traversal or SQL injection via the kid header parameter.
  • Enable the issuing server to revoke tokens (on logout, for example).
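To make the algorithm, signature and expiry checks above concrete, here is an added example (not from the original post or any of the referenced tools) that contrasts a weak HS256 verifier, which trusts the token's own alg header and ignores exp, with a hardened one that pins the algorithm, compares the signature in constant time and enforces expiry. The secret and the tokens are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
SECRET = b"constructed-demo-secret-not-for-production"  # constructed sample key

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encode_jwt(header: dict, claims: dict, key: bytes = SECRET) -> str:
    """Build a token; alg HS256 gets a real HMAC signature, alg 'none' gets an empty one."""
    h, c = b64url_encode(json.dumps(header).encode()), b64url_encode(json.dumps(claims).encode())
    sig = b"" if header.get("alg") == "none" else hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return f"{h}.{c}.{b64url_encode(sig)}"

def verify_naive(token: str, key: bytes = SECRET):
    """Weak verifier: honours the token's own 'alg' (so 'none' passes) and never checks 'exp'."""
    h, c, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(c))
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(c)) if b64url_decode(s) == expected else None

def verify_strict(token: str, key: bytes = SECRET, now=None):
    """Hardened verifier: pins HS256, constant-time signature compare, requires a future 'exp'."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    try:
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # the server decides the algorithm, not the token
            return None
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(s), expected):
            return None
        claims = json.loads(b64url_decode(c))
    except (ValueError, UnicodeDecodeError):  # bad base64 or JSON is a rejection, not a crash
        return None
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims
```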

References:

https://portswigger.net/web-security/jwt
https://academy.tcm-sec.com/p/practical-web-hacking
https://academy.tcm-sec.com/p/hacking-apis
https://www.udemy.com/course/hacking-and-securing-jwt/
https://owasp.org/www-chapter-vancouver/assets/presentations/2020-01_Attacking_and_Securing_JWT.pdf
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens

Disclaimer:

The information provided on this blog is for general informational purposes only. While I always aim for accuracy, some details may be inaccurate and the list provided may not be complete. Having said this, I strongly recommend verifying any critical information against industry-standard documents and official sources (some are listed in the Reference section above) before making any decisions or taking action.

All opinions expressed here are my own and do not reflect the views or positions of my employer.
