Token Attacks Flashcards
What is the purpose of performing a token analysis in Burp Suite?
To find predictable tokens to aid in a token forgery process
Why do the first two parts of a JWT token start with "ey"?
The decoded values of these parts are in JSON format, which starts with {" and the result of base64 encoding {" is ey.
What is the first step to attack a JWT?
Decoding it and analyzing it.
What tool can be used to create a list of all possible character combinations?
crunch
What are the 3 parts of a JWT token?
Header, payload and signature.
How is a JWT signed?
The process of signing a JWT token consists of base64 encoding the header and payload and applying a hash and a secret to that value.
Explain the None attack.
The none attack can happen when the algorithm is set or can be set to “none”. This permits the removal of the signature part, since there is no algorithm to check it, making it possible to change the payload.
Explain the algorithm switch attack.
This attack can happen when the API provider is not checking the JWTs properly, making it possible to change the alg header to "none" or some other algorithm. The most common case is that the API accepts more than one algorithm.
Explain the JWT crack attack.
It consists of cracking the secret for the signature hash. Using a tool like hashcat or JWT_Tool, you can provide a token and a list of possible secrets. The tool will take the base64 encoded header and payload and start computing hashes with the elements of the wordlist. Then it will compare each result to the original signature, until it finds a match or the list ends.