Can JWT Tokens Be Cracked? If So, How?

HackTheBox SRMIST

Dec 27, 2023

What is a JWT Token?

JSON Web Token (JWT) is a proposed Internet standard for creating data with an optional signature and/or optional encryption, whose payload holds JSON that asserts some number of claims. The tokens are signed either with a shared secret or with a public/private key pair.

Understanding JWTs in Detail:

JWTs consist of three parts: Header, Payload, and Signature. The Header typically specifies the type of token and the signing algorithm. The Payload contains claims, i.e. information about the user, and the Signature is computed over the header and payload with a secret key, so that any tampering with the token can be detected.

For example:

Here, the red part is the header, the purple part is the payload and the blue part is the signature of the token.

The website shown above (jwt.io) is very helpful for inspecting the details of a JWT.

Now, how can somebody crack it?

Although JWTs are very safe, there are some weaknesses an attacker could exploit to crack them.

  1. Stolen Secrets: If an attacker somehow gains access to the secret key used for signing JWTs, they can create their own valid tokens.
  2. Brute Force Attacks: Since JWTs are often signed with a secret key, an attacker might attempt to guess the key by brute force; a short or dictionary-word secret makes this feasible.
  3. Token Sniffing: If an attacker can intercept (sniff) JWTs in transit, they may be able to replay the captured tokens to impersonate users.
  4. Token Expiration Manipulation: JWTs typically have an expiration time. If an attacker can somehow manipulate or extend the expiration time, they may be able to keep using a token that should have expired.
  5. Insecure Storage: If JWTs are stored on the client side (e.g., in a browser’s local storage) and not securely managed, an attacker might be able to steal them.

As an example, I am going to take a challenge from a CTF that took place recently.

Beginner/Secret-of-Kurama

Madara attacked the Leaf Village. Everyone wants Naruto to turn into Nine-Tails, but Naruto doesn’t know what the SECRET is to change his role to ‘NineTails’. Can you, as a shinobi, help Naruto??? username: Naruto Password: Chakra

http://xx.xxx.xxx.xx:xxxx/

This is a challenge from BackdoorCTF.

When we visit the given website we land on the /secret_of_Kurama page.

We also receive a JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ik5hcnV0byIsInJvbGUiOiJzaGlub2JpIn0.WJv_YcVsRV15PqzGpq10-w5i2mJ_BI1mBzkZMtAPnIQ

Decoding it on jwt.io gives us the header {"alg":"HS256","typ":"JWT"} and the payload {"username":"Naruto","role":"shinobi"}.

From the challenge text we know that we have to change the role to NineTails.

But that’s not all: we also need the secret key to produce a valid signature for the modified token.

So we can use hashcat to try to crack it. Running hashcat gives this:

As we can see, the secret is “minato”.

Now we can use this secret to create a valid token with the new role.

On using this token we get the flag!!

This was a very easy example of cracking a JWT.

JWTs can also be signed with different algorithms, some of which are much harder to crack:

1. HMAC (Hash-based Message Authentication Code):

  • Uses a shared secret key to compute the token’s MAC.
  • Depends on a strong secret key and is vulnerable if the key is exposed or guessable.

2. RSASSA (RSA Signature Algorithm):

  • Uses a public/private key pair for signing.
  • High security if keys are properly managed; private key confidentiality is crucial.

3. ECDSA (Elliptic Curve Digital Signature Algorithm):

  • Similar to RSASSA but employs elliptic curve cryptography.
  • Efficient and secure with proper key management.

4. None Algorithm:

  • The token is unsigned; used when the transport itself is secure (HTTPS).
  • Use cautiously: it is susceptible to tampering, so signing is recommended in production.

Now, if you have a website using JWTs and want to secure it, you can follow these steps:

  1. Use Strong Key Management: Employ long and complex secret keys. Rotate keys regularly and ensure they are stored securely.
  2. Implement Proper Validation: Validate the signature of incoming JWTs to ensure they haven’t been tampered with.
  3. Encrypt Sensitive Information: If the information in the JWT payload is sensitive, consider encrypting it to add an extra layer of protection.
  4. Token Revocation: Implement mechanisms to revoke or invalidate tokens if suspicious activity is detected.
  5. Secure Transmission: Use HTTPS to encrypt the communication between the client and server, preventing token sniffing during transmission.
  6. Token Expiration Policies: Enforce and properly validate token expiration times to minimize the window of opportunity for attackers.
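As an added example (not code from this write-up), here is a minimal HS256 implementation using only Python's standard library. It decodes the header and payload of the token quoted above, and it verifies tokens the way the hardening list asks for: the algorithm is pinned to HS256, the signature is compared in constant time, the exp claim is enforced, and a key-length check flags weak secrets such as the one the challenge used. DEMO_SECRET and all function names are constructed for this example.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, time

# The token quoted in the write-up; its header and payload decode below.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VybmFtZSI6Ik5hcnV0byIsInJvbGUiOiJzaGlub2JpIn0."
              "WJv_YcVsRV15PqzGpq10-w5i2mJ_BI1mBzkZMtAPnIQ")
# Constructed secret for the demo (39 bytes, so it meets the 256-bit minimum).
DEMO_SECRET = b"example-secret-for-demo-only-0123456789"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token: str) -> tuple[dict, dict]:
    """Read header and payload only; this says nothing about authenticity."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def sign_hs256(payload: dict, secret: bytes) -> str:
    def compact(obj: dict) -> str:  # compact JSON, as jwt.io and most libraries emit
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, secret: bytes, now: float | None = None) -> dict | None:
    """Return the payload if the token is valid, otherwise None. The alg is pinned
    to HS256 (so "none" and every other alg are rejected), the MAC is compared in
    constant time, and "exp" is enforced when present."""
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # wrong part count, bad base64url, bad JSON or bad UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload, dict) or ("exp" in payload and payload["exp"] <= (time.time() if now is None else now)):
        return None
    return payload

def secret_is_strong(secret: bytes) -> bool:
    """RFC 7518 requires an HS256 key of at least 256 bits; "minato" is far below that."""
    return len(secret) >= 32
```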

Contribution:

Writer:

Om Arora | Binary


HackTheBox SRMIST focuses on training the next-gen of cyber-warriors transforming the cyber space in SRMIST and beyond. https://www.htbsrmist.tech