Tampering and Fuzzing
Once you have a successful exploit you can tamper with the Payload data to attempt various attacks. These may include changing a username or user ID to take over another account, it might be adjusting your role list on an application, it might involve enabling admin properties. Just look at the available claims and see what you can do with them.
You can use jwt_tool's -T flag to enter the interactive Tamper mode and mess with Header and Payload claims. If you prefer to alter claims on-the-fly you can use the -I flag for injecting claims and values. Use this alongside other options, such as signing (-S) or eXploits (-X). For example:
$ python3 jwt_tool.py JWT_HERE -I -hc header1 -hv testval1 -hc header2 -hv testval2 -pc payload1 -pv testval3 -S hs256 -p jwt-secret-key
Changing existing claims to various values, invalidating them, changing from int to string etc. are all good ways to cause the service to fail to correctly parse the JWT. This may prompt error messages or other unexpected results.
Fuzzing is also useful for testing out injection attacks into Payload claims: such as XSS and SQLi attacks.
Fuzzing is performed in Injection mode (-I) by specifying a text file to use to inject multiple values into a sequence of tokens. this works best sent directly to the application:
$ python3 jwt_tool.py JWT_HERE -I -pc image_path -pv path_traversal_tests.txt -S es512 -pk jwttool_custom_private_EC.pem -t https://www.ticarpi.com/ -rc "jwt=JWT_HERE;anothercookie=test"
You can use Burp Intruder to perform these attacks:
- Load a request with a JWT into Intruder
- Clear the suggested Payload Positions
- Base64 decode either the Header or Payload section of the JWT
- Highlight the full decoded claim you wish to attack, copy it to your clipboard, and then Add it as a Payload Position (see fig. 1.1)
- In the Payloads tab select the list you want to use to FUZZ the claim with
- Under Payload processing section:
- Click the Add button. Select Add prefix and then paste the JWT section up until the value you want to fuzz (e.g. {"login":")
- Click the Add button. Select Add suffix and then paste the JWT section after the value you want to fuzz (e.g. "})
- Click the Add button. Select Encode and then Base64
- Click the Add button. Select Match/replace and then enter an equals sign (=) in the Match regex field, and leave the Replace with field blank (see fig 1.2)
- Click Start attack (see fig 1.3)
(fig 1.1)
(fig 1.2)
(fig 1.3)
Why not try parameter pollution by injecting duplicate claims?
Maybe you could move a claim from Header to Payload block or vice-versa?
How about injecting other common claims?
What about adding claims for other variables or parameters you've seen in the application?
