API Hacking - Cracking JWT Tokens
Modern web apps usually authenticate users with JWTs signed by a secret key; if that key is weak, you can brute‑force it (e.g., with hashcat) and forge tokens that impersonate any user or role. Because this flaw bypasses all normal access controls, it’s a critical finding that can let an attacker fully compromise the application.

Introduction

Most modern-day web applications have two parts, a frontend and a backend. The frontend is normally coded in React, Vue, or Angular, while the backend is some sort of API. When the frontend talks to the API it has to send some sort of authentication information so the API knows which user is talking to it. If you're used to looking at older applications such as those coded in PHP, you might be used to seeing cookies used to hold users' authentication information. However, the vast majority of modern applications use JWT tokens, which can be cracked if developers use a weak key.

JWT Tokens

I won't go too much into JWT tokens as there is already a lot of information out there, but I would still like to cover some of the basics so you can get a quick understanding. According to Google, a JWT (JSON Web Token) is a compact, encoded token used to securely transmit information between parties. It consists of a header, payload, and signature, and is commonly used for authentication and authorization in web applications. Basically what they are saying is that JWT tokens are used to hold data about the user; this data is normally signed by the backend application so it can't be modified without knowing the secret password.

As you can see in the image above, we have a JWT token. In this example the token is used to hold the user's id, email, and role. If we can somehow craft our own JWT token we can input our own id, email, and role, which can be used to authenticate as another user or role. Normally this is impossible to do as these tokens are signed using a secret password. However, as with any secret password, sometimes people pick weak passwords that are easy to crack. If you can guess the secret password you can forge your own tokens, which basically allows you to log in as any user you want.

When looking at the raw request you typically see these tokens being passed in a request header called "Authorization". If you see that header carrying a string starting with "ey" (base64url for `{"`, the start of the JSON header), then you are probably dealing with a JWT token.

Cracking JWT Token

If you find a JWT token you should always run it through a password cracker such as hashcat. You would be surprised at the number of times I have completely owned an application because the developer used a weak password to sign their JWT tokens. It happens more often than you would expect. I have also noticed that with the rise of AI, when it generates code for creating these tokens it always picks a weak password; if developers are copy-pasting that code, this could lead to a serious issue.

As shown in the image above, we can see the code that generates these tokens. Take a close look at the "SECRET_KEY"; that's what we are trying to crack. If we can guess this key then we can forge our own JWT tokens, allowing us to specify any email/role that we want, and the backend API will accept it as valid.

Running the code will give you the following token:

  • eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJyb2xlIjoiYWRtaW4iLCJleHAiOjE3NDY5MzI3NDd9.2LIuNqxJ4F_M1W6kvWieOq5V8UJo35zrnMaD93dh8VU

Again, in a real application you would find this by looking at the request headers for a header called "Authorization"; if the value starts with "ey" then it's probably a JWT token. You can verify this by pasting the token into https://jwt.io/, which will decode the token and show you what's inside (the header and payload are only base64url-encoded, not encrypted). If you want to modify the token you will need to know the secret key, because any change to the payload invalidates the existing signature.

To crack the token we first need to copy it to a file for hashcat. After that, pick a good wordlist such as rockyou.txt, run hashcat with mode 16500 (JWT), and hope the developer used a weak password.

  • hashcat -m 16500 jwt_hash.txt /path/to/rockyou.txt

As you can see in the above hashcat output, we were able to crack the JWT token. Now that we have the password used to sign the tokens we can easily forge our own tokens. This allows us to log in as any user/role we want! If you find this you can consider it a critical finding, because we can bypass authentication checks and take over any user we want.
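The following Python is an added example, not the author's code or the application shown in the screenshots. It reproduces what is happening above with only the standard library: how an HS256 token is built and verified, how jwt.io decodes the payload without the key, and a wordlist audit that performs the same check as `hashcat -m 16500`, so a developer can test a candidate `SECRET_KEY` before deploying it. The weak key `"secret"` and the five-word `WORDLIST` are constructed stand-ins for a real key and for rockyou.txt; `PAGE_TOKEN` is the token printed in the post.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Token printed in the post above (HS256; payload carries email, role and exp).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJyb2xlIjoiYWRtaW4iLCJleHAiOjE3NDY5MzI3NDd9."
              "2LIuNqxJ4F_M1W6kvWieOq5V8UJo35zrnMaD93dh8VU")

# Constructed stand-ins: a guessable key and a tiny wordlist (rockyou.txt has millions of entries).
WEAK_KEY = "secret"
WORDLIST = ["password", "123456", "secret", "letmein", "changeme"]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, key: str) -> str:
    """Build header.payload.signature the way a typical HS256 library does."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"  # starts with "eyJ": base64url of '{"'
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """What jwt.io shows: the payload is only encoded, never encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: str) -> bool:
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def audit_secret(token: str, wordlist) -> Optional[str]:
    """Same check hashcat -m 16500 makes: the wordlist entry that reproduces the signature, if any."""
    for candidate in wordlist:
        if verify_hs256(token, candidate):
            return candidate
    return None


def generate_strong_key() -> str:
    # 32 random bytes (256 bits) matches the HS256 output size and will not appear in any wordlist.
    return secrets.token_urlsafe(32)
```

If `audit_secret` returns a value for a token signed with your own key, the key needs replacing with one from `generate_strong_key()` before the token format ever reaches production.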

Conclusion

Most modern-day applications that use an API also use JWT tokens to hold user authentication information. After you log in, the API will give you a JWT token that holds all of your user's information. These tokens are signed using a secret password, and if developers pick a weak password you can easily crack them. If you can crack the password then you can forge your own JWT token and take over any user on the platform. You would be surprised at the number of times I have seen this during a penetration test!
