JWT: jku x5u

JWT jku&x5u = ❤
Attacking JSON WEB TOKENS…
Louis Nyﬀenegger
@PentesterLab
louis@pentesterlab.com

About me
PentesterLab.com / @PentesterLab
Security Engineer
PentesterLab:
Pentester/Code Reviewer/Security consultant/Security architect
Platform to learn web security/penetration testing
100% Hands-on
Available for individuals (free and PRO) and enterprises
Run a website to help people learn security

Who uses JWT?
• A lot of people for OAuth2
• A lot of people for sessions
• A lot of people to manage trust
• A lot of people for password reset
• A lot of people who care about being stateless
and multi-datacenter architecture

Signature vs Encryption
Encryption gives you conﬁdentiality
Signature gives you integrity

Multiple ways of signing
• With a secret using HMAC
• With a private key using RSA/EC/… (asymmetric)

Signing with a secret
Sign! Verify!
Secret

Signing: asymmetric
Sign!
PrivatePublic
Verify!

JavaScript Object Notation (JSON)
Human readable format to store or transmit objects

The Compact JWS Format
Header Payload Signature
3 parts in a JSON Web Token:

Header Payload Signature
Separated by a dot
. .

eyJ0eXAiOiJK
V1QiLCJhbGci
OiJIUzI1NiJ9
eyJsb2dpbi
I6ImFkb
WluIn0
FSfvCBAwypJ4abF6
jFLmR7JgZhkW674
Z8dIdAIRyt1E
Separated by a dot
. .
eyJ = Base64('{"')

Base64({…}) Base64({…}) Base64(…)
Header and Payload are base64* encoded JSON
. .
* urlsafe base64 encoding without padding
The signature is also base64 encoded

The Compact JWS Format: Encoding
Urlsafe base64 encoding without padding:
*https://tools.ietf.org/html/rfc7515#appendix-C

The JWT Format: header
Base64({"alg": "HS256",
"typ": "JWS"})
The header contains an algorithm “alg” attribute:
In this example HMAC with SHA256 was used
To tell how the token was signed.
…
. . …

The JWT Format: Algorithms
A lot of different algorithms are supported*:
None
* https://jwt.io/ covers most
HS256
HS384
HS512
RS256
RS384
RS512
ES256
ES384
ES512
PS256
PS384
PS512

The JWT Format: payload
…
The payload may contain literally anything:
Base64({"user":"admin",
"roles": ["adm","users"]}). . …

The JWT Format: payload
The payload may contain registered claims:
Base64({"user":"admin",
"exp":12…, "iat":1234.. }). .… …

The JWT Format: creating a token
• Create the JSON header and base64 encode it
• Create the JSON payload and base64 encode it
• Concatenate with a dot the (encoded) header
and payload
• Sign the result (header+.+payload)
• Base64 encode the signature
• Append a dot then the signature

The JWT Format: verifying a token
• Split the token in three parts based on the dots
• Base64 decode each part
• Parse the JSON for the header and payload
• Retrieve the algorithm from the header
• Verify the signature based on the algorithm
• Verify the claims

Classic JWT attacks
• None algorithm
• Trivial secret
• Algorithm confusion
• Injection in the kid parameter
• CVE-2018-0114
•

jku and x5u
• If you read some of the JWS RFC, you probably
learnt about jku and x5u parameter for the headers
• People are starting to use jku (JWK URL)

The JWT Format: jku&x5u
Base64({"jku": "https://...",
...})
…
. . …
Base64({"x5u": "https://...",
...})
…
. . …

The JWT Format: jwk
{
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid": "pentesterlab",
"n": "oTtAXRgdJ6Pu0jr3hK3opCF5uqKWKbm4Kkq...vTF0FGw",
"e": "AQAB",
"alg": "RS256"
}
]
}

The JWT Format: x5c
{
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid": "pentesterlab",
"x5c": "MIIDWDCCAkACCQCnE....fpye27SQbC2fBxebsek=",
"alg": "RS256"
}
]
}

jku and x5u
Application
Trusted
Server
User

Application
Trusted
Server
User
HTTP Request with JWT1
jku and x5u

Application
Trusted
Server
User
HTTP Request with JWT Parsing of the JWT to extract the “jku” header1 2
jku and x5u

Application
Trusted
Server
User
3 Fetching of the JWK based on the “jku” header
jku and x5u

Fetching of the JWK based on the “jku” header
Application
Trusted
Server
User
3
Parsing of the JWK4
jku and x5u

Application
Trusted
Server
User
3
Parsing of the JWK4
Verifying the JWT signature using the JWK5
jku and x5u

Application
Trusted
Server
User
HTTP Request with JWT Parsing of the JWT to extract the “jku” header
Response
1
6
2
3
Parsing of the JWK4
jku and x5u

jku and x5u
Application
Malicious
Server
HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header
Response
1
6
2
3
Parsing of the JWK4
Attacker
Fetching of the malicious JWK based on the “jku” header

jku and x5u
Application
Malicious
Server
HTTP Request with malicious JWT Parsing of the JWT to extract the “jku” header1 2
3
Attacker
Fetching of the malicious JWK based on the “jku” header

jku and x5u
Turns out ﬁltering URLs is incredibly hard

jku and x5u : regular expression
https://trusted.example.com => https://trustedzexample.com

jku and x5u : starts with
https://trusted => https://trusted@pentesterlab.com
https://trusted/jwks/ => https://trusted/jwks/../ﬁle_uploaded
https://trusted/jwks/ => https://trusted/jwks/../open_redirect
https://trusted/jwks/ => https://trusted/jwks/../header_injection

Parsing of the JWT to extract the “jku” header2
Application
Trusted
Server
HTTP Request with malicious JWT1
Malicious
Server
Attacker
jku and Open Redirect

Application
Open Redirect
Trusted
Server
Malicious
Server
Attacker

Application
Open Redirect
Trusted
Server
3a Redirect to malicious server
Malicious
Server
Attacker

Application
Open Redirect
Trusted
Server
3b Fetching of the malicious JWK
after following the redirect
Malicious
Server
Attacker

Application
Open Redirect
Trusted
Server
3
Parsing of the JWK4
Malicious
Server
Attacker

Application
Open Redirect
Trusted
Server
3
Parsing of the JWK4
Verifying the JWT signature using the malicious JWK5
Malicious
Server
Attacker

Application
Trusted
Server
Attacker
jku and Header Injection

Application
Header Injection
Trusted
Server
Header Injection
Attacker
Application
Header Injection
Trusted
Server
Header Injection
Attacker

Application
Header Injection
Trusted
Server
3a The jku uses the header injection
to reﬂect the jwk in a response
Header Injection
Attacker

Application
Header Injection
Trusted
Server
3
Parsing of the JWK4
Header Injection
Attacker

Application
Header Injection
Trusted
Server
3
Parsing of the JWK4
Verifying the JWT signature using the
JWK from the header injection
5
Header Injection
Attacker

Libraries: jku header injection - Exploitation
Exploitation:
• Find a Header Injection
• Use the Header Injection to return
your JWK
• Add the Header Injection as jku
• Sign the token with your RSA key

jku and x5u: downgrade
• The RFC calls out enforcing TLS to avoid MITM
• Few implementations get it wrong:
Enforcing when you set the value
vs
Enforcing when you fetch the key

Recommendations
✓ Use strong keys and secrets
✓ Don’t store them in your source code
✓ Make sure you have key rotation built-in

Recommendations
✓ Review the libraries you pick (KISS library)
✓ Make sure you check the signature
✓ Make sure your tokens expire
✓ Enforce the algorithm

Recommendations
✓ Test for x5u and jku
✓ Don't burn Open Redirect
✓ Read RFC
✓ Hack all the things!

Conclusion
• JWT are complex and kind of insecure by design
(make sure you check https://github.com/paragonie/paseto)
• JWT libraries introduce very interesting bugs
• Make sure you test for those if you write code,
pentest or do bug bounties

Any questions?
FOR YOUR TIME !
THANKS
louis@pentesterlab.com / PentesterLab.com / @PentesterLab

JWT: jku x5u

More Related Content

What's hot (20)

Similar to JWT: jku x5u (20)

More from snyff (10)

Recently uploaded (20)

JWT: jku x5u