Tools on Ankit Maurya https://ankitmaurya.pages.dev/tags/tools/ Recent content in Tools on Ankit Maurya Hugo en Tue, 05 Mar 2024 00:00:00 +0000 JWT Security Analysis https://ankitmaurya.pages.dev/projects/jwt-analysis/ Tue, 05 Mar 2024 00:00:00 +0000 https://ankitmaurya.pages.dev/projects/jwt-analysis/ <p>Tools and techniques for analyzing JWT tokens for authentication vulnerabilities.</p> <h2 id="jwt-overview">JWT Overview</h2> <p>JSON Web Tokens (JWT) are commonly used for authentication but can introduce security issues if not implemented correctly.</p> <h2 id="common-vulnerabilities">Common Vulnerabilities</h2> <h3 id="algorithm-confusion-alg-none">Algorithm Confusion (alg: none)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># Exploit: Change alg to &#34;none&#34; and remove signature</span> </span></span><span class="line"><span class="cl"><span class="n">header</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;alg&#34;</span><span class="p">:</span> <span class="s2">&#34;none&#34;</span><span class="p">,</span> <span class="s2">&#34;typ&#34;</span><span class="p">:</span> <span class="s2">&#34;JWT&#34;</span><span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">payload</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;sub&#34;</span><span class="p">:</span> <span class="s2">&#34;1234567890&#34;</span><span class="p">,</span> <span class="s2">&#34;role&#34;</span><span class="p">:</span> <span class="s2">&#34;admin&#34;</span><span class="p">}</span> </span></span></code></pre></div><h3 id="key-confusion-rs256-to-hs256">Key Confusion (RS256 to HS256)</h3> <p>If the server uses RS256 but the library accepts HS256 with the public key as the secret.</p> <h2 id="analysis-tools">Analysis Tools</h2> <ul> <li>JWT.io for manual inspection</li> <li>Custom Python scripts for batch analysis</li> <li>Burp Suite extension for runtime inspection</li> </ul> <h2 id="validation-checklist">Validation Checklist</h2> <ol> <li>Verify signature with correct algorithm</li> <li>Check token expiration (exp claim)</li> <li>Validate audience (aud claim)</li> <li>Ensure proper key management</li> <li>Use strong secret keys (256-bit minimum)</li> </ol> <h2 id="best-practices">Best Practices</h2> <ul> <li>Always validate algorithm expected by your application</li> <li>Use asymmetric algorithms (RS256) when possible</li> <li>Implement token rotation</li> <li>Set appropriate expiration times</li> </ul>