Password Brute Force

  • Mentalist

  • Common User Passwords Profiler (CUPP)

  • wfuzz

    wfuzz -d '{"email":"a@email.com","password":"FUZZ"}' --hc 405 -H 'Content-Type: application/json' -z file,/home/hapihacker/rockyou.txt http://192.168.195.130:8888/api/v2/auth

MFA and Reset Attacks

  • Leverage the brute forcer payload type in BurpSuite.
  • Equivalent attack using Wfuzz with brute-force options

Password Spraying

  • In Burp Suite’s Intruder, set up this attack in a similar manner to the standard brute-force attack, except use both a list of users and a list of passwords.

Including Base64 Auth

  • The password and email values are base64 encoded.
  • Decode them by highlighting the payload, right-clicking, and selecting Base64-decode (or the shortcut CTRL-SHIFT-B). This will reveal the payload so that you can see how it is formatted.

Forging Tokens

  • Burp Suite’s Sequencer provides two methods for token analysis:
    • manually analyzing tokens provided in a text file.
      • Sequencer requires a minimum of 100 tokens to perform a basic analysis. This includes a bit-level analysis, an automated analysis of the token converted into sets of bits.
    • performing a live capture to automatically generate tokens.
      • In addition to performing an entropy analysis, Burp Suite will provide you with a large collection of tokens, which could be useful for evading security controls.

JSON Web Token Abuse

Recognizing JWTs

A JWT is three base64url segments separated by periods. Because the header and payload are base64url-encoded JSON objects (the encoding of `{"` is `eyJ`), they will normally begin with ey, as in the following JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJoYWNrYXBpcy5pbyIsImV4cCI6IDE1ODM2Mzc0ODgsInVzZXJuYW1lIjoiU2N1dHRsZXBoMXNoIiwic3VwZXJhZG1pbiI6dHJ1ZX0.1c514f4967142c27e4e57b612a7872003fa6cbc7257b3b74da17a8b4dc1d2ab9

Analysing JWTs

  • Decode and inspect a token with jwt_tool (the sample token on the original page was garbled beyond recovery, so a placeholder is used here):
    $ jwt_tool <JWT_Token>
  • Playbook Scan in jwt_tool:
    $ jwt_tool -t http://target-site.com/ -rc "Header: JWT_Token" -M pb

None Attack

  • If you ever come across a JWT using “none” as its algorithm, the token carries no signature at all, so the provider is not verifying it.

  • After decoding the token, you should be able to clearly see the header, payload, and signature.

  • Once you’ve edited the payload, use Burp Suite’s Decoder to encode the payload with base64; then insert it into the JWT.

  • Importantly, since the algorithm is set to “none”, any signature that was present can be removed.

Algorithm Switch Attack

  • One of the first things you should attempt is sending a JWT without including the signature. This can be done by erasing the signature altogether and leaving the last period in place.
  • If this isn’t successful, attempt to alter the algorithm header field to “none”. Decode the JWT, updating the “alg” value to “none”, base64-encode the header, and send it to the provider.
  • JWT_Tool can create a variety of tokens with the algorithm set to “none”:
    $ jwt_tool <JWT_Token> -X a

JWT_Tool can make the algorithm switch attack a bit easier. For the variant that uses the provider’s public key, it uses the format:
    $ jwt_tool <JWT_Token> -X k -pk public-key.pem
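The defender-side counterpart to the None and Algorithm Switch bullets above: a verifier that pins the algorithm itself and rejects an alg=none token, a token whose signature was erased with the last period left in place, and a token signed with another secret. This is an added example, not code from the original notes or from jwt_tool; it uses only the Python standard library, and the secret and payload are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a properly signed HS256 token (the provider's normal path)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only for a correctly signed HS256 token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides the algorithm; the token's own header never chooses it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    if not sig_b64:  # covers the erased-signature token that keeps its trailing period
        raise ValueError("missing signature")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def accepts(token: str, secret: bytes) -> bool:
    """True only if verify_hs256 accepts the token; any decode error counts as rejection."""
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:  # binascii.Error and JSONDecodeError are ValueError subclasses
        return False


def unsigned_none_token(payload: dict) -> str:
    """Shape of the alg=none token described above: header says none, signature segment empty."""
    header_b64 = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header_b64}.{b64url_encode(json.dumps(payload).encode())}."
```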

JWT Crack Attack

  • The JWT Crack attack attempts to crack the secret used for the JWT signature hash, giving us full control over the process of creating our own valid JWTs.
  • JWT_Tool can still test 12 million passwords in under a minute.
jwt_tool <JWT Token> -C -d /wordlist.txt