AP 102: Cracking a JSON Web Token Signature (20 pts extra)

What You Need

Purpose

To attack JSON Web Tokens with a dictionary attack.

Connecting to crAPI

Open Burp. Click the Proxy tab. Click the Intercept tab.

Click the "Intercept is on" button so it changes to "Intercept is off".

Click the "Open Browser" button.

In Burp's browser, go to

https://crAPI.samsclass.info The crAPI login page opens, as shown below.

Logging In

In Burp's browser, log in to crAPI with any account. If you don't have account credntials handy, click SignUp and create a new account.

Getting your Bearer Token

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, click the "GET /identity/api/v2/user/dashboard" line.

In the lower pane, on the Request tab, you can see the Authorization line containing the Bearer token, highlighted in the image below.

Highlight the token and copy it to the Clipboard.

Using JWT.IO

In a Web browser, go to https://jwt.io/

Paste your token into the Encoded box.

On the right, side, in the Decoded section, notice these items, as shown below.

Getting Python 3

Open a Terminal or Command Prompt. Type python or python3 to see if you have Python 3 installed.

If you do, you'll see a Python 3 header, as shown below. Enter exit() to close the interactive Python session.

If you don't have Python 3, get it here:

https://www.python.org/downloads/

Preparing a Wordlist

Using Notepad or Nano, put these words into a plain text file named words.txt

Crapi2020
JWT
Jwt2020
Jwt2022
Jwt_2020
Jwt_2022
OWASP
Owasp2021
community
crAPI2020
crAPI2021
crAPI2022
crapi
crapi2022
iparc
iparc2020
iparc2021
iparc2022
iparc2023
jwt2020
owasp

Getting jwt_tool

Execute these commands. If you are using Windows, you won't have wget, and you'll need to use a Web browser to download the file.

python3 -m pip install termcolor cprint pycryptodomex requests
wget https://github.com/ticarpi/jwt_tool/raw/master/jwt_tool.py
python3 jwt_tool.py
python3 jwt_tool.py -h

Running the Attack

Execute this command, inserting your JWT token you copied from Burp instead of xxxxxxxxx:

python3 jwt_tool.py xxxxxxxxx -C -d words.txt

Flag AP 102.1: Secret Word (10 pts)

The flag is the correct key, covered by a green rectangle in the image below.

Forging a JWT

In the jwt.io page, enter the secret you found in the VERIFY SIGNATURE section.

In the PAYLOAD DATA section, change the email address to

pogba006@example.com

The page generates a new JWT in the Encoded box.

Your window should look like the image below:

Using the Forged Token

In Burp, on the HTTP History tab, click this request:

GET /identity/api/v2/user/dashboard

as shown below.

Right-click the request, and click "Send to Repeater".

On the Repeater tab, replace the Token with your forged token, as shown below.

Send the request.

Flag AP 102.2: Available Credit (10 pts)

The response appears in the lower pane.

The flag is Pogba's available credit, covered by a green rectangle in the image below.

Source

Hacking APIs

Posted 5-4-22
Video added 5-11-23
Project name changed 6-18-24