testing-jwt-token-security

# Testing JWT Token Security ## When to Use - During authorized penetration tests when the application uses JWT for authentication or authorization - When assessing API security where JWTs are passed as Bearer tokens or in cookies - For evaluating SSO implementations that use JWT/JWS/JWE tokens - When testing OAuth 2.0 or OpenID Connect flows that issue JWTs - During security audits of microservice architectures using JWT for inter-service authentication ## Prerequisites - **Authorization**: Written penetration testing agreement for the target - **jwt_tool**: JWT attack toolkit (`pip install jwt_tool` or `git clone https://github.com/ticarpi/jwt_tool.git`) - **Burp Suite Professional**: With JSON Web Token extension from BApp Store - **Python PyJWT**: For scripting custom JWT attacks (`pip install pyjwt`) - **Hashcat**: For brute-forcing HMAC secrets (`apt install hashcat`) - **jq**: For JSON processing - **Target JWT**: A valid JWT token from the application ## Workflow ### Step 1: Decode and Analyze the JWT Structure Extract and examine the header, payload, and signature components. ```bash # Decode JWT parts (base64url decode) JWT="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" # Decode header echo "$JWT" | cut -d. -f1 | base64 -d 2>/dev/null | jq . # Output: {"alg":"HS256","typ":"JWT"} # Decode payload echo "$JWT" | cut -d. -f2 | base64 -d 2>/dev/null | ...