Dec 172020
 

Recently I found a website that uses JWT Token and was using a weak (testing?) key to sign these. Funny, so I thought its worth writing about it.

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties. You can easily spot them, because they always have this format:

header.payload.signature

for example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

If they are signed using a weak (guessable) secret you can create you own ones. If youre really into it then GPU cracking might be the way to go, but for a quick check I decided to run a CPU based python code found at https://github.com/AresS31/jwtcat