Juno is a Burp extension to attack JWT tokens quickly and easily.
JWTs have a signature which can be verified server-side, rendering forging a JWT impractical.
However, a JWT has the signature verification algorithm specified in its own header section.
A vulnerable server tends to accept `none` as a valid option and hence bypass signature verification.
To check whether APIs on vulnerable.com are vulnerable to the above attack, one would have to:
0. Log in to vulnerable.com
1. Extract the JWT
2. Split the JWT
3. Decode the header section of the JWT (base64 decode)
4. Replace the `alg` parameter value with `none`
5. Encode the header section back (base64 encode)
6. Rejoin the JWT
7. Send a request with the forged token
8. See if it was successful
9. Repeat steps 5 through 7 with `None`, `NONE`, `nONE` and so on.
Juno performs everything above (except step 0) for you.
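
The server-side counterpart to the check above, as an added example that is not part of Juno: a constructed flawed verifier that blocks only the exact string `none`, next to one that pins the algorithm. All names (`verify_flawed`, `verify_pinned`, `audit`), the key and the claims are hypothetical.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"                # constructed sample secret
VARIANTS = ["none", "None", "NONE", "nONE"]  # spellings listed on this page

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(alg: str, claims: dict, key: bytes = b"") -> str:
    """Build a test token; only HS256 tokens get a signature."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{head}.{body}.{b64e(sig)}"

def verify_flawed(token: str, key: bytes):
    """Flawed model: the token's header chooses the algorithm and only
    the exact lowercase string 'none' is blocked."""
    head, body, sig = token.split(".")
    alg = json.loads(b64d(head))["alg"]
    if alg == "none":
        return None                      # exact-match blocklist
    if alg.lower() == "none":
        return json.loads(b64d(body))    # case variant skips the signature check
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(b64d(body)) if hmac.compare_digest(expected, b64d(sig)) else None

def verify_pinned(token: str, key: bytes):
    """Hardened: the server pins HS256, the header must match it exactly,
    and the signature is always checked."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        return json.loads(b64d(body))
    except (ValueError, AttributeError):
        return None                      # malformed token: reject, never raise

def audit(verify) -> dict:
    """Map each 'none' spelling to whether the verifier accepted it."""
    claims = {"sub": "constructed-user", "admin": True}
    return {alg: verify(make_token(alg, claims), KEY) is not None for alg in VARIANTS}
```

`audit(verify_flawed)` reports the three mixed-case spellings as accepted, while `audit(verify_pinned)` rejects all four and still accepts a correctly signed HS256 token.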
- JDK 17+
```
git clone https://github.com/KeyValueSoftwareSystems/juno.git
cd juno
./gradlew build
```
The target jar file can be found in `./lib/build/libs`.
Follow these steps to install Juno from a JAR file onto Burp Suite:
1. Go to Extensions > Installed and click Add.
2. Under Extension Details, click Select file and locate the `jar` file.
3. Click Next.
4. Wait for the extension to install. Notice that the extension is now listed in the Installed tab.
- Pick a request with a JWT in it.
- Send it to Juno.
- Click on Auto §
- Click on Start attack to launch the attack & hope for the best!
- If needed, Add § and Clear § can be used to manually select the JWT token and clear the selection respectively.
- If time is of the essence, increase the number of threads for faster execution.
This project is licensed under the terms of the Apache Licence 2.0, as mentioned in the `COPYING` file in the root directory.
- JSON Web Tokens (JWTs): jwt.io
- Installing extensions: PortSwigger