Day 22 comes with attacks to Json Web Token and API Testing!
Attacking Json Web Token
1. Sensitive Information leak in Payload
From Rajesh Ranjan. As the payload is transmitted in plaintext format, it may contain some sensitive information sometimes. You can use any online decoder to decode the JWT as it is encoded in base64.
2. Changing the Algorithm to None
JWT uses HMAC or RSA to prevent the data tempering with it. In the header section, we can found that which algorithm was used to sign the JWT, which typically looks like:
"alg": "HS256", "typ": "JWT"
“alg” field indicates which algorithm was used to sign the JWT. In some cases, we can change the algorithm to none.
There are several things to do at the time of testing an API, it also depends if it is a black box testing or a whitebox testing, but for some of them they follow the following:
- Try to find plenty of endpoints as possible.
People can brute force the endpoints with the following the list from seclists called common-api-endpoints-mazen160.txt. Also they can look for the proxy history in BurpSuite, or inspec JS files with JSParser.
- Read the Documentation
If you’re testing an API and they provide documentation, it is important to read it because they provide the funcionality of the API and its capabilities. Besides that, there is a great chance to check security flows and information left in the documentation.
- Try all methods
Methods such as GET, POST, PUT, PATCH, DELET, QWE can provide error inputs with interesting information about third parties and the taret server.
- Look for ID values related to the organization
By creating multiple accounts, there is a great chance to see the capabilities and securities that the target has related to IDORs.