Automating OAuth 2.0 / JWT token retrieval for pentests

JSON Web Tokens

A JSON Web Token (JWT) is basically a string, representing a collection of one or more claims. Claims are name/value pairs which state information about a user or subject. The claims are either signed using a JSON Web Signature (JWS) or encrypted using JSON Web Encryption (JWE). JSON Web Tokens serve as self-contained authorization tokens, represented using JWS or JWE compact serialization.

A token string consists of a header, payload and optional signature, all base-64 encoded and separated by a dot. An example in python using python-jwt is

# The namespace has changed from jwt to python_jwt from version 2.0.1
import python_jwt as jwt
token = jwt.generate_jwt({'name':'value'}, None, 'none')
print(token)

Output:

eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIn0.eyJpYXQiOiAxNDY2NDY5NDU5LCAianRpIjogIkE2RDVMOGRyV0VjREdhMTNnRW5lU3c9PSIsICJuYW1lIjogInZhbHVlIiwgIm5iZiI6IDE0NjY0Njk0NTl9.

The first part contains the header, declaring that the encoded object is a JWT, and that the payload is a JWT having no encryption/signature (note that I add some base64 padding for null bytes, as the base64 library mandates this):

import base64
header = 'eyJhbGciOiAibm9uZSIsICJ0eXAiOiAiSldUIn0'
padded_header = header + '=' * (-len(header) % 4)
print(base64.b64decode(padded_header))

Output:

{"alg": "none", "typ": "JWT"}

The payload decodes to another JSON object, containing the claims, and some other items (issue time iat , unique identifier jti and not before time nbf ):

import base64
payload = 'eyJpYXQiOiAxNDY2NDY5NDU5LCAianRpIjogIkE2RDVMOGRyV0VjREdhMTNnRW5lU3c9PSIsICJuYW1lIjogInZhbHVlIiwgIm5iZiI6IDE0NjY0Njk0NTl9'
padded_payload = payload + '=' * (-len(payload) % 4)
print(base64.b64decode(padded_payload))

{"iat": 1466469459, "jti": "A6D5L8drWEcDGa13gEneSw==",
"name": "value", "nbf": 1466469459}

In this instance, the claim consists of 'name' = 'value'.

The last part, the signature is empty, as I chose 'none' as signature algorithm, which resulted in an unsecured JWT.

OAuth 2.0

OAuth is a framework used for authentication: Say user U wants to use API A. To use the API a user has to be authorized by domain D, the so-called Authorization Endpoint.

First the user logs onto the Authorization Endpoint using valid credentials (for example a valid username/password), and asking permission to access API A. If the domain authorizes user U to use the API, it can hand out an authorization code to the user. The user is then redirected to the Redirect Endpoint (usually the API).

This again redirects the user to the Token Endpoint (usually again Domain D), after which the authorization server hands out the token, containing a claim that user U is validated by domain D to use API A.

Now when user U wants to access API A, it sends along a Authorization: Bearer HTTP header, accompanied by the token. In this case, the token was a JSON Web Token.

The next automation step for the script could be that valid tokens are automatically generated, used or renewed by the attack proxy (Burp Suite Pro in my case). Due to a lack of time this hasn't been done during that particular pentest: It's always a fine line when automating pentests still makes sense versus 'manual' testing.

You can find the script at https://github.com/radicallyopensecurity/pentesting-scripts/blob/master/apiborker.py.

Feedback, improvements and especially pull requests are always welcome.

See https://tools.ietf.org/html/rfc7519 for more information on JSON Web Tokens, https://tools.ietf.org/html/rfc7797 for more information on JSON Web Signatures (JWS) and http://oauth.net/2/ on OAuth2.