blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Module jwt_tool to check for JWTs with certain CVE issues? #1443

Status: Open. random-robbie opened this issue 3 weeks ago.

random-robbie commented 3 weeks ago

Description

Which feature would you like to see added to BBOT? What are its use cases?

https://github.com/ticarpi/jwt_tool

It would be cool to see if you could implement this module to scan for:

- (CVE-2015-2951) The alg=none signature-bypass vulnerability
- (CVE-2016-10555) The RS/HS256 public key mismatch vulnerability
- (CVE-2018-0114) Key injection vulnerability
- (CVE-2019-20933/CVE-2020-28637) Blank password vulnerability
- (CVE-2020-28042) Null signature vulnerability

Currently the system can extract JWT tokens, so if it was to run something like

python3 jwt_tool.py eyJxxxx -t https://www.example.com

it could then see if the JWT had anything fun inside or was vulnerable to an attack.

domwhewell-sage commented 3 weeks ago

I like this idea. It's been a while since I've used jwt_tool, but I'm not sure how much is possible offline... In order to use the -M pb option in jwt_tool, the parameters and endpoint would have to be known, which might not necessarily be the case.

That being said, even offline we can decode the JWT and check if it has any sensitive information inside, and I would also like it to flag up tokens with a higher priority if they haven't expired.
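As an added example (not code from this issue or from BBOT itself), here is the offline check the comment above describes, in Python: decode the header and payload without verifying the signature, flag headers that declare alg=none and tokens with an empty signature segment, flag sensitive-looking claim names, and give higher priority to tokens whose exp has not passed. The SAMPLE_JWT token and the SENSITIVE_KEYS list are constructed for this example.

```python
import base64
import json
import time

# Claim names treated as sensitive for this example (constructed list, extend as needed)
SENSITIVE_KEYS = {"password", "passwd", "secret", "email", "ssn", "api_key", "token"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def analyze_jwt(token: str, now=None) -> dict:
    """Decode a JWT offline (signature is NOT verified) and report findings."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a JWS-style token with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append("header declares alg=none (unsigned token)")
    if parts[2] == "":
        findings.append("empty signature segment")
    exp = payload.get("exp")
    expired = None  # stays None when the token carries no exp claim
    if isinstance(exp, (int, float)):
        expired = exp <= now
        if not expired:
            findings.append("token has not expired: higher priority")
    else:
        findings.append("no exp claim: token never expires")
    sensitive = sorted(k for k in payload if k.lower() in SENSITIVE_KEYS)
    if sensitive:
        findings.append("sensitive-looking claims: " + ", ".join(sensitive))
    return {"alg": alg, "expired": expired, "sensitive_claims": sensitive, "findings": findings}

# Constructed sample: HS256 header, payload with an email claim and exp in 2100, made-up signature
SAMPLE_JWT = ".".join([
    _b64url_encode({"alg": "HS256", "typ": "JWT"}),
    _b64url_encode({"sub": "alice", "email": "alice@example.com", "exp": 4102444800}),
    "c2lnbmF0dXJl",
])
```

Reporting alg=none here only says what the token's header claims; whether a server would accept such a token is exactly the part the thread notes cannot be checked offline.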

TheTechromancer commented 3 weeks ago

> not sure how much is possible offline...

This is the main issue. In order to test most of these CVEs, you'd need to have:

1) A legitimate JWT that you got from logging in (not just visiting the page)
2) A way to send each of the crafted JWTs and analyze the server's responses to see whether it's vulnerable

Both of these are difficult to automate.