Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

開源資安工具 – 輕鬆破解JWT token – jwt-cracker

回想一下,JWT HS256 是使用Secret計算的。計算的確切格式是

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

因此,有理由認為,由於我們擁有完整的 jwt token,以及標頭和有效載荷,因此可以通過暴力破解來獲取完整的 JWT 令牌。如果這個secret可以被暴力破解,那麼攻擊者就可以簽署他自己的 JWT token。

為了暴力​​破解這些秘密,我們將使用一個名為jwt-cracker的工具。jwt-cracker 的語法是jwt-cracker <token> [alphabet] [max-length]字母表和最大長度是可選參數。

參數說明:

TokenThe HS256 JWT token
Alphabet破解者用於檢查密碼的字母表(默認:“abcdefghijklmnopqrstuvwxyz”)
max-length秘密的最大預期長度(默認為 12)

安裝

npm install --global jwt-cracker

練習

試著破解這個JWT token吧!

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.it4Lj1WEPkrhRo9a2-XHMGtYburgHbdS5s7Iuc1YKOE

利用這套工具,我們只用20秒就破且取得secret了。

Back To Top
error: 內容被保護 !!
Buy Me A Coffee
歡迎贊助 sectools.tw 讓這個網站更好~!