Weak JWT HMAC secrets are like leaving your front door key under the mat—easy for attackers to find and exploit. In today’s applications, JWTs are everywhere, handling everything from logging in users to securing API calls. But when those tokens are signed using weak secrets, the security they’re supposed to provide crumbles.

In this article, you'll understand the real-world dangers of weak JWT HMAC secrets, showing how attackers can not only take over other users' accounts but also escalate their privileges to gain admin access and even keep their foothold indefinitely by messing with token expiration times. If you’re developing or securing apps, understanding these risks is crucial to keeping your systems safe.

What Are JWT Tokens?

JSON Web Tokens (JWTs) are a popular method for transmitting information securely between parties as a JSON object. JWTs are compact, self-contained, and can be signed to verify the integrity and authenticity of the information they carry. They are commonly used for authentication, allowing users to prove their identity without needing to send credentials repeatedly.

A JWT consists of three parts:

1. Header: Contains metadata about the type of token and the signing algorithm being used (e.g., HMAC SHA-256).

2. Payload: Holds the claims or the actual data being transmitted, such as user ID, role, and expiration time.

3. Signature: Created by combining the encoded header, payload, and a secret key using the algorithm specified in the header. This signature ensures that the token hasn’t been tampered with.

HMAC Signing Keys play a crucial role in the JWT's security. The HMAC (Hash-based Message Authentication Code) algorithm combines the data (header and payload) with a secret key to generate a unique signature. If the key is strong, it’s extremely difficult for an attacker to forge the signature and manipulate the token.

However, if the HMAC secret key is weak—such as being too short, predictable, or commonly used—an attacker can easily crack it and generate valid tokens with manipulated data, leading to severe security breaches.

Analyzing JWT Tokens

Here’s a sample JWT token to illustrate its structure:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJDaGlvbWEgSWJlYWthbm1hIiwiaWF0IjoxNzI1MTUwMzk2LCJleHAiOjE3MjUyMzY3OTYsImF1ZCI6Imh0dHBzOi8vY2hpb21haWJlYWthbm1hLmhhc2hub2RlLmRldi8iLCJzdWIiOiJFeHBsb2l0aW5nIFdlYWsgSldUIEhNQUMgU2VjcmV0cyIsInVzZXJfaWQiOiIxMjM0IiwiUm9sZSI6InVzZXIifQ.-hmAXkpIFEBTdJHIwfn92FtmCvQ-oMROAtynbT70-ds

My go-to tool for decoding JWTs is jwt.io. Just paste in the token and it decodes it for you.

Cracking the JWT HMAC Secret with Hashcat

Hashcat is a powerful and versatile password-cracking tool that can also be used to crack HMAC secrets by leveraging advanced hashing algorithms and brute-force techniques.

To crack the JWT HMAC secret, copy the JWT token into a text file, say jwt.txt

Use the following command to start cracking the HMAC secret with Hashcat:

hashcat -m 16500 -a 0 jwt.txt wordlist.txt

Here’s what each part of the command does:

• -m 16500: Specifies the mode for HMAC-SHA (replace with the correct mode based on your HMAC algorithm, such as 16500 for HMAC-SHA256).

• -a 0: Indicates a straight attack mode where Hashcat tries each word from the wordlist.

• jwt.txt: Your file containing the JWT signature in binary format.

• wordlist.txt: The wordlist file containing potential HMAC secrets. A good wordlist is rockyou.txt.

Within seconds or minutes, Hashcat successfully cracks the JWT secret, exposing the weak HMAC key: my_secret_key_12345

Cracking Weak JWT HMAC with Burp Suite

Burp Suite automatically cracks JWT secrets during interception by brute-forcing the signature with a list of common weak secrets for every JWT observed in your traffic. This process is performed offline, without sending any requests to the server.

Exploiting Weak JWT HMAC Secrets

Once a weak JWT HMAC secret is identified, it can be exploited in several ways to compromise the security of a system. Here’s how an attacker might use the weak secret to escalate privileges or maintain unauthorized access:

Account Takeover

With the weak HMAC secret, attackers can forge JWT tokens to impersonate other users. By crafting a new token with the compromised secret, they can modify the payload to include the user ID of another account, gaining unauthorized access to that account’s privileges.

An attacker obtains the secret and generates a token with a payload that changes the user_id to that of another user. This forged token is then used to access the admin account and carry out different unauthorised actions without any restrictions.

Privilege Escalation

By exploiting the weak HMAC secret, attackers can alter the role or other claims in the JWT payload to escalate their privileges. For instance, changing a user role from user to admin in the token can grant the attacker elevated access rights to restricted admin functionalities.

Extending Token Expiration

Attackers can also increase the token’s expiration time to prolong their unauthorized access. By modifying the exp claim in the JWT payload, they ensure that the token remains valid for a longer period, circumventing any short-lived token policies.

For example, the attacker changes the exp claim to a far-future date, keeping the token valid indefinitely and maintaining access without ever needing to re-authenticate. This gives the attacker extended access to any user's account without needing the password.

How to Secure Your JWT HMAC Secrets

Here are two tips to keep your JWT HMAC secrets safe and sound:

Use Strong Secrets

Make sure your JWT secrets are long, random, and tough to crack. Aim for secrets with at least 256 bits of randomness. You can use a secure random generator or key management tools to create these secrets.

Rotate Secrets Regularly

Change your secrets often to reduce the risk if one gets compromised. Set up a rotation schedule so that old secrets are phased out and new ones are used.

By following these tips, you can keep your JWTs secure and avoid falling victim to attacks.