未加星标

ZeroMQ & Node.js Tutorial - Cracking JWT Tokens (Part 1.)

字体大小 | |
[前端(javascript) 所属分类 前端(javascript) | 发布者 店小二03 | 时间 2016 | 作者 红领巾 ] 0人收藏点击收藏

This article teaches you how to build a distributed application with ZeroMQ and Node.js by developing an exciting sample project: a brute-force cracker for JWT tokens.

This is a two-part story - this first post will focus on theory, and the second one is about coding. You’ll get to know ZeroMQ, how JWT tokens work and how our application can crack some of them! Be aware, that the application will be intentionally simple. I only want to demonstrate how we can leverage some specific patterns.

What is ZeroMQ

ZeroMQ (also known as MQ , 0MQ , or zmq ) is an open source embeddable networking library and a concurrency framework built in C++. It is available for many platforms and programming languages (including Node.js). The goal of ZeroMQ is providing developers with a foundation of network utilities that can be easily used across systems with heterogeneous architectures. ZeroMQ provides sockets that can carry atomic messages across various transport layers like in-process, inter-process, TCP, and multicast.

And in case you are wondering why it is called "Zero"...

The in ZeroMQ is all about tradeoffs. On the one hand this strange name lowers ZeroMQ's visibility on Google and Twitter. On the other hand it annoys the heck out of some Danish folk who write us things like "MG rtfl", and " is not a funny looking zero!" and "Rdgrd med flde!", which is apparently an insult that means "may your neighbours be the direct descendants of Grendel!" Seems like a fair trade.

For more info, you can read the The ZeroMQ official guide .

Building a JWT token cracker with ZeroMQ and Node.js

In the course of this article, we are going to build a functional distributed application: a JWT token cracker.

If you know what JWT tokens are and how they work feel free to skip this section, otherwise you are going to need a bit of theory here...

JSON Web Token (JWT) is an open standard ( RFC 7519 ) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

If you need more, read the introduction to JWT page.

JWT is often used as a mechanism to enforce authentication and authorization in websites and APIs, so being able to "crack" one of these tokens might mean gaining access to sensitive information or being able to impersonate a particular user on a given system.

But what do we really mean with "cracking" a JWT token?

In order to really understand this question we need to know how a JWT token is composed.

A typical JWT token is a string composed by 3 parts (separated by a "."): the header , the payload and the signature .

To have a visual cue about how it looks like, take the following token as an example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

"A typical JWT token is a string with 3 parts: header, payload & signature." via @RisingStack @loige #nodejs

The header

The header, also called JOSE header (JSON Object Signing and Encryption header), contains some metadata that describes which algorithm is used for signature and/or encryption. If we use base64 to decode the header in our example token we will get the following JSON string (properly beautified for your convenience):

{ "alg": "HS256", "typ": "JWT" }

The most common algorithms available are HS256 (HMAC signature) and RS256 (RSA public/private key pair signature).

In our application we will focus on cracking only HS256-based tokens.

The payload

The payload is the most important part of the token, because it is the one that actually contains the information exchanged between the parties.

In our example, the decoded payload (using base64) is the following JSON string:

{ "sub": "1234567890", "name": "John Doe", "admin": true }

The payload can contain virtually any kind of data that can be serialized to a JSON string. In this case it's fairly obvious that the token is used to exchange the information about the user that is currently logged in.

This should ring a bell (a malicious one). What if we could alter the payload of this token at our convenience? Yes, in this particular use case we might be able to impersonate another user or to obtain access to resources that might be restricted to our regular user.

The signature

Of course JWT has a mechanism to avoid people to easily forge their own tokens: the signature.

The signature, which is the third and last part of the token, can be (in theory) generated only by the token issuer authority, for example by an authentication server.

Every time the issuer needs to verify the authenticity of a previously generated JWT token, it simply calculates again the signature for the given header and payload. If it matches the original signature contained in the token, it can safely assume that the token is authentic and not maliciously forged.

As we said, we can have different signature algorithms. In case of HS256 the algorithm to calculate the signature is the following:

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), <password> )

As you can see the function HMACSHA256 is used to generate a hash-based signature. This function accepts two arguments: a string consisting of the encoded header and payload separated by a dot and a password (also known as secret ).

So the password is what actually protects tokens from being forged, and it must be accessible only to the issuer authority. If the password is disclosed, a malicious attacker will be able to forge a token with an authentic signature and the issuer authority will not be able to distinguish forged tokens from authentic ones anymore.

Our application will use a brute force approach to try to find out the password. Given a specific token, it will be able to try any possible combination of characters over a specific alphabet and check if the resulting string is the valid secret for the token signature. If we are successful we can then use the discovered password to sign tokens that contains information that we can alter at our own will.

Are JWT tokens safe to use?

That's probably what you are asking yourself right now...

My personal answer to this question is " definitely YES "!

The weakness that we are trying to exploit here is the same that every password-based system has: passwords can be guessed or be subjected to brute force attacks!

So it's your responsibility to choose strong passwords in order to protect the signature of your JWT tokens from

本文前端(javascript)相关术语:javascript是什么意思 javascript下载 javascript权威指南 javascript基础教程 javascript 正则表达式 javascript设计模式 javascript高级程序设计 精通javascript javascript教程

主题: Node.jsC++Twitter
分页:12
转载请注明
本文标题:ZeroMQ &amp; Node.js Tutorial - Cracking JWT Tokens (Part 1.)
本站链接:http://www.codesec.net/view/481765.html
分享请点击:


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 前端(javascript) | 评论(0) | 阅读(24)