Working with JWTs in Burp Suite
In this section, we'll look at how you can use Burp Suite to test for vulnerable JWT implementations. You can also practice using these features with our deliberately vulnerable, interactive labs.
Depending on what you're trying to achieve, you may be able to use Burp's built-in features. However, we recommend installing the JWT Editor extension, which is available from the BApp Store. This provides a number of useful features that make it easier to work with JWTs and perform more sophisticated attacks. These include:
- Automatic highlighting of any requests in the proxy history that contain JWTs.
- An additional tab that lets you generate or upload cryptographic keys in a variety of formats.
- An additional message editor tab that lets you view and edit the JWT header and payload in raw, unencoded JSON.
- A feature for signing modified JWTs directly within Burp Repeater.
Viewing the contents of JWTs
If you just want to view the contents of a JWT in raw JSON form, you can simply select either the header or payload parts of the token in the message editor. You can then view the automatically decoded values in the Inspector panel.

Note
Unfortunately, the Inspector cannot currently decode both the header and payload at the same time. You need to select either one or the other.
Editing the contents of JWTs
When editing JWTs, we recommend using the JWT Editor extension. After loading the extension, simply open a request containing a JWT in Burp Repeater, then switch to the extension-generated JSON Web Token message editor tab.

You can then use the corresponding Header and Payload fields to edit the JSON data.
Note
You can also make changes like this using the Inspector. However, the Inspector only re-encodes the JSON you edit; it cannot re-sign the token, so this is only suitable in cases where you are able to bypass signature verification altogether. The extension provides additional features for re-signing the token after you modify it.
Adding new signing keys
In most cases, after modifying a JWT, you need to re-sign it using the correct key so that the signature corresponds to the new values in the header and payload. For simplicity, we recommend using the JWT Editor extension for this process.
The JWT Editor extension can only sign tokens using keys that you have added to its key store. You can either upload keys that you have obtained already, or use the built-in features for generating a brand new key.
To add a new key to the JWT Editor's key store:
- Switch to the extension-generated JWT Editor Keys tab in Burp's main tab bar.
- On the right of the screen, click the relevant button for the type of key that you want to add, for example, New RSA Key.
- In the dialog, you have the following options:
  - Click Generate to automatically create a brand new key of the selected length.
  - Paste an existing key. Depending on the type of key, you may be able to toggle between JWK and PEM representations. This also provides an easy way to convert between the two formats.
- Click OK. The key is saved to the extension's key store, which you can access from the JWT Editor Keys tab.

Once you have added keys to the key store, you can use them to sign JWTs in Burp Repeater. Alternatively, you can copy the keys to your clipboard by right-clicking on them and selecting the relevant format.
Signing JWTs
To sign a JWT using the JWT Editor extension:
- Add a suitable key to the extension's key store.
- In Burp Repeater, use the JSON Web Token message editor tab to modify the JWT header and payload.
- At the bottom of the screen, click Sign.
- In the dialog, select the relevant signing key from the extension's key store.
- If necessary, select the signing algorithm that you want to use. This is normally updated automatically based on the type of key that you select, but you may want to modify this when performing algorithm confusion attacks. You also have options for automatically updating some of the JWT headers.
- Click OK. The JWT in the request is replaced with your modified one.
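As an added, stand-alone illustration of what the Inspector (viewing) and the JWT Editor (editing and signing) do for you, the Python below is example code written for this page, not part of Burp or the extension. It decodes a token's header and payload without verifying anything, shows that an edited payload fails verification if the old signature is kept, re-signs the edited token with an HS256 key, and builds the JWK form of that key, which is one of the formats the key store accepts. The secret, the kid value and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed demo secret. Against a real target you would first have to obtain
# (or crack) the server's HMAC key before you could re-sign its tokens.
SAMPLE_KEY = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as the JWS compact serialisation requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWS strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> Tuple[Dict, Dict, bytes]:
    """Split a compact JWS into header JSON, payload JSON and raw signature.
    Nothing is verified: this is the same view the Inspector gives you."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
        b64url_decode(sig_b64),
    )


def sign_hs256(header: Dict, payload: Dict, key: bytes) -> str:
    """Serialise header and payload and sign them with HMAC-SHA256.
    The alg header is set to HS256 so it matches the signature produced."""
    header = {**header, "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the signature the way a correctly implemented server would."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def symmetric_jwk(key: bytes, kid: str) -> Dict:
    """JWK form of a symmetric key, one of the formats the key store accepts."""
    return {"kty": "oct", "kid": kid, "k": b64url_encode(key)}


def forge_payload(token: str, key: bytes, **changes) -> str:
    """Decode, edit the payload claims, then re-sign with the given key."""
    header, payload, _ = decode_jwt(token)
    return sign_hs256(header, {**payload, **changes}, key)


if __name__ == "__main__":
    original = sign_hs256({"typ": "JWT", "kid": "demo"}, {"sub": "wiener"}, SAMPLE_KEY)
    header, payload, _ = decode_jwt(original)
    print("header :", header)
    print("payload:", payload)
    # Editing the payload while keeping the old signature no longer verifies ...
    h, _, s = original.split(".")
    tampered = ".".join((h, b64url_encode(b'{"sub":"administrator"}'), s))
    print("tampered verifies :", verify_hs256(tampered, SAMPLE_KEY))
    # ... whereas re-signing with the key does, which is what the Sign dialog does for you.
    forged = forge_payload(original, SAMPLE_KEY, sub="administrator")
    print("re-signed verifies:", verify_hs256(forged, SAMPLE_KEY))
    print("key store entry   :", json.dumps(symmetric_jwk(SAMPLE_KEY, "demo")))
```

The same sign_hs256 routine is the step behind the algorithm confusion option mentioned above: if a server verifies HS256 tokens with the bytes of its own RSA public key as the HMAC secret, passing that PEM as the key here produces a token it accepts. The extension's Sign dialog lets you pick the key and override the algorithm to do exactly that.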

Labs
You can practice using these features by completing our interactive JWT labs.