
Working with JWTs in Burp Suite

In this section, we'll look at how you can use Burp Suite to test for vulnerable JWT implementations. You can also practice using these features with our deliberately vulnerable, interactive labs.

Depending on what you're trying to achieve, you may be able to use Burp's built-in features. However, we recommend installing the JWT Editor extension, which is available from the BApp Store. It provides a number of features that make it easier to work with JWTs and perform more sophisticated attacks, most importantly a key store and the ability to re-sign a token after you modify it. These features are described in the sections below.

Viewing the contents of JWTs

If you just want to view the contents of a JWT in raw JSON form, you can simply select either the header or payload parts of the token in the message editor. You can then view the automatically decoded values in the Inspector panel.

Viewing the contents of a JWT in the Inspector

Note

Unfortunately, the Inspector cannot currently decode both the header and payload at the same time. You need to select either one or the other.

Editing the contents of JWTs

When editing JWTs, we recommend using the JWT Editor extension. After loading the extension, simply open a request containing a JWT in Burp Repeater, then switch to the extension-generated JSON Web Token message editor tab.

Editing the contents of a JWT in the JWT Editor extension

You can then use the corresponding Header and Payload fields to edit the JSON data.

Note

You can also make changes like this using the Inspector. However, this is only suitable in cases where you are able to bypass signature verification altogether. The extension provides additional features for re-signing the token after you modify it.

Adding new signing keys

In most cases, after modifying a JWT, you need to re-sign it using the correct key so that the signature corresponds to the new values in the header and payload. For simplicity, we recommend using the JWT Editor extension for this process.

The JWT Editor extension can only sign tokens using keys that you have added to its key store. You can either upload keys that you have obtained already, or use the built-in features for generating a brand new key.

To add a new key to the JWT Editor's key store:

  1. Switch to the extension-generated JWT Editor Keys tab in Burp's main tab bar.

  2. On the right of the screen, click the relevant button for the type of key that you want to add, for example, New RSA Key.

  3. In the dialog, you have the following options:

    • Click Generate to automatically create a brand new key of the selected length.

    • Paste an existing key. Depending on the type of key, you may be able to toggle between JWK and PEM representations. This also provides an easy way to convert between the two formats.

  4. Click OK. The key is saved to the extension's key store, which you can access from the JWT Editor Keys tab.

Generating a new RSA key pair

Once you have added keys to the key store, you can use them to sign JWTs in Burp Repeater. Alternatively, you can copy the keys to your clipboard by right-clicking on them and selecting the relevant format.

Signing JWTs

To sign a JWT using the JWT Editor extension:

  1. Add a suitable key to the extension's key store.

  2. In Burp Repeater, use the JSON Web Token message editor tab to modify the JWT header and payload.

  3. At the bottom of the screen, click Sign.

  4. In the dialog, select the relevant signing key from the extension's key store.

  5. If necessary, select the signing algorithm that you want to use. This is normally updated automatically based on the type of key that you select, but you may want to modify this when performing algorithm confusion attacks. You also have options for automatically updating some of the JWT headers.

  6. Click OK. The JWT in the request is replaced with your modified one.

Signing a modified JWT

Labs

You can practice using these features by completing our interactive JWT labs.
