In a recent post (https://lab.wallarm.com/340-weak-jwt-secrets-you-should-check-in-your-code/), we presented the wallarm/jwt-secrets GitHub repository, a collection of 340 publicly available JSON Web Token secrets. With this data you can check whether you or your developers forgot to change a default secret, or used a weak third-party library that ships with one.
The project has not stalled, and today we are happy to announce a major update: more than 1800 new JWT secrets gathered from public sources such as Google, GitHub, Pastebin, and others.
To make the job of security auditors easier, we also built a simple Burp extension that checks tokens against the secret list, which it updates automatically from our GitHub project. You can find it here: https://github.com/wallarm/jwt-heartbreaker
The JWT Heartbreaker extension is released under the GPL license and is based on the JSON Web Tokens (JWT4B) extension. The project also has its own page on our blog, where we will post changes, new feature announcements, and news.
You can build it from source by following the instructions on GitHub, or download a precompiled JAR file from here: https://github.com/wallarm/jwt-heartbreaker/releases/download/0.1/jwt-heartbreaker-1.0-SNAPSHOT-jar-with-dependencies.jar
We have also submitted it to the BApp Store, but the review process takes some time. Until it is listed there, you have to install the JWT Heartbreaker extension manually from the “Extensions” tab in Burp Suite:
After it loads, you can easily access the JWT Heartbreaker tab in your Burp control panel.
That’s it! There is absolutely nothing else to configure. Just use Burp as usual and check the vulnerabilities tab from time to time. JWT Heartbreaker automatically finds JWT tokens in all proxied HTTP requests and checks whether any of the known weak secrets verify their signatures.
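To show what the extension's check amounts to, here is an added example (not the extension's own code, and not from the original post) that does the same thing in Python on a captured request: pull every JWT out of the HTTP text, and for each HMAC-signed token (HS256/HS384/HS512) recompute the signature with each candidate secret until one verifies. The `WEAK_SECRETS` list and the sample request are constructed stand-ins for the wallarm/jwt-secrets data and for Burp's proxied traffic; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import List, Optional, Tuple

# Constructed stand-in for the weak-secret list; the real data lives in wallarm/jwt-secrets.
WEAK_SECRETS = ["secret", "password", "changeme", "jwt_secret", "your-256-bit-secret"]

# Only HMAC algorithms can be checked against a secret list; RS*/ES*/PS* use key pairs.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# A JWT header is base64url('{"...') which always starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding (as JWTs use it)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build an HMAC-signed JWT; used here only to construct test traffic."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, HMAC_ALGS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def find_weak_secret(token: str, candidates: List[str]) -> Optional[str]:
    """Return the candidate secret that verifies the token's signature, or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in HMAC_ALGS:
        return None  # "none", RS256, etc.: nothing to check against a secret list
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    for secret in candidates:
        expected = hmac.new(secret.encode(), signing_input, HMAC_ALGS[alg]).digest()
        if hmac.compare_digest(expected, sig):
            return secret
    return None


def scan_request(http_text: str, candidates: List[str]) -> List[Tuple[str, str]]:
    """Find every JWT in raw HTTP text and report those signed with a known weak secret."""
    findings = []
    for token in set(JWT_RE.findall(http_text)):
        matched = find_weak_secret(token, candidates)
        if matched is not None:
            findings.append((token, matched))
    return findings


# Constructed sample request: a bearer token signed with a secret from the weak list.
SAMPLE_REQUEST = (
    "GET /api/profile HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Bearer " + make_hs_token({"sub": "alice", "role": "user"}, "changeme") + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for token, secret in scan_request(SAMPLE_REQUEST, WEAK_SECRETS):
        print(f"weak secret {secret!r} verifies token {token[:20]}...")
```

A token whose signature verifies under a listed secret means anyone holding that list can forge tokens for that application; the fix is to rotate to a long, randomly generated secret (or move to an asymmetric algorithm). Note that tokens using `alg: none` or RSA/ECDSA algorithms are skipped here, as they are not weak-secret findings.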
Lastly, we wish you very productive bug hunting with the JWT Heartbreaker extension. We are committed to updating the weak-secret database regularly, so don’t forget to press the “Update” button occasionally.
As usual, if you need to protect your API endpoints, whatever they may be for you, from XML-RPC, SOAP and REST to GraphQL, gRPC and WebSockets, please consider Wallarm as the solution.
Cheers!