Mutation Fuzzers (AKA Dumb Fuzzers 😉)

Mutation fuzzers are all about mutating existing input values blindly. That is why they are known as “dumb” fuzzers: they lack any understanding of the complete format or structure of the data. One example of data mutation is simply replacing or appending a random section of data. Some methods used by mutation fuzzers to generate data are:

- Bit flipping
- Random postfix
- Random prefix
- Encoding disruption

We will be looking at one mutation-based fuzzer written in NodeJS today.
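
The four methods listed above, sketched in NodeJS as an added example (not code from the fuzzer this post looks at). All function names are hypothetical, and reading "encoding disruption" as splicing in invalid UTF-8 bytes is an assumption; a seeded generator makes every mutated input reproducible from its seed.

```javascript
// Added example; every name here is illustrative, not the reviewed fuzzer's API.
// Seeded PRNG (mulberry32) so any failing input can be regenerated from its seed.
function makeRng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
const randInt = (rng, n) => Math.floor(rng() * n);
const randBytes = (rng, n) => Buffer.from(Array.from({ length: n }, () => randInt(rng, 256)));

const mutators = {
  bitFlip(buf, rng) {
    const out = Buffer.from(buf); // copy, so the seed input is never modified
    if (out.length > 0) out[randInt(rng, out.length)] ^= 1 << randInt(rng, 8);
    return out;
  },
  randomPrefix: (buf, rng) => Buffer.concat([randBytes(rng, 1 + randInt(rng, 8)), buf]),
  randomPostfix: (buf, rng) => Buffer.concat([buf, randBytes(rng, 1 + randInt(rng, 8))]),
  // Assumption: "encoding disruption" means splicing in bytes that are never valid UTF-8.
  encodingDisruption(buf, rng) {
    const at = randInt(rng, buf.length + 1);
    return Buffer.concat([buf.subarray(0, at), Buffer.from([0xc0, 0xff]), buf.subarray(at)]);
  },
};

// Pick one mutator and apply it; the same (input, seed) pair always gives the same bytes.
function mutate(seedInput, seed) {
  const rng = makeRng(seed);
  const names = Object.keys(mutators);
  const name = names[randInt(rng, names.length)];
  return { name, data: mutators[name](Buffer.from(seedInput), rng) };
}

// Feed mutated inputs to `target`; record every throw that `isExpected` does not excuse.
function fuzz(target, seedInput, runs, isExpected = () => false) {
  const failures = [];
  for (let seed = 0; seed < runs; seed++) {
    const { name, data } = mutate(seedInput, seed);
    try { target(data); } catch (err) {
      if (!isExpected(err)) failures.push({ seed, name, error: String(err.message) });
    }
  }
  return failures;
}
```

Run against your own parser, each entry in the returned list carries the seed needed to regenerate the offending input with `mutate(seedInput, seed)`; the `isExpected` predicate separates clean rejections (such as a `SyntaxError` from `JSON.parse`) from real failures.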
Attack JWT

JWT is a URL-safe, stateless protocol for transferring claims. A JWT token looks something like this:

Header.UserStateInformation.Signature

Sample:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

The pieces of information in the token are separated by dots. The first and second parts can easily be converted to ASCII, as they are the base64 encoding of plain text. That being said, let's dig into these three parts of a JWT token. The header contains information about the algo used to encrypt (the correct term would be hash generation :P).