Example JPA Model

In our example we focus on Employee and how to calculate a sum of salaries of employees by country.

@Entity 
class Employee {
    @Id @GeneratedValue
    private Long id;
    private String firstName;
    private String lastName;
    private BigDecimal salary;
    @OneToOne @JoinColumn(name = "address_id")
    private Address address;
    @Temporal(TemporalType.DATE)
    private Date startDate;
    @Temporal(TemporalType.DATE)
    private Date endDate;
    @ManyToOne @JoinColumn(name = "manager_id")
    private Employee manager;  
    // …
}

Sum of Salaries by Country – Select All

TypedQuery<Employee> query = em.createQuery(
    "SELECT e FROM Employee e", Employee.class);
List<Employee> list = query.getResultList();

// calculate sum of salaries by country
// map: country->sum
Map<String, BigDecimal> results = new HashMap<>();
for (Employee e : list) {    
    String country = e.getAddress().getCountry();    
    BigDecimal total = results.get(country);    
    if (total == null) total = BigDecimal.ZERO;    
    total = total.add(e.getSalary());    
    results.put(country, total);
}

Sum of Salaries by Country – Select Join Fetch

TypedQuery<Employee> query = em.createQuery(
    "SELECT e FROM Employee e 
     JOIN FETCH e.address", Employee.class);
List<Employee> list = query.getResultList();

// calculate sum of salaries by country
// map: country->sum
Map<String, BigDecimal> results = new HashMap<>();
for (Employee e : list) {    
    String country = e.getAddress().getCountry();    
    BigDecimal total = results.get(country);    
    if (total == null) total = BigDecimal.ZERO;    
    total = total.add(e.getSalary());    
    results.put(country, total);
}

Sum of Salaries by Country – Projection

Query query = em.createQuery(
    "SELECT e.salary, e.address.country 
     FROM Employee e");
List<Object[]> list = (List<Object[]>) query.getResultList();

// calculate sum of salaries by country
// map: country->sum
Map<String, BigDecimal> results = new HashMap<>();
for (Object[] e : list) {    
    String country = (String) e[1];    
    BigDecimal total = results.get(country);    
    if (total == null) total = BigDecimal.ZERO;    
    total = total.add((BigDecimal) e[0]);    
    results.put(country, total);
}

Sum of Salaries by Country – Aggregation JPQL

Query query = em.createQuery(
    "SELECT SUM(e.salary), e.address.country 
     FROM Employee e 
     GROUP BY e.address.country");
List<Object[]> list = (List<Object[]>) query.getResultList();

// already calculated!

Performance Comparison

For our performance comparison we use databases populated with 100000 employees and databases are located in different regions to illustrate the impact of latency on the execution times.

Logging Slow Queries

Hibernate supports logging queries that run longer than a specified amount of time in miliseconds. To configure this feature you need to use parameter hibernate.session.events.log.LOG_QUERIES_SLOWER_THAN_MS. This parameter can be very helpful in detecting bottlenecks in production systems without producing excessive number of logs.

Example:

hibernate.session.events.log.LOG_QUERIES_SLOWER_THAN_MS=1000

Logging Queries with Parameters

When we tune or debug our applications, it often happens that we are interested not only in executed SQL/JPQL/HQL queries but also in parameters bound for a given query. Actually, that may be a crucial piece of information! Unfortunately, the widely-known show-sql logs only SQL queries without bound parameters.

In order to log queries along with bound parameters, you can use:

logging.level.org.hibernate.SQL=DEBUG
logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE

Custom Definition of BIT

First, you need to create BitStringType, BitStringJavaDescriptor, and BitStringSqlDescriptor:

public class BitStringType extends AbstractSingleColumnStandardBasicType<String> {

    public static final BitStringType INSTANCE = new BitStringType();

    public BitStringType() {
        super(VarcharTypeDescriptor.INSTANCE, BitStringJavaDescriptor.INSTANCE);
    }

    @Override
    public String getName() {
        return "BitString";
    }

}

public class BitStringJavaDescriptor extends AbstractTypeDescriptor<String> {

    public static final BitStringJavaDescriptor INSTANCE = new BitStringJavaDescriptor();

    public BitStringJavaDescriptor() {
        super(String.class, ImmutableMutabilityPlan.INSTANCE);
    }

    @Override
    public String fromString(String string) {
        return string;
    }

    @Override
    public <X> X unwrap(String value, Class<X> type, WrapperOptions options) {
        if (value == null)
            return null;
        if (String.class.isAssignableFrom(type))
            return (X) value;
        throw unknownUnwrap(type);
    }

    @Override
    public <X> String wrap(X value, WrapperOptions options) {
        if (value == null)
            return null;
        if (String.class.isInstance(value))
            return (String) value;
        throw unknownWrap(value.getClass());
    }

}

    @Override
    public <X> ValueBinder<X> getBinder(final JavaTypeDescriptor<X> javaTypeDescriptor) {
        return new BasicBinder<X>(javaTypeDescriptor, this) {
            @Override
            protected void doBind(PreparedStatement st, X value, int index, WrapperOptions options) throws SQLException {
                st.setObject(index, javaTypeDescriptor.unwrap(value, String.class, options), Types.OTHER);
            }
            @Override
            protected void doBind(CallableStatement st, X value, String name, WrapperOptions options) throws SQLException {
                st.setObject(name, javaTypeDescriptor.unwrap(value, String.class, options), Types.OTHER);
            }
        };
    }

    @Override
    public <X> ValueExtractor<X> getExtractor(final JavaTypeDescriptor<X> javaTypeDescriptor) {
        return new BasicExtractor<X>(javaTypeDescriptor, this) {
            @Override
            protected X doExtract(ResultSet rs, String name, WrapperOptions options) throws SQLException {
                return javaTypeDescriptor.wrap(rs.getString(name), options);
            }
            @Override
            protected X doExtract(CallableStatement statement, int index, WrapperOptions options) throws SQLException {
                return javaTypeDescriptor.wrap(statement.getString(index), options);
            }
            @Override
            protected X doExtract(CallableStatement statement, String name, WrapperOptions options) throws SQLException {
                return javaTypeDescriptor.wrap(statement.getString(name), options);
            }
        };
    }

}

Use Your Custom BIT Type

Having those classes, you can define a type for your field. Please, use the correct package (in my case I’ve used the one from my demo com.yonlabs.jpa):

    @Column
    @Type(type = "com.yonlabs.jpa.BitStringType")
    private String bits;

You can also register this type with hibernate to use a registered name instead of a fully qualified Java class.

JWT RFC describes unsecured JWTs where there is no signature present. Such unsecured tokens have a header alg parameter set to none.

{"alg":"none"}

How to create a JWT token with the none algorithm?

To create a JWT token, you can use any programming language and any JWT library you like.

In my example I use Java and io.jsonwebtoken JJWT library. Please, note that I don’t use signWith method anywhere in my code, thus the generated token will not have any signing algorithm set up, implicitly having none algorithm configured.

Jwts.builder()
    .setSubject(subject)
    .setIssuedAt(Date.from(now()))
    .setIssuer("jwt-demo")
    .setExpiration(Date.from(now().plus(ofDays(1))))
    .compact();

When is an application vulnerable?

An application is vulnerable when it doesn’t verify the signature nor algorithm set in a token. It may happen due to a misleading library design where decode and verify functions are not properly distinguished. Unfortunately, that’s the case of io.jsonwebtoken JJWT. The library provides two methods parse and parseClaimsJws. The parse method decodes a token but doesn’t verify its signature. The parseClaimsJws method decodes a token and verifies its signature.

The below code is vulnerable:

Jwts.parser()
    .setSigningKey(secretKey)
    .parse(token);

In this article, I’m going to explain what hashcat is and how you can use it to crack an HS256 JSON Web Token using a brute-force attack.

With a weak JWT, your applications become vulnerable to identity theft as a hacker can impersonate any user he wants once the JWT is cracked and the HS256 secret is revealed.

Hashcat

hashcat is a password cracker, or, officially, a password recovery tool. It’s one of the most advanced tools, supporting five attack modes and over 300 hashing algorithms.

hashcat is highly optimized and is able to make use of CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS. That makes hashcat supposedly the world’s fastest tool in its kind, and definitely the fastest among freely available ones.

HS256 JSON Web Token

JWT

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for transmitting information between parties as a JSON object. JWT is widely used in modern applications as a stateless authorization mechanism where a token represents a self-contained session of a logged-in user.

JWT can be encrypted, but it usually is only digitally signed. Such a JWT guarantees integrity (it can’t be modified) but not confidentiality (the information is open to the public).

Structure

If you see a JWT, it usually is a long string of letters and numbers with occasional dots. You can decode such a token at one of the online tools, like jwt.io, and see its structure:

• header
• payload
• signature.

HS256

The header part of a JWT contains the algorithm used to sign a token. HS256 stands for HMAC with SHA-256.

HMAC (hash-based message authentication code) is a type of message authentication code involving a cryptographic hash function and a secret cryptographic key. HMAC is a symmetric algorithm that uses a shared secret for the generation and verification of signatures. HMAC can be used in combination with various hash functions. One of them is SHA-256.

JWT Cracking

Installation

You can install hashcat via a package manager available on your system or directly from binaries or sources.

Using a package manager on macOS:

brew install hashcat

Using a package manager on Ubuntu:

sudo apt-get install hashcat

Unfortunately, this way you will usually get an older version of hashcat. To install the newest version, download and install the latest binaries.

Vulnerable Token and Demo

To crack a JWT, we need a JWT, preferably a vulnerable JWT. I have prepared a vulnerable application available at demo.yonlabs.com. The demo is hosted in Oracle Cloud and you can use it any time you want, not only for password cracking but to exploit other vulnerabilities as well!

How to obtain a vulnerable token?

1. Register a new account at demo.yonlabs.com.
2. Log in to the application.
3. Use a developer tool in your browser to see application session storage and access a token.

In the Chrome browser, you open their developer tools via View > Developer > Developer Tool. Then you go to the Application tab, followed by opening the Session Storage:

Cracking

If you have the hashcat installed and if you have copied a vulnerable token, it’s time to start cracking.

The minimal number of options for hashcat is:

• attack mode: -a
• hash mode: -m

There are five main attack modes:

• dictionary attack (mode 0)
• combinator attack (mode 1)
• brute-force and mask-attack (mode 3)
• hybrid attack combining wordlists+masks (mode 6)
• hybrid attack combining masks+wordlists (mode 7).

There are literally hundreds of hash types supported by hashcat, starting from MD5 (hash mode 0) to SHA family to GOST family, and many more, including JWT (mode 16500).

The basic command to start cracking in a brute-force mode for JWT is:

hashcat -m 16500 -a 3 <your_token_here>

You should see a verbose output of hashcat looking like this:

In our case, hashcat should be able to find the secret fairly quickly. Though it may take a lot of time to crack hashes for other cases or even it may never end.

Once hashcat stops, it means your token has been cracked. hashcat does not display a found secret at once, it stores the found secret in a potfile. To display the found secret, you need to call hashcat as:

hashcat -m 16500 -a 3 <your_token_here> --show

Conclusion

You have just learned what hashcat is and how easily you can use it to crack a weak JWT.

In your applications, make sure you use a strong secret for your JWT tokens.

A key of the same size as the hash output (for instance, 256 bits for HS256) or larger MUST be used with this algorithm.

RFC7518

The recommended secret size for the HS family is at least the size of the hash output. So, for HS256 it means at least 256 bits (32 bytes).

This is just the tip of an iceberg when it comes to hashcat features! Stay tuned!

How did I start my hacker’s guide demos? When did it start? And how have I moved to Oracle Cloud?

Oracle Groundbreaker Ambassadors have expertise in modern development areas such as cloud, microservices, containers, Java, DevOps, continuous delivery, open-source technologies, and SQL/NoSQL databases. These professionals are contributors to open source projects, authors on contemporary development approaches, and speakers at top industry conferences such as DeveloperWeek, DevNexus, Devoxx, Oracle Code and Oracle Code One, QCon, and Velocity. Besides presenting, writing, or contributing to open source projects, Oracle Groundbreaker Ambassadors may also play a leadership role in user groups, answer questions in forums, and provide Oracle product management with feedback.

https://developer.oracle.com/ambassador/

I am truly honored to be recognized by such a reputable company that stands by my beloved Java, the famous Oracle Database, and the exciting Oracle Cloud.

I am even more excited because I am planning to explore Oracle Cloud in detail. The first step will be to move my security demos to a new, hopefully, very friendly, hosting environment!

Stay tuned!