# WEB17: JWT attacks

## Lab: JWT authentication bypass via unverified signature

```!
This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives.

To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter
```

Log in with the supplied account and the server returns a JWT

![](https://i.imgur.com/ssTEuD1.png)

Open it in Burp's JWT Editor and try changing the value of the `sub` claim to admin

![](https://i.imgur.com/XYfrqHT.png)

then replace the session cookie and access `/admin`

![](https://i.imgur.com/5dAvOEH.png)

-> Success

Finally, send the request to `/admin` and solve the lab

![](https://i.imgur.com/55sK9Pj.png)

## Lab: JWT authentication bypass via flawed signature verification

```!
This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs.

To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter
```

As in the previous lab, logging in gives us a JWT

![](https://i.imgur.com/GlTJwny.png)

Send it to JWT Editor, change `alg` to `none` and remove the signature part of the JWT (keeping the trailing `.`)

![](https://i.imgur.com/BIP2ehT.png)

Access `/admin` with the newly created JWT

![](https://i.imgur.com/E9GIXQc.png)

Delete the user carlos and solve the lab

![](https://i.imgur.com/lsO3wlb.png)

## Lab: JWT authentication bypass via weak signing key

```!
This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.

To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter
```

Logging in with the supplied account, we see that the token is signed with HS256

![](https://i.imgur.com/eSLJaBY.png)

Next, we use hashcat to crack the secret key with the wordlist [here](https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list).

![](https://i.imgur.com/pAD7kpD.png)

-> The secret key is `secret1`

Re-sign with jwt.io

![](https://i.imgur.com/SHsmNUJ.png)

Access `/admin` and delete the user carlos

![](https://i.imgur.com/r9j1pu1.png)

Solved

![](https://i.imgur.com/y73gaTk.png)

## Lab: JWT authentication bypass via jwk header injection

```!
This lab uses a JWT-based mechanism for handling sessions. The server supports the jwk parameter in the JWT header. This is sometimes used to embed the correct verification key directly in the token. However, it fails to check whether the provided key came from a trusted source.

To solve the lab, modify and sign a JWT that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter
```

In the JWT Editor Keys tab, choose New RSA Key and generate one

![](https://i.imgur.com/Pt3DuVz.png)

Then, in the JSON Web Token tab, choose Attack -> Embedded JWK to automatically inject the public key into the JWT header

![](https://i.imgur.com/hSdJsxx.png)

Copy the new JWT, then access the admin panel to delete the user carlos

![](https://i.imgur.com/5kv5bHu.png)

Solved

![](https://i.imgur.com/KMvOGS8.png)

## Lab: JWT authentication bypass via jku header injection

```!
This lab uses a JWT-based mechanism for handling sessions. The server supports the jku parameter in the JWT header. However, it fails to check whether the provided URL belongs to a trusted domain before fetching the key.

To solve the lab, forge a JWT that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter
```

In the JWT Editor Keys tab choose New RSA Key, then Copy Public Key as JWK

![](https://i.imgur.com/UijF6tp.png)

Set up the exploit server as follows:

![](https://i.imgur.com/sCJaSTv.png)

In the JSON Web Token tab, edit the values as follows

![](https://i.imgur.com/uNBXncu.png)

then choose Sign and OK

![](https://i.imgur.com/QYXW4HR.png)

Copy the generated token and resend it to `/admin` to delete the user carlos

![](https://i.imgur.com/WnKulSS.png)

## Lab: JWT authentication bypass via kid header path traversal

```!
This lab uses a JWT-based mechanism for handling sessions. In order to verify the signature, the server uses the kid parameter in JWT header to fetch the relevant key from its filesystem.

To solve the lab, forge a JWT that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter
```

Create a new Symmetric Key whose value is a null byte (`AA==` is the base64 encoding of a null byte)

![](https://i.imgur.com/xLVkJBl.png)

Then edit the values in the original JWT as follows

![](https://i.imgur.com/FSM2Rpc.png)

Then choose Sign and OK

![](https://i.imgur.com/1RkmlJ1.png)

Resend the request to `/admin` with the new JWT as the cookie

![](https://i.imgur.com/lXj8oG3.png)

Solved

![](https://i.imgur.com/sJSWP1J.png)

## Lab: JWT authentication bypass via algorithm confusion

```!
This lab uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks.

To solve the lab, first obtain the server's public key. This is exposed via a standard endpoint. Use this key to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter
```

Retrieve the public key

![](https://i.imgur.com/5E112I3.png)

Choose New RSA Key and paste the JWK into the dialog

![](https://i.imgur.com/wEF7gID.png)

then select PEM and copy this value

![](https://i.imgur.com/1QqVzaN.png)

Base64-encode it

![](https://i.imgur.com/tgiLSyb.png)

Choose New Symmetric Key and replace `k` with the value obtained in the previous step

![](https://i.imgur.com/tDobLJ9.png)

Edit the JWT header and payload, then Sign again

![](https://i.imgur.com/EWuvh6y.png)

![](https://i.imgur.com/jicR1Ol.png)

Solved

![](https://i.imgur.com/2i2oMcE.png)

## Lab: JWT authentication bypass via algorithm confusion with no exposed key

```!
This lab uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks.

To solve the lab, first obtain the server's public key. Use this key to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter
```

Log in and log out twice to obtain two JWTs, then use the rsa_sign2n tool to recover the public key

![](https://i.imgur.com/ZeknUaM.png)

We try both tampered JWTs and find that the first one is correct

![](https://i.imgur.com/ZAjBB1m.png)

![](https://i.imgur.com/rtGDSZd.png)

Base64-encode the PEM key

![](https://i.imgur.com/oQ9xc5q.png)

Create a new Symmetric Key

![](https://i.imgur.com/iD6aCvo.png)

Edit the JWT and Sign

![](https://i.imgur.com/wFafqV0.png)

Send the request to delete the user carlos

![](https://i.imgur.com/VdTVJLZ.png)

Solved

![](https://i.imgur.com/t987REC.png)

###### tags: `portswigger`
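Each lab above exploits a different verifier mistake: no signature check, `alg: none`, a guessable HS256 secret, trusting `jwk`/`jku` from the token, using `kid` as a file path, and RS256/HS256 confusion. As an added example that is not part of this writeup or of PortSwigger's lab code, here is a standard-library Python HS256 verifier that closes all of them; the key store, the `kid` value `k1` and the secret are constructed values.

```python
# Added example (not from the labs or Burp's JWT Editor): a minimal HS256 verifier
# that closes every hole the labs above exploit. Standard library only.
import base64, hashlib, hmac, json

EXPECTED_ALG = "HS256"  # pinned in server config, never taken from the token
# Constructed server-side key store, the only source of verification keys.
# Short secrets are refused up front, so a wordlist brute-force has nothing to find.
KEYS = {"k1": b"constructed-strong-secret-at-least-32-bytes-long!"}
assert all(len(k) >= 32 for k in KEYS.values()), "HS256 secret under 32 bytes"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(header, payload, key):
    """Mint a token; used here only to build sample inputs."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token):
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed token or empty signature")  # 'alg: none' tokens
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Algorithm is pinned server-side: 'none' and RS256-as-HS256 confusion stop here.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    # Keys embedded in (jwk) or fetched via (jku) the token are never trusted.
    if "jwk" in header or "jku" in header:
        raise ValueError("key-bearing headers not allowed")
    # kid is an opaque dictionary key, so a path like ../../dev/null just misses.
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def authenticate(token):
    """What a request handler calls: the subject on success, None on any failure."""
    try:
        return verify(token).get("sub")
    except (ValueError, TypeError, AttributeError):
        return None
```

The RSA-signed variants need the same shape: verify with `RS256` pinned and a public key loaded from server config, and never let the token's `alg` select which key type is used.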