search
HomeGitHubPortfolio Twitter/X Medium Cont@ct

vialJWT authentication bypass via weak signing key

https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key

hashtag
Description

This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secretsarrow-up-right.

To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

hashtag
Solution

Go to login page and access as wiener user.

JWT extension reveal that there's a JWT token, obviously related to wiener user account

Save the item into a file called 'jwt' to prepare input for our brute force attack.

Well done, 'secret1' is the result.

Using JSON Web Tokens tab, modify the sub field inserting: "administrator", select "recalculate Signature" and insert there: "secret1"

after that, go again into Pretty tab and change the id value to 'administrator': GET /my-account?id=administrator HTTP/2 and delete the signature of the cookie session (the last part):

click first on the Send button and then on Following redirection button

Now, we're authenticated as administrator!

Checking the response the admin panel's path is: /admin

analyzing the response, we see that the request to delete the user Carlos is the following: GET /admin/delete?username=carlos HTTP/2

So, Send and click to Following redirection to delete it and complete the lab.

PreviousJWT authentication bypass via flawed signature verificationNextTo-Do

Last updated