JWT authentication bypass via weak signing key

https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key

Description

This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.

To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

Go to the login page and log in as the wiener user.

The JWT extension reveals that there is a JWT, obviously tied to the wiener user account.

Save the item into a file called 'jwt' to prepare the input for our brute-force attack.

Well done, 'secret1' is the result.

In the JSON Web Tokens tab, change the sub field to "administrator", select "Recalculate Signature" and enter "secret1" as the key.

After that, go back to the Pretty tab and change the id value to 'administrator': GET /my-account?id=administrator HTTP/2, and delete the signature of the session cookie (the last part):

Click Send first and then Follow redirection.

Now, we're authenticated as administrator!

Checking the response, the admin panel's path is /admin.

Analyzing the response, we see that the request to delete the user carlos is the following: GET /admin/delete?username=carlos HTTP/2

So, Send it and click Follow redirection to delete the user and complete the lab.
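As an added example (not part of the lab or of this writeup), the defender's side of this bypass: a stdlib-only HS256 verifier that pins the algorithm, plus a startup check that refuses a signing key short enough or common enough to fall to a wordlist. The COMMON_SECRETS set is a constructed stand-in for such a wordlist, and demo() shows that a token minted with 'secret1' only validates on a server still using that key.

```python
import base64, hashlib, hmac, json, secrets

MIN_HS256_KEY_BYTES = 32  # RFC 7518 s3.2: an HMAC key must be at least as long as the hash output
# Constructed stand-in for a common-secrets wordlist; "secret1" is the key this lab leaks.
COMMON_SECRETS = {"secret", "secret1", "password", "changeme"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_signing_key(key: bytes) -> None:
    """Startup check: refuse a key that a wordlist attack could recover."""
    if key.decode(errors="ignore") in COMMON_SECRETS:
        raise ValueError("HS256 key appears in a common-secrets wordlist")
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError(f"HS256 key is {len(key)} bytes; need at least {MIN_HS256_KEY_BYTES}")

def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes):
    """Return the payload dict if the signature is valid under `key`, else None. HS256 is pinned."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(body_b64))

def demo() -> tuple:
    weak_key, strong_key = b"secret1", secrets.token_bytes(32)
    try:
        check_signing_key(weak_key)
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    forged = sign_hs256({"sub": "administrator"}, weak_key)  # the token the lab has you craft
    return weak_rejected, verify_hs256(forged, weak_key), verify_hs256(forged, strong_key)
```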
