Lab - 1: JWT authentication bypass via unverified signature (A)
This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives. To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter
The payload part of the session token is as follows:
Change the claim to
"sub": "administrator"
and send the request; since the server never checks the signature, the user account is treated as admin.
With this token, send a GET request to:
GET /admin/delete?username=carlos HTTP/1.1
Lab - 2: JWT authentication bypass via flawed signature verification (A)
This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs. To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter
The original session cookie looks like this:
After decoding the header and payload parts, change the header to
"alg": "none"
and the payload to
"sub": "administrator"
and delete the signature part, but remember to leave the trailing dot.
The session cookie now looks like this:
The last dot is important.
Then enter as admin and go on.
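Added example, not from the original notes or from PortSwigger: a minimal HS256 verifier that pins the algorithm server-side and checks the signature with a constant-time compare, which closes the flaws behind Lab 1 (signature never verified) and Lab 2 ("alg": "none" with the trailing dot). The secret and the token payloads are constructed for the example; the same pinning is also what removes the algorithm confusion of Lab 7.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hs256_token(header: bytes, payload: bytes, secret: bytes) -> str:
    # Mint a signed HS256 token; stands in for the server's own login handler
    signing_input = f"{b64url_encode(header)}.{b64url_encode(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only if the token is a correctly signed HS256 JWT. The
    algorithm is pinned here, never read from the header, so alg=none and edited payloads fail."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("algorithm is not the server's pinned HS256")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def outcome(token: str, secret: bytes) -> str:
    # "accepted:<sub>" when the verifier admits the token, otherwise "rejected"
    try:
        return "accepted:" + verify_hs256(token, secret)["sub"]
    except ValueError:
        return "rejected"

SECRET = b"constructed-demo-secret"  # constructed for this example, not a lab value
HS256_HDR = b'{"alg":"HS256","typ":"JWT"}'
NONE_HDR = b'{"alg":"none","typ":"JWT"}'
GENUINE = hs256_token(HS256_HDR, b'{"iss":"portswigger","sub":"wiener"}', SECRET)
ADMIN_BODY = b64url_encode(b'{"iss":"portswigger","sub":"administrator"}')
# Lab 1 case: payload edited to "sub": "administrator", original signature kept
TAMPERED = GENUINE.split(".")[0] + "." + ADMIN_BODY + "." + GENUINE.split(".")[2]
# Lab 2 case: "alg": "none" header, signature removed but the trailing dot kept
UNSIGNED = b64url_encode(NONE_HDR) + "." + ADMIN_BODY + "."
```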
Lab - 3: JWT authentication bypass via weak signing key (P)
This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets. To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter
Brute-force with hashcat
Log in with wiener and get the session JWT token.
Try the previous steps; they do not work here.
Use hashcat with the wordlist from https://github.com/wallarm/jwt-secrets
You get the secret:
secret1
Generate a forged signing key
In Burp Decoder, base64-encode the secret
secret1
=> c2VjcmV0MQ==
In the JWT Editor Keys tab > Add New Symmetric Key > Generate, substitute the above value in the "k" parameter.
Modify and sign the JWT
In Burp Repeater, use the JSON Web Token extension:
modify the "sub" parameter to "administrator"
Sign, and select the key that was generated before. Select
Don't modify header
Copy that JWT and send a GET request to
/admin
With jwt_tool
Lab - 4: JWT authentication bypass via jwk header injection (P)
This lab uses a JWT-based mechanism for handling sessions. The server supports the jwk parameter in the JWT header. This is sometimes used to embed the correct verification key directly in the token. However, it fails to check whether the provided key came from a trusted source. To solve the lab, modify and sign a JWT that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter
Log in with wiener and get the session JWT token.
Try the previous steps; they do not work here.
In the JWT Editor Keys tab > New RSA Key > Generate.
In Burp Repeater, use the JSON Web Token extension:
change the payload "sub" to administrator
Attack > Embedded JWK > choose the key that was generated before as the signing key > OK
Copy the JWT and send it with the /admin request.
With jwt_tool
In ~/.jwt_tool/jwtconf.ini, change the
jwks_kid
parameter to the kid value from the JWT.
Lab - 5: JWT authentication bypass via jku header injection (P)
This lab uses a JWT-based mechanism for handling sessions. The server supports the jku parameter in the JWT header. However, it fails to check whether the provided URL belongs to a trusted domain before fetching the key. To solve the lab, forge a JWT that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter
Log in with the wiener account and send one of the requests that contains the session JWT to Burp Repeater.
JWT Editor Keys > New RSA Key > Generate.
On the generated key (right click) > Copy public key as RSA,
then store it on the exploit server in this format:
Modify the JWT like this:
header -> set the kid parameter to the one from the previously generated key, and the jku parameter to the exploit server link
payload -> set the "sub" parameter to administrator
Sign > set Signing Key to the previously generated key. Make sure
Don't modify header
is checked. Copy the token and send the request with this token.
With jwt_tool
In the exploit body, store the result from
Change the
kid
value to the original value.
Lab - 6: JWT authentication bypass via kid header path traversal (P)
This lab uses a JWT-based mechanism for handling sessions. In order to verify the signature, the server uses the kid parameter in JWT header to fetch the relevant key from its filesystem. To solve the lab, forge a JWT that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter
Log in with the wiener account and send one of the requests that contains the session JWT to Burp Repeater.
JWT Editor Keys > New Symmetric Key > Generate > change the k parameter to
AA==
which is a null byte.
Change the header as:
Change the payload as:
Sign with the previously generated key.
Copy the token.
With jwt_tool
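Added example, not part of the original notes or of any Burp or jwt_tool code: the header-parameter policy a server needs against Labs 4, 5 and 6, rejecting an embedded jwk outright, allowlisting jku by exact scheme, host and path, and confining kid to a plain identifier that resolves inside the key directory. KEY_DIR, the allowlisted JWKS URL and the sample headers are assumed values constructed for the example.

```python
import os
import re
from urllib.parse import urlsplit

KEY_DIR = "/etc/app/jwt-keys"                       # assumed server key directory
KEY_ROOT = os.path.realpath(KEY_DIR)
KID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")    # assumed policy: plain identifiers only
TRUSTED_JKU = {("https", "keys.example.test", "/.well-known/jwks.json")}  # assumed allowlist

def check_header_params(header: dict) -> list:
    """Return the reasons this JWT header must be rejected (empty list = acceptable).
    Header parameters are attacker-controlled, so anything that steers key
    selection is compared with server-side policy before any key is loaded."""
    problems = []
    # Lab 4: a key carried inside the token can never be a trusted verification key
    if "jwk" in header:
        problems.append("embedded jwk is not accepted")
    # Lab 5: jku is honoured only if scheme, netloc and path match the allowlist exactly
    # (netloc includes userinfo and port, so neither can be used to spoof the host)
    if "jku" in header:
        u = urlsplit(str(header["jku"]))
        if (u.scheme, u.netloc.lower(), u.path) not in TRUSTED_JKU or u.query or u.fragment:
            problems.append(f"jku {header['jku']!r} is not an allowlisted JWKS URL")
    # Lab 6: kid becomes a file name, so it must be a bare identifier and its
    # resolved path must stay inside KEY_DIR (no separators, dots or control bytes)
    if "kid" in header:
        kid = str(header["kid"])
        if not KID_PATTERN.fullmatch(kid):
            problems.append(f"kid {kid!r} is not a plain key identifier")
        elif os.path.dirname(os.path.realpath(os.path.join(KEY_DIR, kid))) != KEY_ROOT:
            problems.append(f"kid {kid!r} resolves outside {KEY_DIR}")
    return problems

def audit(headers: dict) -> dict:
    # Map each sample header to its list of rejection reasons
    return {name: check_header_params(h) for name, h in headers.items()}

# Constructed sample headers in the shapes the labs manipulate (not lab values)
SAMPLE_HEADERS = {
    "genuine":  {"alg": "RS256", "kid": "key-2024"},
    "lab4_jwk": {"alg": "RS256", "jwk": {"kty": "RSA", "e": "AQAB", "n": "constructed"}},
    "lab5_jku": {"alg": "RS256", "jku": "https://exploit-server.test/exploit"},
    "lab6_kid": {"alg": "HS256", "kid": "../../../../tmp/not-a-key"},
}
```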
Lab - 7: JWT authentication bypass via algorithm confusion (E)
This lab uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks. To solve the lab, first obtain the server's public key. This is exposed via a standard endpoint. Use this key to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter