search

labs

hashtag
Lab - 1: JWT authentication bypass via unverified signature (A)

  • This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives. To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter

  • the payload part of session is as follow:

{
  "iss": "portswigger",
  "sub": "wiener",
  "exp": 1665055299
}

  • change the "sub": "administrator" and send the request

  • user account will become admin

  • with this token, set GET request to this GET /admin/delete?username=carlos HTTP/1.1

hashtag
Lab - 2: JWT authentication bypass via flawed signature verification (A)

  • This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs. To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter

  • the original session cookie looks like this:

eyJraWQiOiJjZDMzZDE1OC01MDMwLTQ3ODgtOTI0NS0xODE5ZDUzMThmMDEiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY2NTA1NzAxMX0.CnOMEooDjAM8u_zF_f1lc3Q3cxm6K4wVTjR_x_G-i1Vu_icxWQmZ9como2XV0jMbYfh0ElFmBEMbB7wlOheD_tRRgX0jz-rEr3btt7W4KMpm92CbGUiWBiN_dUOp_bNIH40mRcUauseRQEKCEdQ_KQYks6TILpMXQiKzimrZygPla-rRK5E0Q3FfMCMRVisrpxf1nH2aP77BK0Ou1XqmU56rP8nm43sca7vJu4Y1LzHk5FypUkJei5P9KGtgaQQue9-a2HbERht7VAX4Wxe-BH6_fZ231je15259CndAXpP-svHz8wiZjkl-cQDaASBTNjJcqam9eESdrGyexbc1TA

  • after decoding header and payload parts,

  • change the "alg": "none" and "sub": "administrator" and delete the signature part but remember to leave the .

  • the session cookie looks like this:

  • the last dot is important

  • then enter as an admin and go on

hashtag
Lab - 3: JWT authentication bypass via weak signing key (P)

  • This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets. To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter

  1. Brute-Force with hashcat

  • login with wiener and get the session JWT token

  • try the previous steps and not working

  • use hashcat wordlist from https://github.com/wallarm/jwt-secrets

  • get secret1

  1. Generate a forged signing key

  • use Brup Decoder, base64 encode the secret1 => c2VjcmV0MQ==

  • in JWT Editor Keys tab > Add New Symmetric Key > Generate > substitue above value in "k" parameter

  1. Modify and sign the JWT

  • in Burp Repeater, use JSON Web Token extension

  • modify the "sub" parameter to "administrator"

  • Sign and select the key that was generated before

  • Select Don't modify header

  • Copy that JWT and GET request to /admin

hashtag
With jwt_tool

hashtag
Lab - 4: JWT authentication bypass via jwk header injection (P)

  • This lab uses a JWT-based mechanism for handling sessions. The server supports the jwk parameter in the JWT header. This is sometimes used to embed the correct verification key directly in the token. However, it fails to check whether the provided key came from a trusted source. To solve the lab, modify and sign a JWT that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter

  • login with wiener and get the session JWT token

  • try the previous steps and not working

  • JWT Editor Keys tab > New RSA Key > Generate >

  • in Burp Repeater, use JSON Web Token extension

  • change the payload to administrator

  • Attack > Embedded JWK > choose that was generated before in signing key > OK

  • copy the JWT and send with /admin request

hashtag
With jwt_tool

  • in ~/.jwt_tool/jwtconf.int, change the jwks_kid parameter to value from jwt

hashtag
Lab - 5: JWT authentication bypass via jku header injection (P)

  • This lab uses a JWT-based mechanism for handling sessions. The server supports the jku parameter in the JWT header. However, it fails to check whether the provided URL belongs to a trusted domain before fetching the key. To solve the lab, forge a JWT that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter

  • login with wiener account

  • send to Burp Repeater with one of the request that contains session JWT

  • JWT Editor Keys > New RSA Key > Generate

  • on the generated key (Right click) > Copy public key as RSA

  • then stored at the exploit server like this format :

  • modified the JWT like this

  • header -> the kid parameter from the previous key and jku parameter to the exploit server link

  • payload -> "sub" parameter to administrator

  • Sign > Signing Key to the previous generated key

  • Make sure Don't modify header checked

  • copy the token and send with this token

hashtag
With jwt_tool

  • in the exploit body , store the result from

  • change the kid value to original value

hashtag
Lab - 6: JWT authentication bypass via kid header path traversal (P)

  • This lab uses a JWT-based mechanism for handling sessions. In order to verify the signature, the server uses the kid parameter in JWT header to fetch the relevant key from its filesystem. To solve the lab, forge a JWT that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter

  • login with wiener account

  • send to Burp Repeater with one of the request that contains session JWT

  • JWT Editor Keys > New Symmetric Key > Generate > change the k parameter to AA== which is null byte

  • change the header as

  • change the payload as

  • sign to the previous generated token

  • copy the token

hashtag
With jwt_tool

hashtag
Lab - 7: JWT authentication bypass via algorithm confusion (E)

This lab uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks. To solve the lab, first obtain the server's public key. This is exposed via a standard endpoint. Use this key to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter

PreviousnotesNextOAuth Authentication

Last updated