-
Notifications
You must be signed in to change notification settings - Fork 0
JWT
Alnoman Kamil edited this page Oct 15, 2024
·
65 revisions
Apprentice lab:
JWT authentication bypass via unverified signature
Apprentice lab:
JWT authentication bypass via unverified signature
This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives.
To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter. - Notice in the requests the cookie is a JWT token.
- Try accessing
/admin, export (x4) the request. - Run
jwt_tool.Observe the decoded token values.jwt_tool.py -r request.txt
- Run the following.
jwt_tool.py -r request.txt -I -pc sub -pv administrator -v
- Go back to mitmproxy, observer the request that was sent using jwt_tool. Copy the cookie value and paste it to browser.
- Access
/adminpanel and delete Carlilto.
- Log in as
Caution
JWT uses Base64url, which is slightly different from Base64.
echo -n 'string' | base64 | tr '=/+' ' _-'
Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite
Server-side topics:
- SQL injection
- Authentication
- File path traversal
- OS command injection
- Business logic vulnerabilities
- Information disclosure
- Access control vulnerabilities
- File upload vulnerabilities
- Race conditions
- Server-side request forgery (SSRF)
- XML external entity (XXE) injection
- NoSQL injection
- API testing
Client-side topics:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Cross-origin resource sharing (CORS)
- Clickjacking
- DOM-based vulnerabilities
- WebSockets
Advanced topics: