22.3 Lab: JWT authentication bypass via weak signing key

This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets. To solve the lab, first brute-force the website’s secret key. Once you’ve obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos | Karthikeyan Nagaraj

Karthikeyan Nagaraj
Infosec Matrix
2 min readMay 17, 2024

--

Description

This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.

To solve the lab, first brute-force the website’s secret key. Once you’ve obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Tip

We recommend familiarizing yourself with how to work with JWTs in Burp Suite before attempting this lab.

We also recommend using hashcat to brute-force the secret key. For details on how to do this, see Brute forcing secret keys using hashcat.

Solution

Part 1 — Brute-force the secret key

  1. Turn on Proxy on the browser and turn off the Intercept in Burp and move to http history.
  2. Log in to your account.
  3. Send the GET /my-account?id=wiener request to the repeater.
  4. Copy the JWT session cookie, open a terminal, and paste the following command which incorporates hashcat to crack the secret key.
    hashcat -a 0 -m 16500 “JWT_COOKIE” /usr/share/seclists/Passwords/scraped-JWT-secrets.txt
  5. If everything works correctly, this should reveal that the weak secret is secret1.

Part 2— Modify and sign the JWT

  1. Go to https://jwt.io and paste the JWT cookie that we copied from the repeater.
  2. In the Payload box, change the value of the sub from wiener to administrator
  3. In the Verify-Signature box, paste the key secret1 or any other key that you cracked from hashcat in “your-256-bit-secret”.
  4. Now, copy the final JWT cookie on the left and go to the repeater.
  5. Change the path to /admin/delete?username=carlos and replace the JWT cookie with the one that we copied from jwt.io
  6. Send the request and the Lab will be solved.

--

--

Infosec Matrix
Infosec Matrix

Published in Infosec Matrix

Collection of Best Writeups for HackTheBox, Portswigger, Bug Bounty, TryHackme, OverTheWire, PwnCollege, PicoCTF, and More.

Karthikeyan Nagaraj
Karthikeyan Nagaraj

Written by Karthikeyan Nagaraj

Entrepreneur | Writer | Cyber Security Consultant | AI Researcher