22.1 Lab: JWT authentication bypass via unverified signature | 2023
Karthikeyan Nagaraj · Nov 12, 2023
Description
This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives.
To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Solution 1 — Without Burp Suite
- Log in to your account using wiener:peter.
- Copy the session cookie using Cookie Editor.
- Navigate to token.dev and paste the JWT cookie that you copied.
- Change the value of the sub claim from wiener to administrator and copy the modified cookie.
- Back in the lab, replace the session cookie with the cookie we modified on token.dev and click Save in Cookie Editor.
- Refresh the page; you will now be able to see the admin panel.
- Click on the admin panel and click "delete carlos" to solve the lab.
Solution 2 — PortSwigger's solution using Burp Suite
- In the lab, log in to your own account.
- In Burp, go to the Proxy > HTTP history tab and look at the post-login GET /my-account request. Observe that your session cookie is a JWT.
- Double-click the payload part of the token to view its decoded JSON form in the Inspector panel. Notice that the sub claim contains your username. Send this request to Burp Repeater.
- In Burp Repeater, change the path to /admin and send the request. Observe that the admin panel is only accessible when logged in as the administrator user.
- Select the payload of the JWT again. In the Inspector panel, change the value of the sub claim from wiener to administrator, then click Apply changes.
- Send the request again. Observe that you have successfully accessed the admin panel.
- In the response, find the URL for deleting carlos (/admin/delete?username=carlos). Send the request to this endpoint to solve the lab.
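Both solutions work for the same reason: the server reads the sub claim out of the payload without recomputing the HMAC over header.payload. The following added example (not part of the lab or the original post) uses a constructed secret and the standard library only; it puts the lab's unverified decode next to a verifying one and shows that a token whose sub was edited while the old signature was kept is rejected only by the verifying version.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real server loads this from a secret store.
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def subject_unverified(token: str) -> str:
    """The lab's flaw: the payload is trusted and the signature never checked."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))["sub"]


def subject_verified(token: str, secret: bytes = SECRET) -> str:
    """Hardened: pin the algorithm, recompute the HMAC, compare in constant time."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick its own algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))["sub"]


def tampered_test_token(token: str, new_sub: str) -> str:
    """Test vector: rewrite sub but keep the original signature (what editing in token.dev yields)."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["sub"] = new_sub
    return f"{header}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


def demo() -> tuple:
    """Returns (what the flawed server sees, what the verifying server sees) for a tampered token."""
    forged = tampered_test_token(sign_hs256({"iss": "lab", "sub": "wiener"}), "administrator")
    try:
        verified = subject_verified(forged)
    except ValueError:
        verified = None  # tampered token rejected
    return subject_unverified(forged), verified
```

In production, use a maintained JWT library with the expected algorithm and key passed explicitly, and treat any claim as unauthenticated until the signature check has passed.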
Thank you for Reading!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng