22.2 Lab: JWT authentication bypass via flawed signature verification | 2023

This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs. To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos | Karthikeyan Nagaraj

Karthikeyan Nagaraj
2 min readNov 13, 2023

Description

This lab uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs.

To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

  1. Log in to your Account using wiener:peter
  2. Copy the Session Cookie using Cookie Editor
  3. Navigate to token.dev and paste the JWT cookie that you Copied
  4. Change the Header Values like as below
{
"type": "JWT",
"alg": "none"
}

5. Change the Value of sub from wiener to administrator and Copy the JWT String (Modified Cookie)

6. Go to Lab’s page →Click on Cookie Editor → Click on the Session cookie →Paste the string that we copied → Click Save

7. Refresh the Page, Now you will be able to see the admin Panel

8. Click on the Admin panel and click delete Carlos to Solve the Lab

If you would like to support me so that I can create more free content — https://www.buymeacoffee.com/cyberw1ng

Thank you for Reading!

Happy Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Telegram Channel for Ethical Hacking Dumps — https://t.me/ethicalhackingessentials

--

--

Karthikeyan Nagaraj

Entrepreneur | Writer | Cyber Security Consultant | AI Researcher