Open in app

Sign in

Write

Sign in

22.6 Lab: JWT authentication bypass via kid header path traversal

This lab uses a JWT-based mechanism for handling sessions. In order to verify the signature, the server uses the kid parameter in JWT header to fetch the relevant key from its filesystem. To solve the lab, forge a JWT that gives you access to the admin panel at /a dmin, then delete the user carlos. You can log in to your own account using the following credentials: wiener:peter | Karthikeyan Nagaraj

Karthikeyan Nagaraj
2 min readMay 19, 2024

Description

This lab uses a JWT-based mechanism for handling sessions. In order to verify the signature, the server uses the kid parameter in JWT header to fetch the relevant key from its filesystem.

To solve the lab, forge a JWT that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Tip

We recommend familiarizing yourself with how to work with JWTs in Burp Suite before attempting this lab.

Solution

Generate a suitable signing key

  1. In Burp, load the JWT Editor extension from the BApp store.
  2. In the lab, log in to your own account and send the post-login GET /my-account request to Burp Repeater.
  3. Go to the JWT Editor Keys tab in Burp’s main tab bar.
  4. Click New Symmetric Key.
  5. In the dialog, click Generate to generate a new key in JWK format.
  6. Replace the value for the k with a Base64-encoded null byte (AA==). Click OK to save the key.

Modify and sign the JWT

  1. Go back to the GET /admin request in Burp Repeater and switch to the extension-generated JSON Web Token message editor tab.
  2. In the header of the JWT, change the value of the kid parameter to a path traversal sequence pointing to the /dev/null file:
    ../../../../../../../dev/null
  3. In the JWT payload, change the value of the sub claim to administrator.
  4. At the bottom of the tab, click Sign, then select the symmetric key that you generated in the previous section.
  5. Make sure that the Don’t modify header option is selected, then click OK.
  6. Send the /admin/delete?username=carlosrequest and observe that you have successfully deleted the user carlos.

A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups

Cyberw1ng

Learn Cyber Security and Create Awareness ~ cyberwing Stay tuned with me, Subscribe, and Like the Videos… Ask Doubts…

www.youtube.com

Telegram Channel for Free Ethical Hacking Dumps

Ethical Hacking Dumps — CEH, OSCP, Comptia

Materials and Books for Ethical Hacking Exams like CEH v12, OSCP, Comptia Pentest+, Comptia Security+, Comptia Network+…

t.me

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Cybersecurity
Careers
Hacking
Bug Bounty
Penetration Testing

--

--

Karthikeyan Nagaraj

Written by Karthikeyan Nagaraj

8.3K Followers

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams