JWT Authentication Bypass -> None Algorithm
JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information (“claims”) about users as part of authentication, session handling, and access control mechanisms. If the server is insecurely configured to accept unsigned jwts, attacker can modify jwt token to elevate his privileges.
Exploitation
This webapp uses a JWT-based mechanism for handling sessions. The server is insecurely configured to accept unsigned JWTs. We are going to modify our session token to gain access to the admin panel at /admin.
We will login with the following credentials wiener:peter.
We have logged in as wiener. We will refresh the page and intercept the request in burpsuite.
.
We will modify the value of alg to none, sub to Administrator and then delete the signature. alg is a header that tells the server which algorithm to use, in this case we use none which means no algorithm was used to sign the token and so no algorithm will be used to verify it, therefore, it tells the server to skip the verification of the token.
We have accessed admin interface.