Home JWT Authentication Bypass -> Algorithm Confusion
Post
Cancel

JWT Authentication Bypass -> Algorithm Confusion

JWT Authentication Bypass -> Algorithm Confusion

JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information (“claims”) about users as part of authentication, session handling, and access control mechanisms. If the server is insecurely configured to accept unsigned jwts, attacker can modify jwt token to elevate his privileges. Algorithm confusion attacks (also known as key confusion attacks) occur when an attacker is able to force the server to verify the signature of a JSON web token (JWT) using a different algorithm than is intended by the website’s developers.

Exploitation

This webapp uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks. We will first obtain the server’s public key. This is exposed via a standard endpoint and use this key to sign a modified session token that gives us access to the admin panel at /admin.

We will login with the following credentials wiener:peter.

jwt

jwt

We have logged in as wiener. We will refresh the page and intercept the request in burpsuite then visit this endpoint /jwks.json to retrieve public key of the server, which would be used to generate our symmetric key.

jwt

jwt

We will import jwk rsa key and retrieve the public key in .pem format, then encode the key in base64.

jwt

Now we will generate our symmetric key using the rsa public key as secret key.

jwt

Then modify and sign the token with the newly generated key, then forward the request to access admin interface.

jwt

jwt

jwt

We have accessed admin interface.

References

This post is licensed under CC BY 4.0 by the author.