JWT Authentication Bypass -> Unverified Signature
JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information (“claims”) about users as part of authentication, session handling, and access control mechanisms. If the server doesn’t verify the signature properly, there’s nothing to stop an attacker from making arbitrary changes to the rest of the token.
Exploitation
This webapp uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn’t verify the signature of any JWTs that it receives. We are going to modify our session token to gain access to the admin panel at /admin.
We will log in with the credentials wiener:peter.
We have logged in as wiener. We will refresh the page and intercept the request in Burp Suite.
Let's attempt to access the admin interface.
As you can see, we didn't have permission to access the admin interface. We need to log in as administrator.
We will decode the JWT.
Here, the value of sub was wiener, which was our username. Let's change it to administrator and leave the signature untouched.
As you can see, we were able to log in as administrator because the server didn't verify the signature.
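The flaw the lab demonstrates is a server that reads claims out of a JWT without checking the signature. The following is an added example (not the lab's own code) that reproduces both sides of it with only the Python standard library: a constructed HS256 token for wiener, a flawed decoder that trusts the payload as-is, and a hardened decoder that pins the algorithm and verifies the HMAC before any claim is used. The signing secret and claim names are assumptions chosen for the example; the forged token with sub changed to administrator is the test case that the verified path must reject.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for this example only; a real deployment
# keeps it out of source control and rotates it.
SECRET = b"example-signing-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256-signed JWT in compact serialization."""
    header = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The flawed pattern: read claims without checking the signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, secret: bytes = SECRET) -> dict:
    """Hardened pattern: pin the algorithm and verify before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the expected and presented signatures.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))


def tamper_sub(token: str, new_sub: str) -> str:
    """Test fixture: re-encode the payload with a different sub, keeping the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    new_payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


def is_admin_unverified(token: str) -> bool:
    """Authorization decision made on an unverified token (the lab's bug)."""
    return decode_unverified(token).get("sub") == "administrator"


def is_admin_verified(token: str) -> bool:
    """Authorization decision that only trusts a token whose signature checks out."""
    try:
        return decode_verified(token).get("sub") == "administrator"
    except ValueError:
        return False


if __name__ == "__main__":
    genuine = issue_token({"sub": "wiener"})
    forged = tamper_sub(genuine, "administrator")
    print("unverified decoder grants admin:", is_admin_unverified(forged))  # True
    print("verified decoder grants admin:  ", is_admin_verified(forged))    # False
```

Running the block shows the difference in one line each: the unverified decoder accepts the edited payload and grants access, while the verified decoder rejects it because the original HMAC no longer matches. The same structure applies to a real library such as PyJWT, where the equivalent mistake is decoding with verification disabled or without pinning the expected algorithm.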