JWT Authentication Bypass -> Weak Signing Key
JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information ("claims") about users as part of authentication, session handling, and access control mechanisms. If the server uses a weak secret key, an attacker can easily guess or brute-force it, which allows them to modify and re-sign the JWT.
Exploitation
This webapp uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This key can easily be brute-forced using a wordlist of common secrets. We are going to brute-force the website's secret key and use it to sign a modified session token that gives us access to the admin panel at /admin.
We will log in with the following credentials: wiener:peter.
We have logged in as wiener. We will refresh the page and intercept the request in Burp Suite.
We will copy the JWT session cookie and crack it with hashcat.
hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list
Great! We got the secret key: secret1. We are going to generate a JWT symmetric key using our secret key secret1 and then sign our modified token with our generated key.
Now that we have modified our JWT session token, we will try to access the admin interface.
Done!
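As an added example (not part of the original write-up or the lab), the following Python script implements HS256 signing and verification with the standard library, shows why a recovered secret such as secret1 lets anyone mint a token the server accepts, and includes a key-strength check a defender can run against their own configuration. The WEAK_SECRETS wordlist, the function names and the sample claims are constructed for this illustration; the 32-byte minimum comes from RFC 7518 section 3.2, which requires an HS256 key at least as long as the hash output.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

# RFC 7518 section 3.2: an HS256 key MUST be at least as long as the hash output (256 bits).
MIN_HS256_KEY_BYTES = 32

# Constructed sample of the kind of entries a common-secrets cracking wordlist holds.
WEAK_SECRETS = {b"secret", b"secret1", b"password", b"changeme", b"jwt_secret"}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) over `claims` with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if `token` carries a valid HS256 signature under `key`, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        presented = b64url_decode(s)
    except ValueError:  # bad structure, bad base64 (binascii.Error) or bad JSON all subclass ValueError
        return None
    # Pin the algorithm server-side: the token's own header must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return None
    return claims


def check_signing_key(key: bytes, wordlist=WEAK_SECRETS) -> List[str]:
    """Audit findings for a candidate HS256 secret; an empty list means nothing was flagged."""
    findings = []
    if len(key) < MIN_HS256_KEY_BYTES:
        findings.append(f"key is {len(key)} bytes, below the {MIN_HS256_KEY_BYTES}-byte minimum for HS256")
    if key in wordlist:
        findings.append("key appears in a common-secrets wordlist")
    return findings


def forgery_demo() -> dict:
    """Contrast the guessable secret from the write-up with a random 256-bit key."""
    weak_key = b"secret1"                  # the secret recovered in the write-up above
    strong_key = secrets.token_bytes(32)   # what the server should have been configured with

    # A token minted by anyone who knows the weak secret, carrying a privileged claim.
    forged = sign_hs256({"sub": "administrator"}, weak_key)

    return {
        "weak_key_accepts_forgery": verify_hs256(forged, weak_key) is not None,
        "strong_key_rejects_forgery": verify_hs256(forged, strong_key) is None,
        "weak_key_findings": check_signing_key(weak_key),
        "strong_key_findings": check_signing_key(strong_key),
    }


if __name__ == "__main__":
    for name, value in forgery_demo().items():
        print(f"{name}: {value}")
```

The point of check_signing_key is that a secret short enough or common enough to sit in a wordlist is reachable by exactly the hashcat run shown above; a 32-byte value from secrets.token_bytes is not, and verify_hs256 additionally refuses any token whose header names a different algorithm, so the verification path cannot be redirected by the token itself.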