Introduction how to Exploit JWT
Introduction
Authentication and authorization make developers overthink how to implement them correctly without any fear. Here frameworks come to the rescue: frameworks like OAuth and OpenID control both processes (authentication and authorization). In these frameworks you will find a new concept, the JWT, which is part of modern authentication frameworks and is used instead of cookies to keep track of the user session, since, as we know, HTTP is a stateless protocol.
JWT
JSON Web Token (JWT) is a standardized, validated and encrypted container format that is used to transfer information between parties.
The "container format" in the definition refers to the JWT structure: a JWT carries pieces of information that must be sent with each message. A JWT is a base64-encoded message consisting of three parts, Header, Payload and Signature, each separated by a dot ( . ).
Header: this part describes the cryptographic algorithm used with the JWT. It is encoded as JSON and then base64:
{ "typ": "JWT", "alg": "HS256" }
Payload: this part holds all the data of interest about the user. It is encoded as JSON and then base64:
{ "is_admin": "false", "username": "guest" }
Signature: this part is used to validate the JWT message sent by the client. The server validates it by calculating the HMAC of the header and payload with the secret key:
Sign = HMAC(Header + "." + Payload, secret_key)
{ "sign": "<base64>" }
Now that we have seen the JWT structure, let's see how all these parts are combined:
JWT = base64url(header) . base64url(payload) . base64url(Sign)
(where "." is a literal dot)
Serialization
The process of JWT serialization consists of encoding the header, payload and signature with base64url.
Note
Base64url is a variation of base64 that uses the URL-safe characters - and _ instead of + and / .
Deserialization
The process of JWT deserialization consists of decoding the header, payload and signature from base64url, extracting the algorithm from the message, calculating the signature and comparing it with the one found in the message. If they are equal, the decoded payload is passed on to fetch the resource.
Security vulnerabilities
As we know, a JWT token carries a signature that is calculated to prevent tampering. There are two ways to calculate the signature: the first uses a secret key (symmetric), the second uses a private key to create the signature and a public key to verify it (asymmetric). We are going to explore each type and its vulnerabilities.
Symmetric (secret key)
This type of signature is vulnerable to exposure of the secret key: when the JWT token must be sent to a third party, the third party must have a copy of the secret key. It also has a problem with key revocation: if you want to update the key, the secret key must be updated on every instance that uses it. You can recognize this type of signature by an HS value in the alg field of the header part.
The security vulnerability with this type of signature is that you could change the alg value in the header part to the none algorithm and leave out the signature:
{ "alg": "none", "typ": "JWT" }
Asymmetric(public & private key)
This type of signature fixes the two problems of the symmetric key: using a single key and sharing it, and key revocation. This is fixed by sharing the public key, so it does not matter whether a revocation happens or not, because JWT has different types of claims, as mentioned in RFC 7519, that are used to control key management. These claims are added in the header part: the x5u claim is intended to hold the public key in the format of an X.509 certificate, the jku claim is intended to hold a URL that points to a file containing the key in JSON format, and finally the jwk claim is designed to hold the public key inside the JWT so that every third party can verify the token with the public key.
You can recognize this type of signature by an RS value in the alg field of the header part.
This type of signature has a security vulnerability; to exploit it you must do these steps:
First, change RS to HS (RS256 → HS256).
Second, get the public key and use it to sign the token.
In RS (asymmetric), the private key is used to sign the token and the public key to verify it, but when we change it to HS (symmetric), the token is now verified using the public key as the secret key.
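As an added example (not code from the original post), here is a minimal Python issuer and verifier for the HS256 serialization described under Serialization and Deserialization above. The verifier pins the algorithm on the server side instead of reading it from the header, which is the single check that rejects both the "alg": "none" trick and the RS256 → HS256 swap described in this section; the secret key is a constructed value.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed key for this example only


def b64url_encode(data: bytes) -> str:
    # base64url: URL-safe alphabet ('-' and '_') with the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(payload: dict, key: bytes) -> str:
    # Serialization: base64url(header) . base64url(payload) . base64url(HMAC)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_verify(token: str, key: bytes) -> Optional[dict]:
    # Deserialization with the algorithm pinned server-side. Returns the
    # payload on success and None on any failure, so a caller can never
    # use a payload whose signature was not checked.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
        # The token does not get to choose the algorithm: refusing anything
        # but HS256 rejects "alg": "none" and an RS256->HS256 swap alike.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                            hashlib.sha256).digest()
        # Constant-time MAC comparison before the payload is trusted
        if not hmac.compare_digest(expected, sig):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
```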
Exploit JWT
You need:
1- A Python script to encode and decode JWT
2- Burp Suite
Change HS256 to none
In this scenario we have a login page that lets you log in as guest by clicking "login as guest". When you log in as guest, a JWT token is sent to you in the cookie header, but we want to log in as admin. Here comes the magic: decode the JWT, change alg to none and username to admin, and encode it again. In this scenario we use Burp Suite as a proxy and a Python script to decode, edit and re-encode the JWT.
2- Log in as guest
3- View the JWT token issued in the cookie header
4- Use the Python script to decode the JWT
5- Edit the JWT and encode it again
6- Send the JWT in the cookie header
7- Log in as admin
Soon there will be challenges combining JWT with SQLi, XXE, POI and command injection.
Thanks for reading.