In this post, we are going to solve the lab “JWT authentication bypass via weak signing key”:

The first thing to do is start the lab:

Once we start it, we go to “My account” and log in with the credentials provided in the description:



Once we have logged in, whether with Burp Suite, developer tools, or in this case, the Cookie Editor extension, we can see that a JWT has been assigned to us:

We can decode it on JWT.io:

Looking at the decoded token, the signing algorithm is HMAC, specifically HS256. This means the signature is both produced and verified with a single shared secret key: whoever knows the key can mint valid tokens.
What makes this interesting is that the signature behaves like a password hash: we can try to crack the “secret” used to sign the JWT offline, with no further requests to the server. If we recover it, we will be able to edit the token’s claims and re-sign it so that the server accepts it as valid.
To perform the brute force attack, we can use the jwtear tool:
jwtear bruteforce -t <JWT> -l <dictionary>

In this case, the server used the word “secret1” to sign the JWT tokens. Now that we know the word used to sign the tokens, we can try to edit a JWT to our benefit and sign it using “secret1”:


We have changed the user from “wiener” to “administrator” so that, if the signature is accepted and an “administrator” user exists, we log in as that user.
If we now replace our JWT with the JWT we just generated and refresh:


We become an administrator :), all because of a weak “secret” used for the JWT signature.
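To make the mechanics concrete from the defender’s side, here is an added example (not code from the original post or from the lab) that implements HS256 signing and verification with the standard library, shows that a tampered payload is rejected while a token re-signed with a recovered secret is accepted, and adds the two checks a token issuer should run: an audit that flags tokens verifiable under known-weak secrets, and a minimum key length of 256 bits as RFC 7518 requires for HS256. The wordlist and claims are constructed for the example; only the value “secret1” comes from the write-up above.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed wordlist for the audit: "secret1" is the lab's key from the write-up,
# the other entries are made up for this example.
KNOWN_WEAK_SECRETS = ["password", "secret", "secret1", "changeme", "jwtsecret"]
MIN_HS256_KEY_BYTES = 32  # RFC 7518 s3.2: HS256 keys must be at least 256 bits


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWTs strip the '=' padding; add it back before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature for alg=HS256 over a compact JSON encoding."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes):
    """Return the payload dict if the signature is valid for `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must never choose it (rejects alg=none etc.)
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking signature bytes through timing
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def audit_weak_secret(token: str, wordlist=KNOWN_WEAK_SECRETS):
    """Defensive audit: return the weak secret one of our own tokens verifies under, or None."""
    for candidate in wordlist:
        if verify_hs256(token, candidate.encode()) is not None:
            return candidate
    return None


def key_is_strong_enough(secret: bytes) -> bool:
    """Enforce the RFC 7518 minimum; a dictionary word like 'secret1' fails this."""
    return len(secret) >= MIN_HS256_KEY_BYTES


def generate_hs256_key() -> bytes:
    """Random 256-bit key: the fix for the weakness this lab exploits."""
    return secrets.token_bytes(MIN_HS256_KEY_BYTES)


if __name__ == "__main__":
    weak_token = sign_hs256({"sub": "wiener"}, b"secret1")
    print("weak secret found by audit:", audit_weak_secret(weak_token))
    print("key 'secret1' long enough:", key_is_strong_enough(b"secret1"))
    strong_token = sign_hs256({"sub": "wiener"}, generate_hs256_key())
    print("audit on strong-key token:", audit_weak_secret(strong_token))
```

The audit only works for tokens your own service issued, but that is exactly where it belongs: run it in CI against a freshly minted token, and fail the build if `audit_weak_secret` returns anything or `key_is_strong_enough` is false for the configured signing key.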
Now, to complete the lab, we simply go to the administration panel and delete the “carlos” user:



This way, the lab is now completed:

JWTear is not the only tool that can be used for JWT brute-force attacks; with a little searching we can find plenty of others:

We can also find dictionaries for brute force attacks:

SecLists also has a dictionary:
