JWT Authentication Bypass via JWK Header Injection
JSON Web Tokens (JWTs) are a popular mechanism for securely transmitting information between parties as a JSON object. However, improper implementation or misconfiguration can lead to serious vulnerabilities. In this post, I’ll walk you through a lab where we exploit such a vulnerability to bypass JWT authentication via JWK header injection.
Lab Name: JWT Authentication Bypass via JWK Header Injection (Visit lab)
Objective: Modify and sign a JWT to gain unauthorized access to the admin panel and delete the user “carlos.”
In this lab, the server uses JWTs for session management and supports the jwk parameter in the JWT header. The flaw here is that the server doesn't verify whether the provided key comes from a trusted source. We'll exploit this vulnerability to gain administrative access.
Step 1: Logging in with Given Credentials
We start by logging in with the credentials wiener:peter. By capturing and analyzing the traffic in Burp Suite, we can inspect the JWT issued for our session.
Step 2: Analyzing the JWT
Using the JWT Editor extension in Burp Suite, we inspect the JWT to understand its structure. The token header shows the alg as RS256 and includes a kid value that the server uses to look up the key for verifying the signature.
Step 3: Attempting to Log in as Administrator
Next, we attempt to modify the JWT payload, changing the sub (subject) field to administrator. However, when we resend this token, the server rejects it and redirects us to the login page. This indicates that the server is validating the signature, so a simple payload modification isn't enough.
Step 4: Changing the Algorithm to None
We then try to bypass the signature check entirely by setting the alg field to none, which instructs the server to treat the JWT as unsigned. Unfortunately, this attempt also fails, as the server still doesn't accept the token.
Step 5: Generating a Custom RSA Key
Realizing that we'll need to forge a valid signature, we generate a new RSA key using the JWT Editor in Burp Suite. We create a JWK (JSON Web Key) with a unique kid and use this key to sign the token.
Step 6: Signing the JWT with the New Key
With our new RSA key, we modify the JWT header so that its kid matches the kid of our generated key, then use Attack > Embedded JWK in the JWT Editor: this places the public half of our key in the header's jwk parameter and signs the token with the matching private key. This time, when we resend the JWT, the server accepts it, and we successfully log in as the administrator.
Step 7: Completing the Lab
Finally, we perform the action required to solve the lab: sending a request to delete the user “carlos”. With our forged JWT, we successfully complete this action, and the lab is marked as solved.
Conclusion
This lab highlights the critical importance of proper JWT validation in web applications. Trusting unverified JWKs can open the door to severe vulnerabilities, allowing attackers to forge tokens and gain unauthorized access. Always ensure that JWT implementations are secure, with proper verification of keys and signatures.
If you found this guide helpful, feel free to share it and follow me for more cybersecurity content. Have any thoughts or questions? Leave a comment below!