In this video walk-through, we covered JSON Web Tokens and its associated vulnerabilities. In JWT, the signature can be changed or the header to bypass authentication controls. This video is part of ZTH: Obscure Web Vulns room from TryHackMe.

Json Web Token’s are a fairly interesting case, as it isn’t a vulnerability itself. Infact, it’s a fairly popular, and if done right very secure method of authentication. The basic structure of a JWT is this, it goes “header.payload.secret”, the secret is only known to the server, and is used to make sure that data wasn’t changed along the way. Everything is then base64 encoded. so an example JWT token would look like "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

Meaning that if we are able to control the secret, we can effectively control the data. To be able to do this we have to understand how the secret is calculated. This requires knowing the structure of the header, a typical JWT header looks like this {“typ”:”JWT”,”alg”:”RS256″}. We’re interested in the alg field. RS256 uses a private RSA key that’s only available to the server, so that’s not vulnerable. However, We can change that field to HS256, This is calculated using the server’s publique key, which in certain circumstances we may have access too.

Obtenir les notes du certificat OSCP


Qu'est-ce que le drapeau ?

Vidéo pas à pas

A propos de l'Auteur

Je crée des notes de cybersécurité, des notes de marketing numérique et des cours en ligne. Je fournis également des conseils en marketing numérique, y compris, mais sans s'y limiter, le référencement, les publicités Google et Meta et l'administration CRM.

Voir les Articles