How to tamper with JWT to achieve account hijacking

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about how a JWT can be tampered with to hijack an account. The following walkthrough explains it in detail; readers with this need are welcome to follow along, and I hope you gain something from it.

JSON Web Token (JWT), defined in RFC 7519, is a compact, self-contained way of transmitting claims as JSON between parties, which makes it a common choice for single sign-on (SSO) across the sites of a distributed system. The claims a JWT carries are trusted by the server only because the token is signed: either with a symmetric HMAC (HMAC-SHA256, "HS256", is the usual default) or with an asymmetric algorithm such as RSA or ECDSA. Note that an HMAC is a message authentication code rather than a true digital signature: anyone holding the shared secret can mint a valid token, so that secret must never reach the client.

The structure of JWT

A JWT consists of three parts, separated by dots:

Header: the signing algorithm ("alg") and token type ("typ")

Payload: the claims, such as a user id, e-mail address, creation time or expiry

Signature: the HMAC or signature computed over the encoded header and payload

The style is:

xxxxx.yyyyy.zzzzz

The header and payload are only base64url-encoded JSON, not encrypted, so anyone holding a token can read and rewrite them. Only the signature ties the two halves to the issuing server, which is exactly why a server that does not verify it, or that lets the client produce it, is exposed.

Email address verification without the confirmation link

Here is the loophole I found. By using the target system's invitation feature and modifying the JWT carried in the resulting link, a user's e-mail address and identity can be verified without ever clicking the confirmation link. Suppose I own the mailbox attacker@attacker.com and send an invitation to that address from the target website's invite function. After logging in to attacker@attacker.com, I find a confirmation link in the inbox that carries the JWT as part of the URL. The Burp response for this request looked like this (screenshot not reproduced here):

The confirmation link that arrived in my inbox, with the JWT embedded in the URL, was as follows:

The string after the link is the JWT. Decoding it on https://jwt.io/ gives the following result:

At this point, the first thing that came to mind was to use the same invitation feature to invite admin@company.com, the mailbox of the target website's administrator. After doing so, the response message in Burp was as follows:

I then received another URL carrying a JWT in my inbox. Using the jwt.io decode/encode view, I changed the invitee e-mail from my own attacker@attacker.com to admin@company.com, changed the id to the admin's ID, and adjusted the timestamp ("created date": "xxxxxxxx") to produce a new JWT. With this token I could confirm the identity of that user and reset the password of the company administrator account behind admin@company.com.

Because the same JWT-based credential is accepted by the SSO endpoints of the company's other business sites (business support, for example), the hijacked identity extends to those sites as well.

Resetting other users' passwords

Because this method requires knowing the victim's user ID, it does not work against arbitrary users and is harder to exploit in practice, but the vulnerability can at least be verified with two self-registered accounts. Register a test user with a second mailbox (call it Victim); its account page shows the user id jyAzV7KhT. Then, from attacker@attacker.com, request a password reset and collect the reset link carrying a JWT from that inbox:

Decode the JWT (not "decrypt": the header and payload are only base64url-encoded) in the https://jwt.io/ decoder, read the three parts in the Decoded pane on the right, and change the id to the Victim account's id, jyAzV7KhT. This yields a password reset JWT for the Victim account. Substituting it into the reset URL above lets me change the Victim account's password.

Cause of the loophole

The server accepted a JWT whose payload had been rewritten by the client. That is only possible when the token is not actually bound to a secret the server alone holds: here the target website generated the JWT on the client side, so the client could produce a token the server treated as genuine; the same outcome occurs whenever a server decodes the payload without verifying the signature. The safe approach is to generate the JWT on the server, sign it with a secret that never leaves the server, verify that signature (with the expected algorithm pinned, not taken from the token's header) before trusting any claim such as id or email, and keep confirmation and reset tokens short-lived and single-use.
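The following script is an added example, not code from the article or from the target website. It uses only the Python standard library to mint an HS256 token the way a server should, decode its three dot-separated segments the way jwt.io does, replay the tampering step from the invitation and reset sections (rewriting id and email in the payload and re-encoding), and then feed the result to a handler that trusts the payload blindly and to one that verifies the HMAC first. The secret, the attacker's user id, the claim names (id, email, purpose, exp) and the handler functions are all assumptions for illustration; the victim id jyAzV7KhT is the one quoted above.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed for this example: the real site's secret and id scheme are unknown.
SERVER_SECRET = b"demo-secret-do-not-use"
USERS = {
    "attacker@attacker.com": "x1Yq9LmNp",   # assumed attacker user id
    "victim@example.com": "jyAzV7KhT",      # victim id quoted in the article
}


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as the JWS spec requires for each segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(signing_input: bytes, secret: bytes) -> str:
    """HS256 = HMAC-SHA256 over 'header.payload', base64url-encoded."""
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def mint_token(claims: dict, secret: bytes) -> str:
    """Server side: build header.payload and MAC it with a secret the client never sees."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{sign_hs256(f'{header}.{payload}'.encode('ascii'), secret)}"


def decode_unverified(token: str) -> Tuple[dict, dict, str]:
    """The jwt.io 'Decoded' pane: split on '.', base64url-decode header and payload, keep the signature as-is."""
    header, payload, signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)), signature


def tamper(token: str, **new_claims) -> str:
    """Attacker step from the article: rewrite claims in the payload and re-encode.
    Without the secret no valid signature can be produced, so the original one is reused."""
    header, payload, signature = decode_unverified(token)
    payload.update(new_claims)
    header_seg = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_seg = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_seg}.{payload_seg}.{signature}"


def reset_password_vulnerable(token: str) -> str:
    """Vulnerable handler: whatever id the payload names is the account that gets reset."""
    _, claims, _ = decode_unverified(token)
    return claims["id"]


def reset_password_fixed(token: str, secret: bytes, now: float) -> Optional[str]:
    """Fixed handler: pin the algorithm, recompute the HMAC over header.payload,
    compare in constant time, then check expiry, and only then trust the id claim."""
    try:
        header_seg, payload_seg, signature = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_seg))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = sign_hs256(f"{header_seg}.{payload_seg}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(b64url_decode(payload_seg))
    if claims.get("exp", 0) < now:
        return None
    return claims["id"]


def demo() -> dict:
    """Mint a legitimate reset token for the attacker, forge it for the victim, run both handlers."""
    now = 1_700_000_000  # fixed clock so the run is reproducible
    legit = mint_token({"id": USERS["attacker@attacker.com"], "email": "attacker@attacker.com",
                        "purpose": "password_reset", "exp": now + 900}, SERVER_SECRET)
    forged = tamper(legit, id=USERS["victim@example.com"], email="victim@example.com")
    return {
        "vulnerable_accepts_forged": reset_password_vulnerable(forged),   # 'jyAzV7KhT': victim hijacked
        "fixed_legit": reset_password_fixed(legit, SERVER_SECRET, now),    # attacker's own id
        "fixed_forged": reset_password_fixed(forged, SERVER_SECRET, now),  # None: bad signature
        "fixed_expired": reset_password_fixed(legit, SERVER_SECRET, now + 1000),  # None: expired
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The forged token is byte-for-byte what the jwt.io edit in the reset section produces when the attacker does not know the secret: a fresh payload glued to a stale signature. The vulnerable handler never looks at that signature and resets the victim's account; the fixed handler recomputes the MAC and refuses. Pinning "alg" before verifying matters because a verifier that reads the algorithm from the header lets the attacker pick one the server did not intend.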
