JWT Authentication Bypass via kid Header Path Traversal

👩‍🎓👨‍🎓 Learn about JSON Web Token (JWT) vulnerabilities. To verify the signature, the server uses the 'kid' (key ID) parameter in the JWT header to fetch the relevant key from its filesystem. To solve the lab, we'll forge a JWT that provides access to the admin panel, then delete the user carlos.
Overview:
0:00 Intro
0:13 Recap
0:38 JWT header parameter injections
1:30 Injecting self-signed JWTs via the kid parameter
3:30 Other interesting JWT header parameters
5:02 Lab: JWT authentication bypass via kid header path traversal
6:11 Solution #1: python
7:32 Solution #2: burp suite
10:45 Solution #3: jwt_tool
13:39 How to prevent JWT attacks
14:22 Additional best practice for JWT handling
14:44 Conclusion
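
The description notes that the server fetches its verification key from the filesystem using the `kid` header. The following Python is an added example, not code from the video or the lab, contrasting an unchecked path join with a hardened lookup on the server side. The function names, the `.key` file suffix, the key directory layout and the permitted `kid` format are all assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: key IDs are short opaque tokens; anything else is rejected.
KID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")

def naive_key_path(key_dir, kid):
    """Vulnerable pattern: the header value is joined into a path unchecked."""
    return os.path.normpath(os.path.join(key_dir, kid))

def safe_key_path(key_dir, kid):
    """Return the key file for kid, or raise ValueError if kid is not acceptable."""
    if not isinstance(kid, str) or not KID_PATTERN.fullmatch(kid):
        raise ValueError("kid has unexpected format")
    base = os.path.realpath(key_dir)
    candidate = os.path.realpath(os.path.join(base, kid + ".key"))
    # Containment check after symlink resolution: the file must live in key_dir.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("kid resolves outside the key directory")
    if not os.path.isfile(candidate):
        raise ValueError("unknown kid")
    return candidate

def demo():
    """Run both resolvers over constructed kid values and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        key_dir = os.path.join(os.path.realpath(root), "keys")
        os.mkdir(key_dir)
        with open(os.path.join(key_dir, "key-2024.key"), "wb") as fh:
            fh.write(os.urandom(32))  # constructed sample key
        for kid in ["key-2024", "../../outside", "/abs/path", "missing"]:
            naive = naive_key_path(key_dir, kid)
            escaped = os.path.commonpath([key_dir, naive]) != key_dir
            try:
                safe_key_path(key_dir, kid)
                verdict = "accepted"
            except ValueError as exc:
                verdict = "rejected: " + str(exc)
            results[kid] = (escaped, verdict)
    return results

if __name__ == "__main__":
    for kid, (escaped, verdict) in demo().items():
        print(f"{kid!r}: naive escapes key dir={escaped}; hardened {verdict}")
```

A lookup table that maps known key IDs to keys held in memory or a key store removes the filesystem path from the decision entirely.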