Exploiting JSON Web Tokens

-
JSON Web Tokens (JWT) are used primarily for authentication. When a user logs into a website successfully, the user is assigned a JWT in a cookie. These tokens offer users security mechanisms such as encryption and a signature. Additionally, JWT's follow the pattern of Base64(Header).Base64(Data).Base64(Signature). When headers are unsigned, attackers can manipulate it by changing the algorithm that is used in the signature of the JWT. In order to sign a header, the header itself needs to verify the signature and in turn, the signature needs to verify the header.
"JWTs generally have three parts: a header, a payload, and a signature. The header identifies which algorithm is used to generate the signature, and looks something like this:
header = '{"alg":"HS256","typ":"JWT"}'
HS256 indicates that this token is signed using HMAC-SHA256.
The payload contains the claims that we wish to make:
payload = '{"loggedInAs":"admin","iat":1422779638}'
As suggested in the JWT spec, we include a timestamp called iat, short for "issued at".
The signature is calculated by base64url encoding the header and payload and concatenating them with a period as a separator:
key = 'secretkey'
unsignedToken = encodeBase64(header) + '.' + encodeBase64(payload)
signature = HMAC-SHA256(key, unsignedToken)
To put it all together, we base64url encode the signature, and join together the three parts using periods:
token = encodeBase64(header) + '.' + encodeBase64(payload) + '.' + encodeBase64(signature)
# token is now:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh" (McLean, 2015).
There are a handful of signature methods that can be utilized to ensure the integrity of the JSON web tokens. These include:
  • RSA based
  • Elliptic curves
  • HMAC
  • None
More from Tim McLean:
“The none algorithm is a curious addition to JWT. It is intended to be used for situations where the integrity of the token has already been verified. Interestingly enough, it is one of only two algorithms that are mandatory to implement (the other being HS256).
Unfortunately, some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. The result? Anyone can create their own "signed" tokens with whatever payload they want, allowing arbitrary account access on some systems.
Putting together such a token is easy. Modify the above example header to contain "alg": "none" instead of HS256. Make any desired changes to the payload. Use an empty signature (i.e. signature = "").
Most (hopefully all?) implementations now have a basic check to prevent this attack: if a secret key was provided, then token verification will fail for tokens using the none algorithm. This is a good idea, but it doesn't solve the underlying problem: attackers control the choice of algorithm.”
To exploit this vulnerability, I will use a lab from PentesterLab (http://pentesterlab.com) that provided a vulnerable web application. Additionally, I used Kali Linux (see version below), and Burp Suite. The steps followed for this exploit are below. Lastly, the FoxyProxy Mozilla Firefox web extension was used to route all traffic through the Burp Suite proxy (https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/)


Step One: Register as a new user


Step 2: Configure Burp Suite and FoxyProxy to listen on port 8181


Step 3: Refresh the browser to collect all of the HTTP traffic. Once collected, send the JSON web token to the repeater. (For this exercise, it is not necessary to have the interceptor enabled).


Step 4: Send the request and confirm you are logged in
Add caption
Step 5: Send the JWT to the decoder


Step 7: Decode the header to Base64

Step 8: Decode the data to Base64. Add an = sign at the end of the data and decode as Base64. As you can see, I am currently logged in as “testing”

Step 9: Change the algorithm from “HS256” to “None” and the login from “testing” to admin.


Step 10: Highlight the header and encode as Base64.


Step 11: Highlight the data and encode as Base64.

Step 12: Delete the signature portion of the re-encoded payload. Leave the trailing decimal point.

Step 13: Copy the new payload and replace the JWT in the repeater with the new one

Step 13: Click Go

Comments

Post a Comment

Popular posts from this blog

Master Port List

-
TCP  0  Reserved TCP  1  Port Service Multiplexer TCP  2  Management Utility TCP  3  Compression Process TCP  4  Unassigned TCP  5  Remote Job Entry TCP  6  Unassigned TCP  7  Echo TCP  8  Unassigned TCP  9  Discard TCP  10  Unassigned TCP  11  Active Users TCP  12  Unassigned TCP  13  Daytime (RFC 867) TCP  14  Unassigned TCP  15  Unassigned [was netstat] TCP  16  Unassigned TCP  17  Quote of the Day TCP  18  Message Send Protocol TCP  19  Character Generator TCP  20  File Transfer [Default Data] TCP  21  File Transfer [Control] TCP  22  SSH Remote Login Protocol TCP  23  Telnet TCP  24  any private mail system TCP  25  Simple Mail Transfer TCP  26  Unassigned TCP  27  NSW User System FE TCP  28  Unas...
Read more

Reflected Cross Site Scripting (XSS) Attacks

-
Image
According to the Open Web Application Security Project's (OWASP) Top 10 list for 2017, cross site scripting (XSS) is a major security concern ( https://www.owasp.org/index.php/Top_10_2017-Top_10 ).  OWASP defines XSS as flaws that "occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites ( https://www.owasp.org/index.php/Top_10_2017-Top_10 ). Essentially, XSS allows an attacker to inject JavaScript code into a page. JavaScript is a client-side scripting language. With XSS, the JavaScript code is executed when the page loads and is executed on the client machine not the server. There are three types of XSS attacks: Stored XSS Attacks - These types of attacks are als...
Read more

Installing and Configuring WebGoat

-
Image
After doing some research, I found WebGoat. WebGoat is a deliberately insecure web application developed by the Open Web Application Security Project (OWASP) and was developed to teach users how to learn web application penetration testing. More information on OWASP can be found at https://www.owasp.org . To install WebGoat, the following is needed: Linux (for my purposes, I am using Kali Linux) https://www.kali.org/downloads/   Apache Tomcat http://tomcat.apache.org/ WebGoat https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0-SNAPSHOT-war-exec.jar Java https://www.java.com/en/download/help/linux_x64_install.xml It is important to note that many Linux systems come preconfigured with Java out of the box. An easy way to find out is by running the simple command java -version The architecture of WebGoat is very simple. The diagram below shows exactly what is required (other than the Java dependency). Steps to Installing and Configuring WebGoat ...
Read more