👩🎓👨🎓 Learn about JSON Web Token (JWT) vulnerabilities. The server supports the jku (JWK Set URL) parameter in the JWT header. However, it fails to check whether the provided URL belongs to a trusted domain before fetching the key. To solve the lab, we'll forge a JWT that provides access to the admin panel, then delete the user carlos.
Overview:
0:00 Intro
0:13 Recap
0:37 JWT header parameter injections
1:30 Injecting self-signed JWTs via the jku parameter
2:20 URL parsing discrepancies (filter bypass)
3:41 Lab: JWT authentication bypass via jku header injection
4:39 Solution #1: python
7:13 Solution #2: burp suite
11:00 Solution #3: jwt_tool
12:47 Conclusion
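The check the description says the server is missing, sketched from the defender's side as an added example (not code from the video, the lab or PortSwigger): the `jku` value is parsed once and its scheme, host, port and path are matched exactly against an allowlist, so substring-style filters that URL parsing discrepancies defeat are never used. `TRUSTED_JWKS`, the `example.com` hosts and all function names are assumptions made for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumed allowlist: the exact JWK Set locations this verifier trusts,
# as (host, port, path). Placeholder values, not taken from the lab.
TRUSTED_JWKS = {("auth.example.com", 443, "/.well-known/jwks.json")}

def jku_is_trusted(jku) -> bool:
    """Exact-match a jku URL against TRUSTED_JWKS using its parsed components."""
    # Reject non-strings and characters that different URL parsers treat differently.
    if not isinstance(jku, str) or any(c in jku for c in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(jku)
        port = 443 if parts.port is None else parts.port  # .port raises if malformed
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Userinfo, query and fragment are where "contains the trusted host" checks fail.
    if parts.username is not None or parts.password is not None:
        return False
    if parts.query or parts.fragment:
        return False
    return ((parts.hostname or "").lower(), port, parts.path) in TRUSTED_JWKS

def b64url(obj) -> str:
    """Encode a dict as an unpadded base64url JWT segment (for constructed samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwks_url_for(token: str, default_jwks: str):
    """Return the JWK Set URL to verify with, or None if the token must be rejected."""
    segment = token.split(".")[0]
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        header = json.loads(raw)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict):
        return None
    if "jku" not in header:
        return default_jwks  # no header override: use the configured key set
    # The decision is made before any network fetch of the key set happens.
    return header["jku"] if jku_is_trusted(header["jku"]) else None
```

A verifier that never needs per-token key locations can go further and ignore `jku` entirely, always using its configured JWK Set.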
If you're struggling with the concepts covered in this lab, please review the Introduction to JWT Attacks video first.
For more information, check out https://portswigger.net/web-security/jwt
🔗 Portswigger challenge: https://portswigger.net/web-security/...
🎙️ This show is hosted by _cryptocat (@_CryptoCat) & intigriti
🐍 Python scripts demonstrated in this series can be found here: https://github.com/Crypto-Cat/CTF/tre...