JWT Exploit “KID” | Privilege Escalation | Ishara Abeythissa

Hello everyone, today we will look at another intriguing method of hacking JWT Tokens utilizing the (ab)using the kid claim and use it to obtain privilege escalation.

Introduction

Let me give you a quick overview of JWT.

A JWT Token is made up of three parts:

1. Header
2. Payload
3. Signature

Figure 01 — JWT Token

Header part generally consists of two parts: the kind of token, which is often JWT, and the signature technique used, which is typically HMAC SHA256 or RSA. The JSON is then Base64Url encoded to produce the first component of the JWT.

Payload will hold the majority of our JWT, also known as the JWT Claims. This is where we will store the data that we wish to send as well as additional information about our token.

Signature will be the third and last component of our JSON Web Token. This signature is composed of a hash of the following elements:

Exploitation

Figure 02 — Vulnerable Website

In this case, I enrolled as a regular user. name venom.

Figure 03 — Auth Cookie

As seen in Figure 03, the JWT token is initialized on the AUTH cookie.

Let’s decode JWT

Header — {“typ”:”JWT”,”alg”:”RS256",”kid”:”http://localhost:7070/privKey.key"}

Payload — {“username”:”venom”,”email”:”test@test.com”,”admin_cap”:0}

The “kid” (key ID) Header Element provides information about which key was being used to encode the JWS (JSON Web Signature).

Indicate admin capabilities attribute as 0 for this user in the payload section.

Since the attacker can modify the kid header parameter, attacker can mention any values in there.

However, the problem is that after changing the values, the signature would be invalid.

It has been confirmed via analysis, RSA 256 technique is used in the JWT signature.

{“typ”:”JWT”,”alg”:”RS256",”kid”:”http://localhost:7070/privKey.key"}

As seen in the header section, the kid value holds the private key route for the RSA 256 algorithm mechanism. What happens if we supply our own private key and adjust the JWT token?

As a following step, I’ll generate RSA private and public keys for use in the attack.

Figure 04 — Generating RSA Keys

As a further step, I’ll deploy a HTTP server to make keys available.

Figure 05 — Deploy HTTP Server

After, I have been created a simple python script for tamper JWT token with admin privileges.

Figure 06 — Python Script

Figure 06 shows how I changed the KID and admin cap settings to get admin rights. Utilizing our new private key script, we’ll be able to produce a legitimate new signature for changed data.

Let’s generate our golden ticket :)

Figure 07 — New JWT Token

Let us enter a token into BURP and see whether we have admin access.

Figure 08 — Provide New Token to Burp

Figure 09 -Admin Panel

As shown in the upper right corner, the Admin Panel choices have been activated.

I hope you enjoyed it.

Please give us a thumbs up and stay tuned for future stories.