JWT Auth Gone Wild: The Unexpected Twist!


ProwlSec

Hey everyone, after a long time I am back with another bug hunting writeup. This time the bug severity is low, but I always try to escalate its impact. First, let's talk about the low-severity bug, which is based on JWT.

What is JWT?

So, JWT (JSON Web Token) is an open standard (RFC 7519) used to securely transmit information between parties as a JSON object. It is compact, URL-safe, and provides a way to verify the integrity and authenticity of the data.

It consists of three parts:

Header, Payload and Signature

I am not going into detail about it here; you can always learn about JWT on the internet. Let's dive into the bug real quick.

While testing I found a button that deletes a user's account. When I clicked it and intercepted the request, I found that the request carried a JWT to authorize the user. If I replace that JWT with another user's JWT, the request deletes that other user's account.

Steps of Reproduction:

1. The attacker creates an account and logs in. In the profile section he sees a Delete Account button
The delete account button is available

2. The attacker clicks Delete Account, captures the request, and starts playing with it

The request of the account deletion

3. Now the attacker replaces the JWT in the Authorization header with the victim's JWT

This is the victim's JWT

4. The response returns 200, which means the victim's account is deleted, as can be seen below

Victim account deletion confirmed

5. After entering a valid set of credentials, the victim is not able to log in because the account has been deleted

Account deleted, so the victim is not able to log in

And bingo! When this happened I was like

I submitted this bug and got a reply after a week stating that the submission was confirmed. However, it was rated low severity because it is not directly possible to obtain the victim's JWT, let alone the one used for the deletion request.

The company’s response
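One way a defender limits what a replayed or stolen session JWT can do on a destructive endpoint like this one, as an added example that is not the post's or the target's code (the secret, claim names and subjects are all constructed): the delete handler verifies the JWT itself and then also demands a short-lived token bound to the same subject and to the single purpose "delete_account", which is only minted after the user re-enters their password.

```python
# Added example, not from the post: HS256 JWT verification plus a purpose-bound
# step-up token check for a destructive account-deletion endpoint.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # placeholder; a real key comes from config

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Issue an HS256 JWT: header.payload.signature, base64url without padding."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, now=None):
    """Return the claims dict if signature and expiry hold, else None.
    The alg in the header is ignored on purpose: only HS256 is ever accepted."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

def delete_account(session_jwt: str, step_up_jwt: str, now=None):
    """A session JWT alone, even a stolen one, cannot delete an account here: the
    caller must also present a short-lived token minted only after the user
    re-entered their password, bound to the same subject and to this one purpose."""
    session = verify(session_jwt, now)
    sub = session.get("sub") if session else None
    if not sub:
        return 401, "invalid or expired session"
    step_up = verify(step_up_jwt, now)
    if (step_up is None or step_up.get("purpose") != "delete_account"
            or step_up.get("sub") != sub):
        return 403, "re-authentication required"
    return 200, f"account {sub} deleted"
```

With this check in place, swapping in another user's session JWT, as in the writeup, gets a 403 unless the attacker also holds that user's freshly minted step-up token.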

That's it for today, I hope you liked it. If yes, then do support me and follow me for more stuff.

Follow for more:

LinkedIn: https://www.linkedin.com/in/akash-suman-7b95572a1/

Twitter: https://x.com/ProwlSec

YouTube: https://www.youtube.com/@ProwlSec

Instagram: https://www.instagram.com/ProwlSec

Thanks for reading!!!!
