JWT Authentication Bypass leads to Admin Control Panel

🍪From a simple cookie it became a benchmark and then an Accont takeover 😈

➡️For legal reasons, I will not reveal the website or the Bug Bounty program.

I found this vulnerability about a few months ago, it was a “simple” mistake that I managed to access the Admin panel of a very well-known site. And I have permission to publish this…

For those who don’t know, the JWT (JSON Web Token) is an authentication method widely used for authentication, formerly cookies (still used) but usually a JWT is more common, they can be accompanied (and should all be) with a signature that is signed by the server, and it is this signature that validates that the JWT is in fact valid

JWT FormatHeader: Defines the type of token and the signature algorithm.Payload: Contains valuable information such as authentication informationSignature: Signs the token using a secret key that the server uses to validate it.

Normally a JWT comes encoded in base64…

eyJzdWIiOiAiMTIzNDU2Nzg5MCIsICJuYW1lIjogIkpvaG4gRG9lIiwgImVtYWlsIjogImpvaG5kb2VAZXhhbXBsZS5jb20iLCAiYWRtaW4iOiB0cnVlLCAiaWF0IjogMTYwOTQ1OTIwMH0

Decoded (from the example above):

{
"sub": "1234567890",
"name": "John Doe",
"email": "johndoe@example.com",
"admin": true,
"iat": 1609459200
}

You’re probably wondering what could be done… If someone changed something like that. But that’s where it gets complicated, because the server, as I said, checks by subscription.

Let’s get practical!

The question of the day is… Is it still possible for something as basic as a JWT to be vulnerable in 2024?

When you enter our domain, you usually get a “default” ID, such as guest or anonymous, which is to be expected…

GET https://www.example.com/

Response

No JWT comes, normal, we’re not logged in or anything that needs a JWT

But of course the server would start tagging us with something…

<script>var atlasCode = "eyJhIjo5NDk2LCJjIjo0NDQ3MzM2NCwibiI6MjEsInMiOjI0MSwiZSI6ODUzLCJwIjozfQ==";</script>

This isn’t for authentication, it’s more to track where the user is, on which page, more like a tracker…

After I created an account, a cookie was set to validate that I am me because I am me.

Set-Cookie: MDH=%21eyJvX2dlbmRlciI6IkEiLCJpc0xvZ2dlZCI6Im4iLCJscGFnZWlkIjo3LCJra0lEIjo4OTg3NiwibGFuZyI6InVzIiwibGFuZCI6ImRlIiwiU0lEIjoiMCIsIkNPTiI6IjE0MTYwMTAwMCIsIkxPR0lOIjoiaiIsIk1ESF9VX0lEIjoiMTMwOTgyMDUxIiwibmljayI6ImhvaGt5dGVzdCIsImVtYWlsIjoiaG9oa3lAYnVnY3Jvd2RuaW5qYS5jb20iLCJnZW5kZXIiOiJNIiwiTE9HSU5USU1FIjoxNzI4OTA4MzY3fQ%3D%3D%24f46a10d0ab6db8eebcd4c7afac6a4d332be8b4bf;

Let’s make it simple… 🥸

Using a tool from Burp Suite, I can visualize what’s in the JWT more clearly:

JWT Decoded

I can’t just change a parameter like ‘u_id’ because that will change the JWT and the signature won’t be valid.

The signature is valid. If I don’t change it.

On the right-hand side, I have a few attacks to try out and a simple change like changing the nickname and the “u_id”…

THE JWT KEEP VALID!!!

I did an admin action with no real impact on the server or users, just on me, and it worked…

It’s my IDThe body of request & response

I apologize that the post was very illustrated and lacked technical details. 😪

I hope I’ve helped someone or reminded them that something simple is still valid!

🫠Changes to a JWT can make a difference, such as not adding an algorithm, as in this vulnerability.