🌐 JAuth

A detailed write-up of the Web challenge 'JAuth' from PicoGym Exclusive

/images/PicoGym/PicoGymExclusive/JAuth/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | PicoGym | Event Link |
| 🔰 Category | Web | 🌐 |
| 💎 Points | 500 | Out of 500 total |
| ⭐ Difficulty | 🟡 Medium | Personal Rating: 3/10 |
| 👤 Author | Geoffrey Njogu | Profile |
| 🎮 Solves (At the time of flag submission) | 4.934 solve rate | |
| 📅 Date | 20-02-2025 | PicoGym |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

Most web application developers use third party components without testing their security. Some of the past affected companies are:

  • Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
  • Mossack Fonseca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
  • VerticalScope (internet media company) - outdated version of vBulletin forum software used

Can you identify the components and exploit the vulnerable one? The website is running here. Can you become an admin? You can login as test with the password Test123! to get started.

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoGymExclusive/JAuth/site_presentation.png
Site Presentation

I tried to log in with the credentials provided in the challenge description (username=test and password=Test123!). Since the title of the challenge, JAuth, reminded me of JWT, I immediately checked the cookies:

/images/PicoGym/PicoGymExclusive/JAuth/login.png
Login

Indeed, there is a token cookie, which is a JWT. We can confirm this with https://jwt.io:

/images/PicoGym/PicoGymExclusive/JAuth/jwtio.png
Jwt.io

As with most JWT challenges, the goal will be to change the role from user to admin. Let’s proceed with the exploitation.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • JWT None Algorithm Confusion

🎯 Solution Path

Exploitation Steps

Initial setup

Since no attached files or other data are provided, the most basic thing to try with a JWT is the none algorithm. The alg (algorithm) header tells the verifier how the token was signed, and none is a valid value meaning that the token carries no signature at all. Sometimes the server does not reject this algorithm, which allows a user to forge a JWT by changing its claims and possibly authenticate as admin. The first step is to remove the signature from the JWT (everything after the last .). I extracted the following JWT from the page by logging in:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNzQwMDg1MDc2NTQyLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzQwMDg1MDc3fQ.zILlnBuAMzwwmimXYDNdC15tiikwXmMUqxGhyLHKjag

As we can see, the JWT is made of three parts (header, payload, and signature) separated by .. When the none algorithm is specified, this three-part structure must be preserved, so both . separators must remain; otherwise, the basic structure of the JWT would be corrupted. We can therefore remove the signature itself, keeping the trailing ., since no signature is needed when the none algorithm is used:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNzQwMDg1MDc2NTQyLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzQwMDg1MDc3fQ.

and proceed with the exploitation phase.

Exploitation

The first step of the exploitation phase is changing the value of alg to none. The header and payload of a JWT are base64url encoded (base64 without padding), so we can use bash, CyberChef, or any decoder to recover the plain text JSON:

/images/PicoGym/PicoGymExclusive/JAuth/cyberchef.png
CyberChef

Now we can take the header plain text, modify the value of alg to none, and base64 encode it:

/images/PicoGym/PicoGymExclusive/JAuth/cyberchefheader.png
CyberChef Header

As we can see, we have obtained a valid header to forge the JWT with administrator privileges:

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0

Now we just need to set the role to admin using the same procedure:

/images/PicoGym/PicoGymExclusive/JAuth/cyberchefpayload.png
CyberChef Payload

obtaining:

eyJhdXRoIjoxNzQwMDg1MDc2NTQyLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTc0MDA4NTA3N30

Now we just need to join the header, the payload, and the (now empty) signature with . to obtain the complete JWT; note the trailing . that marks the empty signature:

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNzQwMDg1MDc2NTQyLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTc0MDA4NTA3N30.

Once the JWT with the role set to admin is obtained, we can use Chrome DevTools to set the value of the token cookie to the newly forged JWT. After refreshing the page (F5), we get the flag.

Flag capture

/images/PicoGym/PicoGymExclusive/JAuth/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The automated exploit logs in with a POST request, extracts the token, and modifies the alg to none and the role to admin. Then, it makes a GET request to /private with the forged token, logging in as admin and extracting the flag from the response using a regex.
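The following example is added here and is not the author's exploit script nor the challenge's server code. It takes the two tokens shown above (the original HS256 token for user test and the forged alg=none token with role admin) and runs them through two verifiers: a weak one that trusts the alg field from the header, which is the behaviour the exploit relies on, and a hardened one that only accepts an explicit allowlist of algorithms and always checks the HMAC. The secret used for signing is a constructed placeholder, not the challenge's real key, so the original token's signature cannot be checked here; the hardened verifier is instead exercised with a token signed in the script.

```python
import base64
import hashlib
import hmac
import json

# Tokens copied from the write-up: the token issued on login and the forged one.
ORIGINAL_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJhdXRoIjoxNzQwMDg1MDc2NTQyLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzQwMDg1MDc3fQ."
    "zILlnBuAMzwwmimXYDNdC15tiikwXmMUqxGhyLHKjag"
)
FORGED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
    "eyJhdXRoIjoxNzQwMDg1MDc2NTQyLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTc0MDA4NTA3N30."
)

# Constructed placeholder secret; the challenge's real signing key is unknown.
SECRET = b"example-secret-not-the-challenge-key"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def split_jwt(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated parts")
    return parts


def decode_unverified(token: str):
    """Return (header, payload) without checking the signature."""
    h, p, _ = split_jwt(token)
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def hs256_matches(h: str, p: str, sig: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_encode(expected), sig)


def verify_weak(token: str, secret: bytes):
    """Flawed check: the algorithm is taken from the attacker-controlled header,
    so alg=none skips signature verification entirely."""
    h, p, sig = split_jwt(token)
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))
    if alg == "HS256" and hs256_matches(h, p, sig, secret):
        return json.loads(b64url_decode(p))
    raise ValueError("bad signature")


def verify_hardened(token: str, secret: bytes, allowed_algs=("HS256",)):
    """Correct check: the server decides which algorithms are acceptable and
    always verifies the MAC; none is never in the allowlist."""
    h, p, sig = split_jwt(token)
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if not hs256_matches(h, p, sig, secret):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue a properly signed token (compact JSON, as most libraries do)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def demo() -> dict:
    """Run the write-up's forged token through both verifiers."""
    results = {"forged_alg": decode_unverified(FORGED_TOKEN)[0]["alg"]}
    results["weak_accepts_forged"] = verify_weak(FORGED_TOKEN, SECRET)["role"]
    try:
        verify_hardened(FORGED_TOKEN, SECRET)
        results["hardened_accepts_forged"] = True
    except ValueError:
        results["hardened_accepts_forged"] = False
    legit = sign_hs256({"typ": "JWT", "alg": "HS256"}, {"role": "user"}, SECRET)
    results["hardened_accepts_legit"] = verify_hardened(legit, SECRET)["role"]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the two verifiers is that the fix is not "reject none" as a special case: a server should never let the token choose its own verification algorithm, so the allowlist lives on the server side and the MAC check is unconditional. Real-world libraries expose the same idea as a required algorithms parameter on their verify call.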

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoGymExclusive/JAuth/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| Jwt.io | JWT Testing |

💡 Key Learnings

New Knowledge

I have learned that with JWTs, you can try specifying the none algorithm and removing the signature, then change some parameters, obtaining a JWT the server accepts if there is no proper check in place.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:08 | From start to flag |
| Global Ranking (At the time of flag submission) | | Challenge ranking |
| Points Earned | 500 | Team contribution |

Created: 20-02-2025 • Last Modified: 20-02-2025 • Author: mH4ck3r0n3 • Team: