JWT Key Confusion Attack: Part1

Navneet
Feb 11, 2021

This post covers the theory of the key confusion attack. Part2 solves the JWT Lab by Sjoerd Langkemper to demonstrate the attack.

JWT stands for JSON Web Token. After successful user authentication, the server sends a JWT in the response, which can then be used to make API calls or to access protected resources. It is typically sent in a request header like this:

Authorization: Bearer JWT

A JWT looks like this and may not make any sense to the naked eye:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.Yrp55yopmWPtFlRNYKPAXTNgvEPGI7cuDgrBcVBZXzQ

It consists of 3 parts (base64 encoded) separated by dots.
1. Header
2. Payload
3. Signature

We can use a trusted online tool like https://jwt.io or a Burp Suite plugin like JSON Web Tokens to decode it and see the plain-text information inside it.

[Figure: Decoded JWT and the plain-text information inside it.]

Two popular algorithms are used for generating the signature.
1. HMAC
2. RSA

HMAC uses a ‘password/secret’ along with the header and payload to generate the signature. It is this secret that makes the JWT tamper-resistant: it is assumed that an adversary does not know the secret and hence can’t forge a JWT. Without the secret, the signature would be just a SHA256 hash.

RSA uses a different approach. It uses a private key to generate the signature and the corresponding public key to verify it, just like a digital signature.

The key confusion attack takes advantage of a weakness in some JWT libraries, which trust the JWT header even though it is user-controlled.

Now consider this situation: the server uses the RS256 algorithm to sign a JWT. I want to test whether I can forge the signature of the JWT, i.e. generate a new signature using the HS256 algorithm. First, I change the signing algorithm from RS256 to HS256. With the HS256 algorithm, I need a ‘password/secret’ to generate the signature. Can I just pick some random ‘password/secret’ of my choice? NO.

We must use the public key which is used for verifying the signature. We can ask the application owners or developers to provide us the public key, and it’s not a crime: we are just asking for the public key, not the private key! We can use the Burp Suite plugin JSON Web Token Attacker (JOSEPH) to forge a signature; Part2 discusses how to do that. Now we have a JWT with a forged signature, created using the public key as the ‘password/secret’ and the HS256 algorithm.

The JWT with the forged signature obtained above is sent to the server. The JWT library that processes the request trusts the JWT header, so it assumes that HS256 was used to generate the signature. The following code now uses the HS256 algorithm to calculate the signature, using the public key as the secret.

jwt = JWT.decode(token, public_key)

Since the JWT was already signed using the public key, the application's signature verification succeeds, and the key confusion attack works. An attacker can now create a JWT and sign it with the public key to bypass authentication completely.
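The guard a verifier needs before any signature is computed, shown beside the header-trusting HMAC check it protects against. This is an added example, not code from the original post or from any JWT library: the PEM text, claim values and function names are constructed for illustration, and the RSA verification itself is left to the crypto library that runs once the guard passes.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the server's published RSA public key (not a real key).
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-SAMPLE-KEY\n-----END PUBLIC KEY-----\n"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def hs256_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 test token so the checks below have input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def hs256_matches(token: str, key: bytes) -> bool:
    """What a header-trusting library computes once the header says HS256."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def enforce_pinned_alg(token: str, key: bytes, expected_alg: str) -> None:
    """Run before any signature check: the server, not the token, picks the algorithm."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} rejected, server expects {expected_alg!r}")
    if expected_alg.startswith("HS") and b"-----BEGIN" in key:
        raise ValueError("PEM key material must not be used as an HMAC secret")

def is_rejected(token: str, key: bytes, expected_alg: str) -> bool:
    try:
        enforce_pinned_alg(token, key, expected_alg)
    except ValueError:
        return True
    return False

# Token shaped as in the post: header says HS256, HMAC key is the public key.
CONFUSED = hs256_token({"sub": "constructed-user"}, PUBLIC_KEY_PEM)
```

With the algorithm pinned to RS256 on the server side, the token is refused on its header alone, and the second check catches deployments that pass a PEM public key into an HMAC code path.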
