JWT Key Confusion Attack: Part 2

Navneet
Feb 11, 2021

In Part 1 we discussed the Key Confusion Attack. In this post we will use a vulnerable JWT application by Sjoerd Langkemper to demonstrate the attack.

Install the JSON Web Token Attacker (JOSEPH) extension from the Burp Suite store (Extender Tab in Burp Suite) and head over to the blog. Click on this RS256 demo page to go to the lab.

JWT Key Confusion lab.

Copy the JWT, paste it under JOSE input in the JOSEPH Burp extension and click load. Again, select Key Confusion from the dropdown and hit load. We are going to use the public key to generate the signature with the HS256 algorithm; the public key can be obtained from here. In a regular penetration testing assignment, check with the application team for the public key. Remember that this must be the same key the server uses to verify the signature.

Public key for generating the signature.

Select the first payload and click on update to get the new JWT with a forged signature. Copy the updated JWT.

First payload for generating the signature.

Paste the updated JWT in the lab’s input field and hit ‘Send JWT’. Observe the error message ‘Signature verification failed.’

Signature verification failed.

Go back to the JOSEPH Burp extension and repeat the steps with the next payload in the dropdown. Continue the steps till you have found a solution or exhausted all the payloads. Observe that for payload Public Key Transformation 04 (0x04) we get a valid JWT response.

Signature verification successful.

This confirms that the JWT implementation is vulnerable to the Key Confusion Attack: the JWT can be tampered with and still be accepted by the server.

Note 1: If you get the error message ‘Expired Token’, get a new JWT and use that for your attack.

Note 2: One may ask why we need different payloads when the public key is just plain text. In cryptography, even one bit of variation in the input produces a completely different result. The bytes of the key depend on things like line breaks (Windows vs. Unix) and the certificate format (.pem vs. .der), so each payload tries a different representation of the same key.
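As an added example (not from the original post, the lab or JOSEPH), the Python code below takes the defender's side of Note 2: it checks whether a token's HS256 signature was computed with some byte encoding of the server's own public key, and shows the algorithm pin that rejects such a token before any key is used. The function names, variant names and the sample key bytes are assumptions made for this example.

```python
import base64, hashlib, hmac, json

def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def key_variants(pem):
    """Byte encodings of one public key (variant names are this example's own)."""
    lf = pem.replace("\r\n", "\n").strip("\n")
    crlf = lf.replace("\n", "\r\n")
    body = "".join(l for l in lf.split("\n") if not l.startswith("-----"))
    return {"pem_lf": lf.encode(), "pem_lf_nl": (lf + "\n").encode(),
            "pem_crlf": crlf.encode(), "pem_crlf_nl": (crlf + "\r\n").encode(),
            "der": base64.b64decode(body)}

def hs256(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def parse_header(token):  # JOSE header as a dict, or None if malformed
    try:
        header = json.loads(b64u_decode(token.split(".")[0]))
    except ValueError:
        return None
    return header if isinstance(header, dict) else None

def detect_key_confusion(token, pem):
    """Name of the key variant whose HS256 MAC matches the token, else None."""
    header, (signing_input, _, sig) = parse_header(token), token.rpartition(".")
    if header is None or header.get("alg") != "HS256":
        return None
    for name, key in key_variants(pem).items():
        mac = b64u_encode(hs256(key, signing_input))  # unpadded base64url, as in JWTs
        if hmac.compare_digest(mac.encode(), sig.encode()):
            return name
    return None

def alg_is_pinned(token, expected="RS256"):
    """Server-side pre-check: accept only the algorithm the server issues."""
    return (parse_header(token) or {}).get("alg") == expected

# Constructed sample data: placeholder bytes, not a real RSA key or lab token.
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % (
    base64.b64encode(bytes(range(48))).decode())
SAMPLE_INPUT = (b64u_encode(b'{"alg":"HS256","typ":"JWT"}') + "."
                + b64u_encode(b'{"sub":"constructed"}'))
SAMPLE_TOKEN = SAMPLE_INPUT + "." + b64u_encode(
    hs256(key_variants(SAMPLE_PEM)["pem_lf_nl"], SAMPLE_INPUT))
```

A server that runs the `alg_is_pinned` check before choosing a key never reaches the HMAC path with its public key, whichever encoding was used.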
