Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Eye for an eye: Unusual single click JWT token takeover

Yurii Sanin, posted 4 years ago
  • JetBrains Datalore is a data exploration tool that integrates with JetBrains products, offered as an alternative to Jupyter.
  • While toying around with one of the authentication endpoints, the author found an open redirect vulnerability. By itself an open redirect is not very impactful. However, if it can be chained with other bugs in the auth process, it becomes a big deal.
  • The endpoint that initiates the redirect to Datalore (carrying the JWT) had a redirect-target parameter that was only validated to be a subdomain of the JetBrains domain. Remember the open redirect? It could now be useful!
  • On the first redirect, the JWT is appended directly to the Location value. At this point, the redirect carrying the victim's JWT goes to the endpoint that has the open redirect.
  • Because the JWT is appended to whatever URL is in the parameter, supplying the open-redirect URL as the target means the victim's JWT gets appended to it and is eventually bounced back to a page the author controls. The article's title comes from the fact that the URL with the open redirect must itself already contain a valid JWT; to satisfy that check, the author passes in their own JWT.
  • Overall, the chaining of bugs is interesting! Parsing URLs is hard to get right, and an open redirect may be the starting point of something much bigger.