About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Authentication Bypass when using JWT w/ public keys- 690

Plokta - HackerOnePosted 4 Years Ago
  • JSON web tokens (JWTs) are a common way to create session tokens. They contain three main fields: header, data and a signature. The header is information about the token, the data is the important information about the user and the signature is a cryptographic algorithm to demonstrate that the JWT has not been tampered with.
  • JWTs can use both asymmetric and symmetric algorithms for the signature. The asymmetric version, such as RSA, is more commonly used because the public key can be used to verify the signature without knowing the public key. This makes it possible to be used on other sites besides the one that generated it!
  • The header is a base64 encoded JSON blob that contains several elements but only one that we are interested in: alg, which is short for algorithm for the signature. For instance, this could be set to RS256 for RSA or HS256 for HMAC.
  • So, if the user can specify the algorithm, which key is used? And this is where the vulnerability occurs at! If the algorithm set by the user is used without validation and the input is expecting an asymmetric encryption algorithm, problems occur.
  • With RSA, a public key is used in order to verify the signature. So, this would be the key used for the input. But, if we select a symmetric encryption algorithm, such as HMAC, this will be used as the secret key.
  • This is where the magic lies: the public key is public! By selecting a symmetric key algorithm, such as HMAC, we can sign the JWT with the public key. Since this is the input into the signature validator, it will blindly think that the RSA or asymmetric public key is the secret. Now, we can sign arbitrary objects!
  • This is the issue that happens in Jitsi, which is an open source product that is similar to Zoom. When looking around to the NodeJS jsonwebtoken for if this would be possible, it turns out that it is if the algorithm could be set. Otherwise, the algorithm is assumed based upon the content of the secret.
  • Interesting bug that probably exists in other places. JWTs are awesome but have many foot-guns inside of them.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed