This exercise covers how to use the `x5u` header to bypass JWT-based authentication.

1-2 Hrs.
Green Badge
In this exercise, we explore the `x5u` header in JWT tokens and demonstrate how an attacker can manipulate this header to forge a token and gain unauthorized access as an admin. The `x5u` header lets a token point to the certificate that should be used to verify it, but applications must not trust this URL blindly, since an attacker can supply a link to a certificate they control. We draw parallels to the CVE-2018-0114 vulnerability and explain how to leverage the absence of a trailing slash in the restricted URL list to bypass security checks.

The practical part involves creating a private and public key pair, generating the matching JWK file, and crafting a JWT whose header points to an attacker-controlled server. We also discuss pitfalls such as caching issues and the need to align the signing algorithm with the algorithm declared in the token's header. By the end of the exercise, you will understand how to exploit the `x5u` header to bypass the signature check and gain unauthorized access.
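To make the trailing-slash problem concrete from the defender's side, here is an added example (not part of the exercise or PentesterLab's code) that decodes the JOSE header of a token, pulls out `x5u`, and compares a prefix-based check with one that parses the URL and matches the host exactly. The trusted host `keys.example.com`, the `/jwks/` path and the sample tokens are constructed for this illustration.

```python
import base64
import json
from urllib.parse import urlparse

# Hypothetical allow-list: the only host the application should ever fetch
# certificates from, and the directory on that host where they live.
TRUSTED_HOST = "keys.example.com"
TRUSTED_PATH_PREFIX = "/jwks/"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header (first dot-separated part) of a compact JWT."""
    return json.loads(b64url_decode(token.split(".")[0]))


def weak_x5u_check(x5u: str) -> bool:
    """Plain string-prefix check with no trailing slash after the host.

    This is the flaw the exercise targets: any URL that merely *starts* with
    the trusted origin passes, including hosts that only share the prefix.
    """
    return x5u.startswith("https://" + TRUSTED_HOST)


def strict_x5u_check(x5u: str) -> bool:
    """Parse the URL and compare scheme, host and path component by component."""
    u = urlparse(x5u)
    return (
        u.scheme == "https"
        and u.hostname == TRUSTED_HOST
        and u.port in (None, 443)
        and u.path.startswith(TRUSTED_PATH_PREFIX)
    )


def make_test_token(x5u: str) -> str:
    """Build a constructed JWT with the given x5u header and a dummy signature."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = json.dumps({"alg": "RS256", "typ": "JWT", "x5u": x5u}).encode()
    payload = json.dumps({"sub": "user"}).encode()
    return ".".join([enc(header), enc(payload), "sig"])
```

In a real verifier, `strict_x5u_check` runs before any certificate is fetched, and the fetched certificate should additionally be pinned or chained to a trusted CA rather than accepted simply because the URL looked right.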
