Summary

  • In the fourth part of the Cracking JWTs bug bounty hunting guide, the focus is on a dangerous misconfiguration regarding JWT authentication via the jku (JWK set URL) header.
  • The vulnerability entails the attacker hosting their own JWK set and pointing the server at it, so that the server fetches the attacker's public key and uses it to verify the forged token.
  • The simplest way to gain such access is to alter the kid (key ID) header so that it matches the kid of the attacker-hosted key.
  • The attacker can then use privileged administrator access to, for example, delete user accounts.
  • This type of authentication bypass, where simply pointing the server to a malicious JWK set gives an attacker unlimited access, could be catastrophic in a real application.
  • The post includes a step-by-step guide to exploiting the vulnerability in the PortSwigger lab, as well as recommended mitigation strategies, such as whitelisting the domains a jku may point to and configuring the JWT library with strict settings.
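As an added illustration of the whitelisting mitigation the summary mentions (example code written here, not code from the original article or the PortSwigger lab), the sketch below decodes the unverified JWT header, accepts a jku only when it is an exact https match against an allow-list of hosts, and then selects the verification key by kid from the fetched set. The host name, kid value and in-memory JWK set are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlsplit

# Hypothetical allow-list: the only hosts the verifier may fetch JWK sets from.
TRUSTED_JKU_HOSTS = {"auth.example.com"}

# Constructed in-memory JWK set standing in for the trusted server's response;
# the RSA modulus is a placeholder, since only key selection is shown here.
TRUSTED_JWKS = {"keys": [{"kty": "RSA", "kid": "prod-2024",
                          "n": "PLACEHOLDER_MODULUS", "e": "AQAB"}]}


def make_unsigned_token(header: dict) -> str:
    """Build a compact JWT with the given header and dummy payload/signature (test input only)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"sig")])


def decode_jwt_header(token: str) -> dict:
    """Decode the JOSE header (first segment); nothing here is trusted yet."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def jku_is_trusted(jku: str) -> bool:
    """Strict check: https only, no userinfo, no explicit port, exact host match.
    A substring check such as 'auth.example.com' in jku would pass
    https://auth.example.com.attacker.example/ or userinfo tricks; this does not."""
    parts = urlsplit(jku)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if parts.port is not None:
        return False
    return parts.hostname in TRUSTED_JKU_HOSTS


def select_verification_key(token: str, fetch_jwks=lambda url: TRUSTED_JWKS):
    """Return the JWK whose kid matches the token, or None if the jku is not
    allow-listed or the kid is unknown. The real signature check (RS256 against
    the returned key) would follow; it is outside this example."""
    header = decode_jwt_header(token)
    jku, kid = header.get("jku"), header.get("kid")
    if not isinstance(jku, str) or not isinstance(kid, str):
        return None
    if not jku_is_trusted(jku):
        return None  # never fetch from a host the attacker controls
    for key in fetch_jwks(jku).get("keys", []):
        if key.get("kid") == kid:
            return key
    return None
```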

By Aditya Bhatt