Cracking JWTs: A Bug Bounty Hunting Guide [Part 5]
Summary
In the continued Cracking JWTs series, Aditya Bhatt looks at the JWT Authentication Bypass via kid (Key ID) header and path traversal.
The kid header is a critical part of a JWT, used as a hint to identify the key to use to verify the signature of the token.
In certain versions of the Java library, this kid value is used by the server to build a filesystem path and fetch the key.
If developers do not sanitise this value, an attacker can perform a path traversal attack and point the kid header at /dev/null, causing the server to read an empty file as the key and thereby bypassing authentication.
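The mechanism above, as an added example that is not part of the original post or of any real JWT library: a naive key resolver that turns kid into a filesystem path is shown beside a hardened resolver that treats kid only as an index into a server-side key table, with a regression check showing that a token signed with an empty key and a kid traversing to /dev/null is accepted by the first and rejected by the second. The key directory, key IDs and payloads are constructed for the demo.

```python
import base64, hashlib, hmac, json, os, tempfile

# Constructed demo key store: stands in for a server's key directory.
KEY_DIR = tempfile.mkdtemp(prefix="jwt_keys_")
KEYS = {"k1": os.urandom(32)}
with open(os.path.join(KEY_DIR, "k1"), "wb") as f:
    f.write(KEYS["k1"])

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header, payload, key):
    body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    return body + "." + b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

def naive_key_lookup(kid):
    # Vulnerable pattern: kid becomes a filename under KEY_DIR with no
    # sanitisation, so "../" sequences walk out of the key directory.
    with open(os.path.join(KEY_DIR, kid), "rb") as f:
        return f.read()

def safe_key_lookup(kid):
    # Hardened pattern: kid is only an index into a server-side key table,
    # never a path; an unknown kid fails verification instead of reading a file.
    if kid not in KEYS:
        raise ValueError("unknown kid")
    return KEYS[kid]

def verify_hs256(token, lookup):
    # Returns the payload if the HS256 signature verifies under lookup(kid), else None.
    # (A production verifier must also pin the expected alg; omitted here for brevity.)
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    try:
        key = lookup(str(header.get("kid", "")))
    except (ValueError, OSError):
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))

def dev_null_kid():
    # Enough "../" to climb from KEY_DIR to "/" and then descend into /dev/null.
    depth = len(os.path.realpath(KEY_DIR).strip("/").split("/"))
    return "../" * depth + "dev/null"

def empty_key_token_accepted(lookup):
    # Regression check: a token signed with an empty key and a kid pointing at
    # /dev/null must be rejected; the naive resolver reads an empty file as the key.
    token = sign_hs256({"alg": "HS256", "kid": dev_null_kid()}, {"sub": "administrator"}, b"")
    return verify_hs256(token, lookup) is not None
```

Run `empty_key_token_accepted(naive_key_lookup)` and `empty_key_token_accepted(safe_key_lookup)` to see the two resolvers diverge; only the allowlist version refuses the forged token.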
In the provided PortSwigger lab, this authentication bypass leads to full admin access, allowing the attacker to delete user accounts.
The null byte and path traversal together provide a sneaky and lethal way to gain unauthorised access to systems.