Cracking JWTs: A Bug Bounty Hunting Guide [Part 6]
1 min read
Summary
This is the sixth in a series of articles on JWT (JSON Web Token) exploitation techniques as applied to bug bounty hunting.
The objective of this lab is to gain admin access and delete a user called Carlos by exploiting JWT authentication via algorithm confusion.
The application uses RSA (RS256) keys for signing, but the developer has blindly trusted the algorithm specified in the JWT header.
The attacker can change the algorithm specified in the header to HS256, which uses a symmetric key, and use the server’s public key as the secret key.
The attacker can then use the server’s public key to generate a token with admin privileges and delete the user Carlos.
To mitigate this, developers should enforce strict validation of the algorithm specified in the JWT header and should never trust client-supplied headers for cryptographic decisions.
Further, it is advised to disable support for multiple algorithms and use well-tested JWT libraries configured securely.