WebGoat JWT tokens 4
By fiddling around with the webapp I gather that the Guest user is not allowed to vote, the other three users can vote
Plus there is a reset vote button that, if pressed, it will tell us that it is a function available only to admins
So let’s see what happens between browser and server
If you need to brush up a bit about JWTs, I recommend to go to https://jwt.io/introduction/
When logging in from Guest user to Tom, a JWT access token cookie is sent in the response
When “Reset votes” is pressed, the browser sends the a POST request to the /WebGoat/JWT/votings endpoint and adds the JWT previously given in the request identifying the users as Tom thus the reset votes function does not execute
Let’s copy the JWT token to Burp Decoder in order to decode it from base64 by selecting each separate JWT sections and decoding them accordingly.
In the screenshot, you can see the payload section of the JWT ending in a strange way
This happens because base64 has “=” or “==” as padding at the end on an encoded string, so by adding the padding at the end of the payload the closing curly braces appears as expected
Change the header and payload values as shown here
{"alg":"None"}.{"iat":1600794387,"admin":"true","user":"Tom"}- alg -> None: No signature algorithm is present
- admin -> true: the user requesting the action is an admin
This is referred online as a “JWT none attack”
Basically this means setting the algorithm for signing the JWT to “No algorithm”, if the underlying webapp or its parser allows “None” to be set as algorithm, the JWT token will be valid and no signature will be required
Revert the clear text values to its Base64 JWT format by using Burp Decoder
Get the request on Burp Repeater and substitute the “access_token” header value with the new one, but no luck, the token is not valid
Get rid of the equal signs from the base64 encoding, add a “.” to delimit the end of the JWT payload section and no signature section at all, and the lesson is completed
WebGoat JWT tokens 5
This lesson is about cracking a JWT token, first of all save the given token to a file
Then run HashCat against it — https://hashcat.net/
This is the command I have used
hashcat token.txt -m 16500 -a 3 -w 3 /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txtThe command will leverage the power of HashCat to try to crack or brute force the JWT token, in the above command I am passing HashCat:
token.txt -> the token itself-m 16500 -> specifies the hash type as a JWT token-a 3 -> specifies brute forcing-w 3 -> specifies a high workload, the machine running HashCat might become unresponsive/usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -> this is a medium sized wordlist from SecLists — https://github.com/danielmiessler/SecLists
Then it is possible to use https://jwt.io/ to decode the original JWT token and, now that the key is known, craft a new token
Paste the original token in the left pane and get the decoded values on the right, then change the username to WebGoat
Personally, just to be on the safe side, I changed the “sub”, “username” and “email” values
Remember to change the expiration value as well, since the original token could be expired by the time the hash has been cracked, I just put “1601968004” instead of “1600968004”
Copy the resulting JWT token to WebGoat and complete the lesson
This concludes WebGoat JWT token 4 5
I hope you liked it.
PVXs — https://twitter.com/pivixih
