Playing with JSON Web Tokens for Fun and Profit
Hey Everyone, I hope you all are fine and doing well.
Today I wanna share something related JSON Web Tokens (JWT).
In this writeup, I’ll tell you how I was able to confirm emails without confirmation tokens, reset password as well as taking over company emails.
So let’s start.
What is JSON Web Token?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
What is the JSON Web Token structure?
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:
- Header
- Payload
- Signature
Therefore, a JWT typically looks like the following.
xxxxx.yyyyy.zzzzz
Now let’s come back to the writeup.
Confirming emails without confirmation token:
Here I was able to confirm emails without confirmation token by abusing invite functionality and changing JWT token.
Suppose attacker@attacker.com email is mine, I invited myself in the users and got the confirmation token in my inbox.
The response in burp was something like:
the token was something like:
Decoding the JWT token:
Now I invited admin@company.com, the response in Burp was:
Now what I did here was changing the JSON web token that I received in my inbox.
I changed the email from attacker@attacker.com to admin@company.com, attacker ID to admin ID and changed the timestamp to the issued timestamp as you can see in the response “created date”:”xxxxxxxx”. (Sometimes server verifies issued timestamp in order to validate the token.) I was able to confirm the user and set the password of the admin@company.com.
We can use these credentials to log in to companies’ different SSO integrations like support panels etc..
Resetting Passwords of other users:
This method was a bit tricky. However, I was able to reset the password of my organization users as I was able to see, their ID’s through the users’ tab and physical access of the browser history.
Now I requested a password reset link using my email attacker@attacker.com and reset link was:
Upon changing my ID to targeted user ID I was able to change the password.
The web app was not validating the calculated signature, thus I was able to re-encode the JWT.
For more understanding, you can have a look at:
https://jwt.io/introduction/
https://hackerone.com/reports/638635
That’s all folks!
Thanks for reading and don’t forget to share your thoughts on it.
Also, Have a look at https://blog.securitybreached.org/2020/03/17/getting-started-in-android-apps-pentesting/
About the Author
Muhammad Qasim Munir
Information Security Researcher | Ethical Hacker
can you explain more on this : changed the timestamp to current timestamp
Current timestamp means current time relative to what?
Hi, Actually I wrote that wrong, you can check again. Thanks!
What about signature? Is the server not verifying it? As it’s changed in the admin@company.com JWT.
Yes! The server was not validating the signature, In most cases that I’ve seen server doesn’t properly validate signatures, that’s how I was able to re-encode JWT.
Change time stamp to ? Can you explain. Do you mean the timestamp at which you requested for admin’s account. And how did you got the exact timestamp through fuzzing or brute-forcing?