April 4, 2020
Share

Playing with JSON Web Tokens for Fun and Profit

by
JSON web tokens | security breached
Hey Everyone, I hope you all are fine and doing well.

Today I wanna share something related JSON Web Tokens (JWT).

In this writeup, I’ll tell you how I was able to confirm emails without confirmation tokens, reset password as well as taking over company emails.

So let’s start.

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

What is the JSON Web Token structure?

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

Therefore, a JWT typically looks like the following.

xxxxx.yyyyy.zzzzz

Now let’s come back to the writeup.

Confirming emails without confirmation token:

Here I was able to confirm emails without confirmation token by abusing invite functionality and changing JWT token.

Suppose [email protected] email is mine, I invited myself in the users and got the confirmation token in my inbox.

The response in burp was something like:

the token was something like:

Decoding the JWT token:

JSON web tokens | security breached

Now I invited [email protected], the response in Burp was:

Now what I did here was changing the JSON web token that I received in my inbox.

I changed the email from [email protected] to [email protected], attacker ID to admin ID and changed the timestamp to the issued timestamp as you can see in the response “created date”:”xxxxxxxx”. (Sometimes server verifies issued timestamp in order to validate the token.) I was able to confirm the user and set the password of the [email protected].

JSON web tokens | security breached

We can use these credentials to log in to companies’ different SSO integrations like support panels etc..

Resetting Passwords of other users:

This method was a bit tricky. However, I was able to reset the password of my organization users as I was able to see, their ID’s through the users’ tab and physical access of the browser history.

Now I requested a password reset link using my email [email protected] and reset link was:

Upon changing my ID to targeted user ID I was able to change the password.

JSON web tokens | security breached

The web app was not validating the calculated signature, thus I was able to re-encode the JWT.

For more understanding, you can have a look at:

https://jwt.io/introduction/

https://hackerone.com/reports/638635

That’s all folks!

Thanks for reading and don’t forget to share your thoughts on it.

Also, Have a look at https://blog.securitybreached.org/2020/03/17/getting-started-in-android-apps-pentesting/

Discover more from Security Breached Blog

Subscribe to get the latest posts sent to your email.

Muhammad Qasim Munir

Information Security Analyst | Ethical Hacker

7 replies on “Playing with JSON Web Tokens for Fun and Profit”

  • […] Playing with JSON Web Tokens for Fun and Profitground-control https://github.com/jobertabma/ground-control ssrfDetector https://github.com/JacobReynolds/ssrfDetector LFISuit https://github.com/D35m0nd142/LFISuite GitTools https://github.com/internetwache/GitTools dvcs-ripper https://github.com/kost/dvcs-ripper tko-subs https://github.com/anshumanbh/tko-subs HostileSubBruteforcer https://github.com/nahamsec/HostileSubBruteforcer Race the Web https://github.com/insp3ctre/race-the-web ysoserial https://github.com/GoSecure/ysoserial PHPGGC https://github.com/ambionics/phpggc CORStest https://github.com/RUB-NDS/CORStest retire-js https://github.com/RetireJS/retire.js getsploit https://github.com/vulnersCom/getsploit Findsploit https://github.com/1N3/Findsploit bfac https://github.com/mazen160/bfac WPScan https://wpscan.org/ CMSMap https://github.com/Dionach/CMSmapAmass https://github.com/OWASP/AmassAny Import Tool Missing Add in comments… […]

    Reply

  • Change time stamp to ? Can you explain. Do you mean the timestamp at which you requested for admin’s account. And how did you got the exact timestamp through fuzzing or brute-forcing?

    Reply

    • Yes! The server was not validating the signature, In most cases that I’ve seen server doesn’t properly validate signatures, that’s how I was able to re-encode JWT.

      Reply

  • can you explain more on this : changed the timestamp to current timestamp

    Current timestamp means current time relative to what?

    Reply

    • Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    You may also like

    October 10, 2017
    by

    Bugcrowd’s Domain & Subdomain Takeover vulnerability!

    Hey, I decided to Write about this Issue because I have seen some people are still confused about “Fastly error: unknown domain” Many Subdomains of BugBounty programs have This error...

    September 7, 2018
    by

    RCE Unsecure Jenkins Instance | Bug Bounty POC

    Hi Guys, Honestly i was just getting bored and the blog wasn’t updated ina while so i decided to write this  (Will share some more recent issues in a few...