Today I want to share something related to JSON Web Tokens (JWT).
In this writeup, I’ll tell you how I was able to confirm email addresses without confirmation tokens, reset passwords, and take over company email accounts.
So let’s start.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
In its compact form, a JSON Web Token consists of three parts separated by dots (.), which are the header, the payload, and the signature.
Therefore, a JWT typically looks like the following.
xxxxx.yyyyy.zzzzz
Now let’s come back to the writeup.
Here I was able to confirm email addresses without the confirmation token by abusing the invite functionality and modifying the JWT.
Suppose attacker@attacker.com is my email address. I invited myself through the users section and received the confirmation token in my inbox.
The response in Burp was something like:
The token was something like:
Decoding the JWT token:
Now I invited admin@company.com, the response in Burp was:
What I did here was modify the JSON Web Token that I had received in my inbox.
I changed the email from attacker@attacker.com to admin@company.com, changed the attacker ID to the admin ID, and changed the timestamp to the issued timestamp shown in the response as "created date":"xxxxxxxx". (Sometimes the server checks the issued timestamp in order to validate the token.) With that, I was able to confirm the user and set the password of admin@company.com.
These credentials can then be used to log in to the company’s various SSO integrations, such as support panels.
This method was a bit trickier. However, I was able to reset the passwords of users in my organization, since I could see their IDs through the users tab and through physical access to the browser history.
Next I requested a password reset link using my email attacker@attacker.com, and the reset link was:
Upon changing my ID to the targeted user’s ID, I was able to change their password.
The web app was not validating the signature it should have computed over the token, so I was able to re-encode the JWT with whatever claims I wanted.
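To show the difference between the decode-only handling that made this possible and a verifier that would have stopped it, here is an added example (mine, not code from the original post or from the affected application); the secret, IDs and claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json_b64(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 token: header.payload.signature (constructed demo issuer)."""
    signing_input = f"{_json_b64({'alg': 'HS256', 'typ': 'JWT'})}.{_json_b64(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def decode_unverified(token: str) -> dict:
    """The broken pattern from the writeup: trust the payload, never check the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Hardened: pin the algorithm, recompute the MAC, compare in constant time, check expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # any edit to header or payload lands here
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims

def tamper_payload(token: str, **changes) -> str:
    """Re-encode the payload with edited claims, keeping the old signature (what the writeup describes)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = dict(json.loads(_b64url_decode(payload_b64)), **changes)
    return f"{header_b64}.{_json_b64(claims)}.{sig_b64}"

def rejection_reason(token: str, secret: bytes, now=None):
    """Why verify_hs256 rejects a token, or None when it is accepted."""
    try:
        verify_hs256(token, secret, now)
        return None
    except ValueError as exc:
        return str(exc)
```

Run through the forged-invite scenario, decode_unverified happily returns admin@company.com while verify_hs256 fails on the signature, which is the check the affected application was missing.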
For more understanding, you can have a look at:
https://jwt.io/introduction/
https://hackerone.com/reports/638635
That’s all folks!
Thanks for reading and don’t forget to share your thoughts on it.
Also, have a look at https://blog.securitybreached.org/2020/03/17/getting-started-in-android-apps-pentesting/
Can you explain more on this: changed the timestamp to current timestamp
Current timestamp means current time relative to what?
Hi, actually I wrote that wrong; you can check again. Thanks!
What about signature? Is the server not verifying it? As it’s changed in the admin@company.com JWT.
Yes! The server was not validating the signature. In most cases that I’ve seen, the server doesn’t properly validate signatures; that’s how I was able to re-encode the JWT.
Change timestamp to? Can you explain. Do you mean the timestamp at which you requested the admin’s account? And how did you get the exact timestamp, through fuzzing or brute-forcing?