Playing with JSON Web Tokens for Fun and Profit

Hey Everyone, I hope you all are fine and doing well.

Today I wanna share something related JSON Web Tokens (JWT).

In this writeup, I’ll tell you how I was able to confirm emails without confirmation tokens, reset password as well as taking over company emails.

So let’s start.

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

What is the JSON Web Token structure?

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

• Header
• Payload
• Signature

Therefore, a JWT typically looks like the following.

xxxxx.yyyyy.zzzzz

Now let’s come back to the writeup.

Confirming emails without confirmation token:

Here I was able to confirm emails without confirmation token by abusing invite functionality and changing JWT token.

Suppose [email protected] email is mine, I invited myself in the users and got the confirmation token in my inbox.

The response in burp was something like:

the token was something like:

Decoding the JWT token:

Now I invited [email protected], the response in Burp was:

Now what I did here was changing the JSON web token that I received in my inbox.

I changed the email from [email protected] to [email protected], attacker ID to admin ID and changed the timestamp to the issued timestamp as you can see in the response “created date”:”xxxxxxxx”. (Sometimes server verifies issued timestamp in order to validate the token.) I was able to confirm the user and set the password of the [email protected].

We can use these credentials to log in to companies’ different SSO integrations like support panels etc..

Resetting Passwords of other users:

This method was a bit tricky. However, I was able to reset the password of my organization users as I was able to see, their ID’s through the users’ tab and physical access of the browser history.

Now I requested a password reset link using my email [email protected] and reset link was:

Upon changing my ID to targeted user ID I was able to change the password.

The web app was not validating the calculated signature, thus I was able to re-encode the JWT.

For more understanding, you can have a look at:

https://jwt.io/introduction/

https://hackerone.com/reports/638635

That’s all folks!

Thanks for reading and don’t forget to share your thoughts on it.

Also, Have a look at https://blog.securitybreached.org/2020/03/17/getting-started-in-android-apps-pentesting/