JSON Web Token Exploitation for Red Team

Brief explanation for JWT (JSON Web Token)

How JWT is built?

Exploiting the JWT. How hard can it get?

1. SQL Injection

Username query is vulnerable to SQLi
The red rectangle is the session JWT that we got
Decoded JWT
SQLi Payload added to the name parameter, replacing our username
Replaced JWT and the SQLi Payload execution

1.2 SQLi with KID

2. Local File Inclusion

3. Command Execution

4. HS/RSA Key Confusion and Public Key Leaked

4.1 Detecting the vulnerability

Request captured and the value of “session=” is the JWT
Decoded JWT, Public Key is leaked into “pk” parameter

4.2 Creating our JWT Public Key

4.3 Using jwk_tool.py

4.4 It is time for creativity

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store