Brute-forcing secret keys

Brute-forcing secret keys

Brute-forcing secret keys using hashcat

Hashcat

hashcat -a 0 -m 16500 <jwt> <wordlist>

Lab

Lab: JWT authentication bypass via weak signing key | Web Security AcademyWebSecAcademy

This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.

To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Steps

Getting the JWT Token

• Install JWT Editor extension in burp suite

• Visit the website and login using username as wiener and password as peter

• Capture and copy the JWT token

Brute force the jwt token using Hashcat and John

Creating and Signing tokens using the secret key

• Go to JWT Editor Tab

• Click on New Symmetric Key

• Select Specify secret option and enter the key as "secret1"

• Click on Generate button and click on Ok

• Now, visit the /admin route and send the request to repeater

• In the payload section change the sub value to administrator

• Click on Sign button and click on Ok

Delete the user Carlos

• Now copy the newly created token

• Visit https://0ac10073042c936880bd3575007e0084.web-security-academy.net/admin/delete?username=carlos

• Now in the proxy tab modify the jwt token to the new copied one and then forward the request

• $$$