[Web] JAuth (300 pts)
Question
Most web application developers use third-party components without testing their security. Some of the past affected companies are:
Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
Mossack Fonesca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
VerticalScope (internet media company) - outdated version of vBulletin forum software used
Can you identify the components and exploit the vulnerable one? The website is running here. Can you become an admin?
You can log in as test with the password Test123! to get started.
Hint
Use the web browser tools to check out the JWT cookie.
The JWT should always have two (2) '.' separators.
Solution
The challenge gave us a login page. After logging in, there was nothing interesting on the page, so I checked the login request to see what was going on. After login, I got a user token, so let's go to jwt and decode it. The notable field here is the role: I got the role of user, so what if we change it to admin?
I tried changing the role to admin and sent the request again with the new token, but it failed.
Hmm, wait: I could see that the token uses the HS256 algorithm, and maybe it could be susceptible to the JWT none algorithm vulnerability. I generated my own new token and changed two values: alg=none and role=admin.
After getting the new token, I sent the request with it. Luckily, this time I was right, and I got the flag.
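Added example, not the challenge's own code (the JAuth server is not shown on this page): a minimal Python JWT verifier in two forms. verify_trusting_header lets the token's header choose the algorithm, which is the bug the writeup exploits: an HS256 token with role edited to admin fails because the signature no longer matches, but a token with alg=none skips the signature check altogether. verify_strict pins HS256 on the server side, requires all three segments (the two '.' separators the hint mentions) plus a non-empty signature, and compares the HMAC in constant time. The secret and the token payloads are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server secret for this example; the challenge's real secret is unknown.
SECRET = b"example-secret-not-from-the-challenge"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(payload: dict, alg: str = "HS256", secret: bytes = SECRET) -> str:
    """Mint a token for test input. alg="none" yields an unsigned token with an
    empty third segment, the shape of token the writeup above sent."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    body = json.dumps(payload, separators=(",", ":")).encode()
    signing_input = b64url_encode(header) + "." + b64url_encode(body)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_trusting_header(token: str, secret: bytes = SECRET):
    """Vulnerable pattern: the token's own header selects the algorithm, so
    alg=none disables the signature check and any payload is accepted."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(s)):
        return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, secret: bytes = SECRET):
    """Hardened verifier: the algorithm is fixed server-side, exactly three
    segments are required (two '.' separators) and the signature must be
    present and match. Returns the claims on success, None otherwise."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return payload


def is_admin(verifier, token: str) -> bool:
    """Authorization decision built on a verifier's claims."""
    claims = verifier(token)
    return bool(claims) and claims.get("role") == "admin"


if __name__ == "__main__":
    legit = make_token({"user": "test", "role": "user"})
    forged = make_token({"user": "test", "role": "admin"}, alg="none")
    print("trusting header, forged token is admin:", is_admin(verify_trusting_header, forged))
    print("strict, forged token is admin:", is_admin(verify_strict, forged))
    print("strict, legitimate token claims:", verify_strict(legit))
```

Real deployments should get the same guarantees from a maintained JWT library configured with an explicit algorithm allow-list rather than a hand-rolled verifier; the point of the two functions is to show where the decision about alg must live.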
Flag