Vulnerable JSON Web Tokens: From JWT Attack to Account take over!

Introduction

While conducting vulnerability research on a private program, which I’ll refer to as «Redacted» for confidentiality reasons, I discovered several intriguing security flaws. These included broken access controls and a vulnerable JSON Web Token (JWT) implementation. This chain of vulnerabilities allowed me to orchestrate a «0-click account takeover» and gain access to private information belonging to millions of users, as well as sensitive data.

Identification

Applications nowadays use tokens to communicate with their services and manage sessions, request resources, etc. In this case, the application Redacted used JWT as a means of session management in its API. Typically, the way to obtain a valid token is by generating one through some form of authentication or similar means. However, in this specific case, we were able to obtain a JWT through valid authentication. The utilized flow was as follows:

At this point, we managed to obtain a valid token like the following:

Request :

Response

access_token : A short-lived token used to authenticate a user and grant access to specific resources within a computer system. Typically, it contains information about the authenticated user and associated permissions, and is used in each service or resource request to demonstrate the user’s authorization.

refresh_token : A long-lived token used to obtain a new access token when the current one expires. Unlike the access token, the refresh token is kept on the client and is not sent with every service request. It is typically used to keep the session active without requiring the user to re-authenticate each time the access token expires.

Common JWT vulnerabilities :

  • None Algorithm: Configuration where the JWT token is not signed, allowing attackers to modify the token’s content without detection.
  • Brute Force Attacks: Repeated attempts to guess the JWT token contents or signing keys.
  • Token Replay: Reusing a previously issued JWT token to access resources or perform actions for which authorization should no longer be granted.
  • Token Expiration Bypass: Using a JWT token after its expiration period has passed.
  • Data Injection: Manipulating the data contained within the JWT token to escalate privileges or access unauthorized resources.

Once we obtained a valid JWT, we could conduct tests or even use a tool called JWT_TOOL to audit the JWT’s security. After conducting thorough tests, the previous token showed no signs of vulnerability.

but why are you talking about JWT vulnerabilities?…..

The vulnerability

Although the token generated in the authentication flow was not vulnerable, upon understanding the application’s functionality and business logic, it had a feature that allowed account sharing with third parties, which is common in applications where additional authentication is not required.

To enable the account sharing feature, it first needed to be activated within an administrative panel. At this point, I identified an endpoint, /api/v2/accounts/share/redacted, where, for some reason, the response to the request was another JWT token. This facilitated the exchange of information.

Request :

Response :

New token :

Once I identified the newly generated JWT, I proceeded to conduct further tests and attempted to attack the JWT. Before doing so, I questioned the following:

  • Can the new JWT make requests to other endpoints?
  • If it’s vulnerable, to what extent do I have access?
  • Can this token generate more tokens?

The Impact

Accessing personal data

Account take over (ATO)

Reset password functionalitty

By:

Posted in:


Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *