webPromedium

Moment s JWT (JWT Moment)

hackerlab

Task: bypass JWT authentication on a FastAPI application to gain admin access. Solution: exploit JWT algorithm confusion (CVE-2016-10555) by switching from RS256 to HS256 and signing with the public key, which the server uses as the HMAC secret.

$ ls tags/ techniques/

jwt fastapi authentication_bypass python token_forgery hs256 algorithm_confusion rs256 cve_2016_10555 pyjwt public_key_as_secret

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Разминка с JWT (JWT Warmup)— hackerlab
[web][Pro]rigidType— hackerlab
[web][Pro]Лысина админа (Admin's Bald Head)— duckerz
[web][Pro]Lab 354 — VaultAPI — JWT Authentication Bypass via JWE-Wrapped PlainJWT— hackadvisor
[web][Pro]UUIDY— duckerz