JWT Exploitation: How I Forged Tokens and Took Over Accounts
Summary
An ethical hacker known as Abhijeet has detailed how he was able to gain unauthorised access to a bug bounty program by forging a JSON Web Token (JWT).
JWTs are commonly used to authenticate users without sending passwords or other parameters, the token being carried instead in a cookie or header; in this case Abhijeet targeted a misconfiguration that allowed him to take over an account.
He did this by changing the ‘exp’ (expiry) claim in the token to a date in the past, which revokes the user’s privileges, much like a logged-out state; in a second technique he describes, he changed the ‘iss’ (issuing party) claim to a different account, which switched his privileges to that account.
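Added example, not code from Abhijeet's write-up or from the affected program: a minimal HS256 verifier showing the defensive checks that make altered ‘exp’ and ‘iss’ claims worthless without the signing key (signature first, then expiry, then an issuer allow-list). The key, issuer URL and claim values are constructed for the demo, and `alter_claims_without_key` only builds negative test vectors for the verifier.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, key: bytes) -> str:
    # Stand-in for the server's own token issuer (constructed for the demo).
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes, trusted_issuers: set, now=None):
    """Return the claims if the token is valid, otherwise None (no partial trust)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; never let the token's header choose it.
    if not (isinstance(header, dict) and isinstance(payload, dict)) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # Only once the signature holds do exp and iss carry any meaning.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    if payload.get("iss") not in trusted_issuers:
        return None
    return payload

def alter_claims_without_key(token: str, **changes) -> str:
    """Test vector: re-encode the payload with changed claims but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = {**json.loads(_b64url_decode(payload_b64)), **changes}
    return f"{header_b64}.{_encode_json(payload)}.{sig_b64}"
```

A verifier that decoded the payload and acted on ‘exp’ or ‘iss’ before checking the signature, or that let the header pick the algorithm, is the kind of misconfiguration that turns these claim edits into an account takeover.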
The vulnerabilities were discovered in a real-world bug bounty program, and while Abhijeet details how the attacks were carried out, the exact nature of the vulnerability has not been disclosed.
Many ethical hackers overlook JWT exploitation because of its apparent complexity, he said, and it is often underestimated.