Lab 09 Using Components With Known Vulnerabilities
After you've logged in to the Juice Shop, it uses JSON Web Tokens (JWTs) to authenticate any subsequent requests. A token consists of three separate parts. First is the header, which describes the token (including the algorithm used to sign it). Next comes the payload, which typically contains a unique identifier for your session along with other information about you as a user of the site that isn't secret. The last part may contain a cryptographic signature created by the issuer (in this case, the Juice Shop). Ideally, a system that uses JWTs should check the signature and completely disregard any token that does not carry a valid signature from a trusted party. The parts are Base64Url-encoded and separated by dots (.), so the structure is <header>.<payload>.<signature>.
Let's test how the Juice Shop deals with JWTs.
- You'll need 3 browser windows open simultaneously for this lab.
- Log in to the Juice Shop as any user.
- Use the developer tools of your web browser to check for any cookies used by the site.
- Notice there's a cookie named `token`. Copy its value.
- Go to jwt.io and paste the token into the left-hand side. Notice how the contents of the token appear on the right-hand side, together with an indicator saying that the token signature was validated successfully. Great! But will the site still accept a token with an invalid signature? Let's find out.
- Go to base64encode.org and create a header indicating that the JWT carries no signature, by entering
  ```json
  {
    "alg": "none"
  }
  ```
- Copy the resulting Base64-encoded text into a new text file.
- Enter a single dot/punctuation character (.) after the text, indicating that the JWT payload part begins.
- From the decoded token in jwt.io, copy the payload into base64encode.org.
- Change the email address to `jwtn3d@juice-sh.op` and the id to a different integer.
- Copy the resulting Base64-encoded text and insert it after the dot in your text file.
- Add a new dot after the text, indicating that the JWT signature part begins (but leave it empty).
- You now have a complete (but unsigned) JWT. Since it is unsigned, it should end immediately after the second dot (.).
- In the developer tools for the Juice Shop, replace the value of the `token` cookie with your forged JWT.
- Reload the page.
- Check if you have access to content that requires an authenticated user (e.g. by adding an item to the cart).
- What is the risk to the Juice Shop in this scenario?
- What is the risk to a general Web app in this type of scenario?
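To make the answer to those two questions concrete, here is an added example (not part of the lab or of the Juice Shop's own code) showing the defender's side: a token parser that trusts the payload without looking at the signature, next to a strict verifier that pins the accepted algorithm, requires a non-empty signature and compares it in constant time. It uses only the Python standard library. The HS256 key and the sample user data are constructed for the demo; the lab does not state which algorithm or key the Juice Shop really uses, so `HS256` here is an assumption chosen to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (an assumption for this example); a real issuer keeps
# its signing key in secret storage and never ships it with the application.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Only the algorithm the issuer actually uses is accepted; "none" is never in this set.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    """Base64Url without padding, the encoding each JWT part uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    """JSON-serialise one token part and Base64Url-encode it."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed <header>.<payload>.<signature> token."""
    header_b64 = encode_part({"alg": "HS256", "typ": "JWT"})
    signing_input = f"{header_b64}.{encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def build_unsigned_token(payload: dict) -> str:
    """The token the lab builds by hand: alg none, payload, empty signature part."""
    return f"{encode_part({'alg': 'none'})}.{encode_part(payload)}."


def naive_decode(token: str) -> dict:
    """The flawed behaviour: read the payload and never inspect the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token: str, key: bytes) -> dict:
    """Strict verification: three parts, allow-listed alg, non-empty signature, constant-time compare."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # Rejects "none" (and any algorithm the issuer does not use) before any crypto runs.
        raise ValueError(f"algorithm not allowed: {alg!r}")
    if not sig_b64:
        raise ValueError("missing signature")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def is_accepted(token: str, key: bytes) -> bool:
    """True only if verify() accepts the token; malformed input counts as rejected."""
    try:
        verify(token, key)
        return True
    except ValueError:  # JSONDecodeError, binascii.Error and UnicodeDecodeError are subclasses
        return False


if __name__ == "__main__":
    # Constructed sample data: a genuine token and the lab's forged, unsigned one.
    genuine = sign_hs256({"id": 1, "email": "user@example.com"}, DEMO_KEY)
    forged = build_unsigned_token({"id": 999, "email": "jwtn3d@juice-sh.op"})
    for label, tok in (("genuine", genuine), ("forged", forged)):
        verdict = "accepted" if is_accepted(tok, DEMO_KEY) else "rejected"
        print(f"{label}: naive_decode sees {naive_decode(tok)['email']}, strict verify -> {verdict}")
```

The order of checks in `verify` is the point: the algorithm allowlist is consulted before any signature work, so a header claiming `none` (or any algorithm the server never issues) is thrown out regardless of what the payload says. That is the check whose absence makes the forged cookie in this lab work, and it is why JWT libraries should be called with the expected algorithm fixed by the server rather than read from the token.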