Algorithm Confusion

Algorithm Confusion Attack: using an unexpected algorithm to sign the token.

Symmetric vs Asymmetric Algorithms

  • Symmetric algorithms use the same key to both sign and verify the token, whereas asymmetric algorithms use a key pair, i.e., a private key to sign the token and a public key to verify it.

  • Vulnerabilities arise due to flawed implementation of JWT libraries.

Process

  1. Obtain the server's public key.

    • This might be done through conventional endpoints such as /jwks.json or /well-known/jwks.json.

  2. Convert it to a suitable format.

    • The exposed keys (JWK format) must be identical with the server's keys.

  3. Create a malicious JWT with a modified payload and the alg set to HS256.

  4. Sign the token with HS256 using the public key as the secret.

LAB: Algorithm Confusion

Goal: Obtain the key via a standard endpoint, use it to sign a modified session token to access /admin and delete carlos. The server stores the key in a X.509 PEM file.

Deriving Public Keys from Existing Tokens

If no exposed public keys are available, we can derive one from a pair of existing JWTs using jwt_forgery.py.

# Simplified version of the above tool
docker run --rm -it portswigger/sig2n <token1> <token2>

The above command is using the provided token to calculate one or more potential n values. For each potential value, the script outputs:

  1. A base64-encoded PEM key in both X.509 and PKCS1 format.

  2. A forged JWT signed using each of these keys.

To identify the correct key we need to try both and see which is accepted by the server.

LAB: Algorithm Confusion With Forged Key

Goal: Obtain the key via a standard endpoint, use it to sign a modified session token to access /admin and delete carlos. The server stores the key in a X.509 PEM file.

$ docker run --rm -it portswigger/sig2n eyJ...<SNIP>jMQ  eyJ...<SNIP>...dQb
PreviousJWT Header Parameter InjectionsNextPrevention

Last updated