Algorithm Confusion
Algorithm Confusion Attack: using an unexpected algorithm to sign the token.
Symmetric vs Asymmetric Algorithms
Symmetric algorithms use the same key to both sign and verify the token, whereas asymmetric algorithms use a key pair, i.e., a private key to sign the token and a public key to verify it.
Vulnerabilities arise due to flawed implementation of JWT libraries.
Process
Obtain the server's public key.
This might be done through conventional endpoints such as /jwks.json or /.well-known/jwks.json.
Convert it to a suitable format.
The key exposed in JWK format must be made identical to the server's own copy of the key.
Create a malicious JWT with a modified payload and the alg set to HS256.
Sign the token with HS256 using the public key as the secret.
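The flaw this process relies on, shown next to the fix, as an added example (not code from the original page or from any JWT library): one verifier takes the algorithm from the token header, the other pins it on the server side. The RSA key is a constructed, deliberately weak demo key, `PUBLIC_KEY` is a stand-in serialization for the server's public key file, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

# Constructed, deliberately weak RSA key (product of two Mersenne primes); demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
PUBLIC_KEY = f"{N:x}:{E:x}".encode()   # assumed stand-in for the server's public key file
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo header

def b64u(data): return base64.urlsafe_b64encode(data).rstrip(b"=")
def unb64u(data): return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(alg, payload, key):
    """Build a compact JWT; key is the private exponent (RS256) or secret bytes (HS256)."""
    msg = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode()) + b"." + b64u(json.dumps(payload).encode())
    k = (N.bit_length() + 7) // 8
    if alg == "RS256":
        sig = pow(int.from_bytes(emsa(msg, k), "big"), key, N).to_bytes(k, "big")
    else:
        sig = hmac.new(key, msg, hashlib.sha256).digest()
    return msg + b"." + b64u(sig)

def check(alg, msg, sig, key):
    """Verify sig over msg; key is always the stored public key bytes."""
    if alg == "HS256":  # the same bytes are used here as an HMAC secret
        return hmac.compare_digest(sig, hmac.new(key, msg, hashlib.sha256).digest())
    if alg == "RS256":
        n, e = (int(x, 16) for x in key.decode().split(":"))
        k = (n.bit_length() + 7) // 8
        return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == emsa(msg, k)
    return False

def verify_trusting_header(token, key):
    """Flawed: the algorithm is read from the token's own header."""
    head, body, sig = token.split(b".")
    return check(json.loads(unb64u(head))["alg"], head + b"." + body, unb64u(sig), key)

def verify_pinned(token, key, expected_alg="RS256"):
    """Hardened: the server fixes the algorithm and the header must match it."""
    head, body, sig = token.split(b".")
    if json.loads(unb64u(head)).get("alg") != expected_alg:
        return False
    return check(expected_alg, head + b"." + body, unb64u(sig), key)
```

An RS256 token signed with `D` passes both verifiers. A constructed HS256 token whose HMAC secret is `PUBLIC_KEY` passes `verify_trusting_header` but is rejected by `verify_pinned`.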
LAB: Algorithm Confusion
Goal: Obtain the key via a standard endpoint, use it to sign a modified session token to access /admin and delete carlos. The server stores the key in an X.509 PEM file.


Deriving Public Keys from Existing Tokens
If no exposed public keys are available, we can derive one from a pair of existing JWTs using jwt_forgery.py.
# Simplified version of the above tool
docker run --rm -it portswigger/sig2n <token1> <token2>
The above command uses the provided tokens to calculate one or more potential values of n. For each potential value, the script outputs:
A base64-encoded PEM key in both X.509 and PKCS1 format.
A forged JWT signed using each of these keys.
To identify the correct key we need to try both and see which is accepted by the server.
LAB: Algorithm Confusion With Forged Key
Goal: Obtain the key via a standard endpoint, use it to sign a modified session token to access /admin and delete carlos. The server stores the key in an X.509 PEM file.

$ docker run --rm -it portswigger/sig2n eyJ...<SNIP>jMQ eyJ...<SNIP>...dQb


