JWT authentication bypass via unverified signature
In this post we will walk step by step through how to solve the JWT authentication bypass via unverified signature lab on PortSwigger. The lab is rated Apprentice and is the first lab in PortSwigger's JSON web tokens section.
Link to lab: https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature
To start the lab click the ‘Access the Lab’ button.
As we begin the lab we encounter a blog showcasing different posts. It's worth noting that the posts may differ from the screenshot, as PortSwigger Labs can vary the content with each lab session. So, don't worry if your posts look different.
Using the credentials provided to us (wiener:peter) we can authenticate into the application and view our account information.
If you do not have the JWT Editor extension installed, you will need to do so under the Extensions tab. At the time of writing this post the JWT Editor extension can be used for Burp Suite Community Edition and Pro Edition.
Navigating back to the Proxy tab, we should see a request highlighted in green. This is JWT Editor letting us know that the HTTP request contains a JWT.
Sending the my-account?id=wiener request to Repeater lets us edit the JWT from the JSON Web Token tab.
From top to bottom we have the JWS Header, Payload, and Signature.
Our goal for this lab is to get administrative access to the /admin panel. Let's update the “sub” claim in the payload from wiener to administrator and see whether the server accepts the modified token without verifying its signature.
After updating the “sub” claim to administrator we can try and access /admin.
Here we can see that we have access to the /admin panel and can delete users, because the server never verified the signature of the JWT we supplied.
It appears we can delete the user Carlos and solve the lab by navigating to /admin/delete?username=carlos with our updated JWT.
After deleting the user Carlos with our updated JWT we have successfully solved the lab!
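To make the root cause concrete, here is an added example (not code from the lab or from PortSwigger) that shows the two server-side patterns side by side using only the Python standard library: a decoder that reads the claims without checking the signature, which is the behaviour the lab exploits, and a hardened decoder that pins the algorithm, recomputes the HMAC and compares it in constant time. The signing key, the claim values and the replace_payload helper that reproduces the lab's edit are all constructed for this demonstration; the lab's real key and payload are not known from the post.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key for this example only; it is not the lab's signing secret.
SECRET = b"demo-signing-secret-not-from-the-lab"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Vulnerable pattern: read the claims and trust them without checking the signature."""
    _header, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def decode_verified(token: str, key: bytes) -> Optional[dict]:
    """Hardened pattern: pin the algorithm, recompute the MAC, compare in constant time.

    Returns the claims on success and None for any malformed or forged token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Never take the algorithm from the token alone; the server decides what it accepts.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    try:
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None


def replace_payload(token: str, payload: dict) -> str:
    """Reproduce the lab's edit: swap the payload segment but keep the original signature."""
    header_b64, _old_payload, sig_b64 = token.split(".")
    new_payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


def demo() -> dict:
    """Constructed claims: a legitimate token for wiener and the same token with sub edited."""
    legit = sign_hs256({"sub": "wiener"}, SECRET)
    forged = replace_payload(legit, {"sub": "administrator"})
    return {
        "unverified_forged_sub": decode_unverified(forged)["sub"],   # the bug: "administrator"
        "verified_forged": decode_verified(forged, SECRET),          # hardened: None (rejected)
        "verified_legit_sub": decode_verified(legit, SECRET)["sub"], # hardened: "wiener"
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The unverified decoder happily returns "administrator" for the edited token, which is exactly why the lab's /admin request succeeds; the verified decoder rejects it because the signature still covers the original payload. In a real application the same checks (algorithm pinning, full signature verification, constant-time comparison) are what a JWT library performs when it is called with the key and an explicit allowed-algorithm list rather than a "decode only" option.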
That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!
Jarrod