JWT Forgery
Now that the symmetric JWT secret key has been revealed, it is entirely possible to tamper with or forge the existing JWT.
This is the initial JWT that I received, which temporarily grants access to both the posts and categories API endpoints.
Notice the ["Posts_Get_All", "Categories_Get_All"] values, and the aud parameter set to http://api.blazorized.htb
Tampering
The above is the tampered JWT used to access the admin page at admin.blazorized.htb:
- The Super_Admin permission is set
- The aud parameter has been altered to http://admin.blazorized.htb
- exp is in Unix time format, and I altered it to last until the year 2033
- The symmetric JWT secret key is also provided for signing
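Each of the edits above targets one claim a resource server is supposed to check. As an added example (not the author's code, and not the Blazorized application's own validation), here is the strict HS256 verification the API side should perform: the algorithm is pinned, the signature is checked against the server's key, exp is enforced, and a token minted for a different aud is rejected. The secret and the "permissions" claim name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder secret for this example; the real leaked key is not reproduced here.
SECRET = b"example-secret-not-the-real-key"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; used here only to build sample tokens for the checks below."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify(token: str, secret: bytes, expected_aud: str, now=None) -> dict:
    """Strict resource-server check: pinned alg, signature, exp, aud. Returns claims or raises ValueError."""
    h, p, s = token.split(".")  # raises ValueError on a malformed token
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):  # token minted for another host
        raise ValueError("audience mismatch")
    return claims

def reject_reason(token: str, secret: bytes, expected_aud: str, now=None):
    """Return the rejection reason, or None when the token is accepted."""
    try:
        verify(token, secret, expected_aud, now)
        return None
    except ValueError as err:
        return str(err)
```

Note that audience and expiry checks only stop tokens that were edited without re-signing; once the HS256 secret itself is known, every check here passes for a freshly signed token, which is why the leaked key, not the claim validation, is the root problem.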
Now I just need to grab the tampered JWT, and load the admin page with it.
The only problem is that http://admin.blazorized.htb generates so many requests that it is nearly impossible to make a request through Burp Suite, so I opted to store the JWT in local storage instead.
This is an absolutely required step due to the nature of the Blazor application.
According to the author:
“if the local storage contains a jwt, I know that the user is authenticated so an event gets fired and changes the authentication state”
“it does not take the JWT and use it as you would for a normal front end, the authentication state gets saved on the backend and while the JWT is valid, the user is authenticated”
Upon refreshing the page, the login page is effectively bypassed and I am redirected to the /home endpoint.
I will continue enumerating the admin page.