
Exercise 54: Weakness in Token-Based Authentication

Jul 1, 2025

Objective

Learn how weaknesses in token-based authentication mechanisms, such as JWT (JSON Web Token) or session tokens, can be exploited to bypass authentication or hijack user sessions. Understand how to secure token-based systems using proper signing algorithms, token expiration, and secure token storage.


Scenario

You are testing a web application that uses JWT for user authentication. Due to improper configuration, the tokens can be manipulated to escalate privileges or hijack sessions.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and JWT.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • Burp Suite or browser developer tools for intercepting tokens.

Step 1: Create the Vulnerable Web Application

  1. Install JWT Library (Firebase PHP-JWT)
    • Install JWT library using Composer: composer require firebase/php-jwt
  2. PHP Script for Authentication with Weak JWT
    • Create a file login.php:

      <?php
      require 'vendor/autoload.php';
      use Firebase\JWT\JWT;

      $secret_key = 'weaksecret';                 // deliberately weak: this is the lab's vulnerability
      $issued_at = time();
      $expiration_time = $issued_at + (60 * 60);  // 1 hour expiration

      if (isset($_POST['username'])) {
          $payload = [
              'username' => $_POST['username'],
              'role'     => 'user',
              'iat'      => $issued_at,
              'exp'      => $expiration_time
          ];
          // HS256 signature (php-jwt 5.x defaults to HS256; 6.x requires the algorithm argument)
          $jwt = JWT::encode($payload, $secret_key, 'HS256');
          echo "<h2>Your Token:</h2><p>$jwt</p>";
      }
      ?>
      <h2>Login</h2>
      <form method="POST" action="">
          Username: <input type="text" name="username" required>
          <button type="submit">Get Token</button>
      </form>
  3. Protected Admin Page (admin.php)
    • Create a file admin.php:

      <?php
      require 'vendor/autoload.php';
      use Firebase\JWT\JWT;

      $secret_key = 'weaksecret';   // same weak secret as login.php

      if (isset($_GET['token'])) {
          try {
              // php-jwt 5.x signature; 6.x takes new Key($secret_key, 'HS256') instead of the array
              $decoded = JWT::decode($_GET['token'], $secret_key, ['HS256']);
              // Authorization rests entirely on the role claim carried inside the token
              if ($decoded->role === 'admin') {
                  echo "<h2>Welcome, Admin!</h2>";
              } else {
                  echo "<h2>Access Denied: User Role</h2>";
              }
          } catch (Exception $e) {
              echo "<h2>Invalid Token</h2>";
          }
      } else {
          echo "<h2>No Token Provided.</h2>";
      }
      ?>

Exploitation Steps

Step 1: Logging In and Obtaining the JWT

  1. Open http://localhost/login.php.
  2. Enter any username (e.g., user) and retrieve the generated JWT.

Step 2: Decoding and Modifying the JWT

  1. Decode the JWT using jwt.io or a local script.
  2. Modify the payload: { "username": "user", "role": "admin", "iat": 1234567890, "exp": 9999999999 }
  3. Sign the token using the weak secret weaksecret.

Step 3: Accessing the Admin Page

  1. Visit: http://localhost/admin.php?token=<modified_jwt>

Expected Result:

  • The attacker gains admin access and sees: Welcome, Admin!

Solution and Prevention

Problem Analysis

  • The JWT is signed with HS256 under a weak, guessable secret ('weaksecret'). Anyone who recovers the secret can re-sign a modified payload (for example role: admin), and the server, which bases authorization entirely on that claim, accepts it.

Fixing the Vulnerability

  1. Use Strong, Random Secret Keys
    • Replace the weak secret with one generated once and stored in configuration shared by login.php and admin.php (not regenerated on every request, or no token would ever verify): $secret_key = bin2hex(random_bytes(32));
  2. Implement Secure Algorithms (HS512 or RS256)
    • Use stronger signing algorithms, and pin the same algorithm on the decode side so the server never honours the alg value carried in the token: $jwt = JWT::encode($payload, $secret_key, 'HS512');
  3. Enforce Short Token Expiration
    • Reduce the token lifetime to minimize the window in which a stolen or forged token is useful: $expiration_time = $issued_at + (10 * 60); // 10 minutes
  4. Implement Token Rotation and Revocation
    • Rotate tokens on privilege changes and keep a server-side revocation list (blacklist) that is checked on every request, so old or stolen tokens can be invalidated before they expire.
  5. Verify Token Integrity
    • Reject any token whose structure, signature, or exp/iat claims fail validation, and never act on an authorization claim such as role unless the signature has verified under the server's key.
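As an added example (not the lab's own PHP), a dependency-free Python verifier that applies the fixes above: a strong random key, HS256 pinned by the server, a constant-time signature comparison and a mandatory exp claim. demo() issues a legitimate token, then shows that the lab's token re-signed with the guessed secret, an unsigned alg=none token, and an expired token are all rejected; function names and sample claims are constructed for this example.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes, ttl: int = 600) -> str:
    """Issue an HS256 JWT; iat/exp are set server-side (10-minute default, as in the fix)."""
    now = int(time.time())
    header, payload = {"alg": "HS256", "typ": "JWT"}, {**claims, "iat": now, "exp": now + ttl}
    signing_input = ".".join(b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims or raise ValueError: algorithm pinned by the server, constant-time
    signature comparison, exp mandatory and checked against the server clock."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # never honour alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired")
    return claims

def outcome(token: str, key: bytes) -> str:
    """Summarise a verification attempt as 'ok:<role>' or 'rejected:<reason>'."""
    try:
        return "ok:" + verify_token(token, key)["role"]
    except ValueError as e:
        return "rejected:" + str(e)

def demo() -> dict:
    key = secrets.token_bytes(32)  # strong secret, generated once per deployment, not per request
    good = issue_token({"username": "user", "role": "user"}, key)
    forged = issue_token({"username": "user", "role": "admin"}, b"weaksecret")  # lab's guessed secret
    none_alg = b64url(b'{"alg":"none"}') + "." + forged.split(".")[1] + "."  # unsigned token
    expired = issue_token({"username": "user", "role": "user"}, key, ttl=-1)
    return {"good": outcome(good, key), "forged": outcome(forged, key),
            "none": outcome(none_alg, key), "expired": outcome(expired, key)}
```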

Testing After Fix

  1. Generate a token and attempt to modify it.
  2. Expected Result:
    • The server rejects the modified token.
  3. Attempt expired or revoked tokens.
  4. Expected Result:
    • The server denies access.

Conclusion

In this lab, you exploited weaknesses in Token-Based Authentication by manipulating JWTs to escalate privileges. You also learned how to mitigate these vulnerabilities by using secure algorithms, strong secrets, token rotation, and expiration policies.
