Attacking JWT’s with a Custom SQLmap Tamper Script

Introduction
If you’ve ever watched a movie or TV show that involves computer “hacking”, you’ll recognize these scenes. Someone wearing a hoodie (of course) hunched over six monitors of scrolling text, frantically typing and instantly programming some complex code to break past a firewall. My favourite (facepalming) scene had two “hackers” tag-team typing on a keyboard in order to type fast enough to defeat the bad guys. Apparently, it’s just that easy to hack into the Department of Defense. The caricature is fun. I honestly don’t know what most people actually think about these scenes, but I find them hilarious.
I’m not a computer gamer, but you could say hacking is a game I enjoy. Don’t get me wrong. There are ethics to follow. In the world of computer security, hackers are recognized by the “hat” they wear. Black Hat hackers are the nefarious ones looking for opportunities to exploit a weakness in your infrastructure. On the other side are White Hat ethical hackers (like myself) who learn the craft of hacking in order to understand where the Black Hats will seek to attack. It gives me insight into what I can recommend for our clients to fix or improve in their infrastructure or code so they don’t get hacked by the Black Hats.
There are a number of challenges on the Internet called “Capture the Flag” where I put my skills against the challenge to see if I can hack my way into a website or computer and prove it by finding the hidden Flag. This article is an example of a challenge that I recently completed. I won’t name which one, because there are no solution write-ups currently out there for it. I don’t want to spoil it for anyone else 🙂
The Challenge
Challenge: Straightforward. Break into the website and find the flag. All I’m given is an IP and port number.
How? We’re not told. There’s no hint to what the vulnerability might be.
Where’s the Flag? I don’t know. In many of these types of challenges there are two flags: a regular user flag and a system administrator or root flag. These are usually files on the system.
Over the next few posts, I’ll be walking through the steps I took to complete this challenge. It wasn’t a particularly difficult challenge, but it demonstrates the process that a dedicated hacker will take to gain access as well. I also want to show where I see things went wrong in the site’s security. JWT stands for JSON Web Token; JWTs are used as a self-contained way to securely transmit information. In this CTF challenge they ended up being the primary hole in the site. This will be a technical series of posts, and I’ll end up demonstrating how to construct custom tamper scripts for sqlmap. Stay tuned.