https://blog.rodolpheg.xyz/fr/tags/jwt/Recent content in JWT on RORO's blogHugofrcontact@rodolpheg.xyz (0xRo)contact@rodolpheg.xyz (0xRo)Sun, 21 Sep 2025 00:00:00 +0000https://blog.rodolpheg.xyz/fr/posts/halcrypto/Sun, 21 Sep 2025 00:00:00 +0000contact@rodolpheg.xyz (0xRo)https://blog.rodolpheg.xyz/fr/posts/halcrypto/<h2 id="synthese">Synthese</h2> <ul> <li><strong>Challenge</strong> : HalCrypto</li> <li><strong>Categorie</strong> : Securite Web</li> <li><strong>Vulnerabilite</strong> : Contournement de la validation JWT via confusion d&rsquo;URL avec le symbole @</li> <li><strong>Impact</strong> : Contournement de l&rsquo;authentification menant a un acces administrateur</li> <li><strong>Flag</strong> : <code>HTB{r3d1r3c73d_70_my_s3cr37s}</code></li> </ul> <h2 id="vue-densemble-de-la-vulnerabilite">Vue d&rsquo;ensemble de la vulnerabilite</h2> <h3 id="diagramme-du-flux-dattaque">Diagramme du flux d&rsquo;attaque</h3> <pre tabindex="0"><code class="language-mermaid" data-lang="mermaid">graph TD A[User Login + Attacker JWT] --&gt; B[AuthMiddleware] B --&gt; C[Extract JKU URL from Header] C --&gt; D{Validate JKU URL&lt;br/&gt;lastIndexOf check} D --&gt;|&#34;URL starts with AUTH_PROVIDER&lt;br/&gt;string-based comparison&#34;| E[PASSES] D --&gt;|&#34;Does not start with AUTH_PROVIDER&#34;| R[Rejected] E --&gt; F[&#34;Fetch JWKS from JKU URL&#34;] F --&gt; G[&#34;JWT Verification with&lt;br/&gt;attacker&#39;s public key&#34;] G --&gt; H[Auth Bypass] H --&gt; I[Flag] subgraph &#34;URL Confusion&#34; J[&#34;Validator sees:&lt;br/&gt;http://127.0.0.1:1337@attacker.com/...&lt;br/&gt;starts with AUTH_PROVIDER ✓&#34;] K[&#34;HTTP client connects to:&lt;br/&gt;attacker.com&lt;br/&gt;treats 127.0.0.1:1337 as credentials&#34;] end D -.-&gt; J F -.-&gt; K </code></pre><h2 id="analyse-source-to-sink">Analyse source-to-sink</h2> <h3 id="1-point-dentree---authentification-jwt-source">1. Point d&rsquo;entree - Authentification JWT (Source)</h3> <p>La vulnerabilite commence lorsque le AuthMiddleware traite les tokens JWT :</p>