The user-auth-service of Unguard uses a vulnerable version of the library jwt-simple (versions below 0.5.3) that allows you to forge a JWT token and authenticate as another user.

- Improperly Implemented Security Check for Standard (CWE-358)
- Signature Verification Bypass (SNYK-JS-JWTSIMPLE-174523)
For this exploit to work you need:
- Unguard deployed and running, in particular the user-auth-service
- unguard-exploit-toolkit set up
Further details can be found in the user-auth-service project.
To forge a JWT token, first log in as any user, then pass the desired usertag (in the form username:userid) to the CLI.
Attention: The username and user ID have to match, otherwise the forged token will not have the right permissions.
```
$ ug-exploit login bob
$ ug-exploit forge-token admin:1
```
ug-exploit is now logged in as the forged user, so you can either continue with ug-exploit directly or take the forged token, which is printed to the command line, and use it manually.
To use it manually, set the token as the value of the cookie named "jwt" (in Chrome, for example, via Developer Tools -> Application -> Cookies).