The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


JWT Editor extension fails to resolve lab JWT Algorithm confusion

Juan | Last updated: Aug 13, 2024 10:56PM UTC

Hello, I am asking for help with a specific problem while trying to solve the JWT lab "Authentication bypass via algorithm confusion". Basically, I can complete all the steps except the last one, which is to sign the JWT with the RSA public key that was transformed into a private key for the HS256 algorithm. In the extension, you click Sign and choose the key, but when you confirm the signing it does not update the signature; it does nothing. Therefore, I send the request, but as it is not modified, the 401 follows. What can I do about it?

Michelle, PortSwigger Agent | Last updated: Aug 14, 2024 01:37PM UTC

Hi, thanks for getting in touch. I've just been through the steps for the lab and was able to use the solution to solve it. Can you tell me a bit more about your setup, please? Are you using the installed version of Burp or do you launch Burp from the CLI using the JAR file? If you launch Burp from the CLI, what command are you using? Can you also email the output from Help > Diagnostics to support@portswigger.net?

Juan | Last updated: Aug 14, 2024 08:02PM UTC

Hi, I am using Burp Suite Professional version 2024.7 with the JWT Editor extension installed from Burp. I use JDK 22.0.2. Is there anything I should downgrade?

Michelle, PortSwigger Agent | Last updated: Aug 15, 2024 02:15PM UTC