JWT RS256 → HS256 algorithm confusion → admin

§ Context

Assumed environment: JWT-based auth, RS256 in production, but the JWT library doesn't strictly require the algorithm — accepts whatever the header says.

§ Steps

1. 01
   Exfil sensitive dataExfiltration

   T1041— Exfiltration Over C2 Channel
2. 02
   Replace token in Authorization headerLateral Movement

   T1550.003— Pass the Ticket
3. 03
   Identify JWT-based authReconnaissance

   W-RECON-FINGERPRINT— Tech Stack Fingerprinting
4. 04
   Obtain the RSA public keyReconnaissance

   W-RECON-API-DISCO— API Endpoint Discovery

   Often at /.well-known/jwks.json or a cert endpoint.

5. 05
   Forge HS256 token using public key as HMAC secretCredential Access

   W-JWT-ALG-CONFUSION— JWT — RS256 → HS256 Algorithm Confusion

   jwt_tool / jwt-cracker / by hand: change alg, sign with public key bytes.

6. 06
   Access admin-only endpointsPrivilege Escalation

   W-BFLA— Broken Function Level Authorization (API BFLA)

§ References

• T1041Exfiltration Over C2 Channel
• T1550.003Pass the Ticket

§ Frequently asked

What is the "JWT RS256 → HS256 algorithm confusion → admin" attack path?

Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit. It chains 6 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Exfil sensitive data (T1041) — a exfiltration primitive. Assumed environment: JWT-based auth, RS256 in production, but the JWT library doesn't strictly require the algorithm — accepts whatever the header says.

What is the final impact of this kill-chain?

The final step lands on Access admin-only endpoints (W-BFLA), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques2

  Origin IP bypass → direct attack on backend

  Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.

• Shared techniques2

  Vesting beneficiary replace → silently drain stream

  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.

• Shared techniques2

  Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach

  Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.

• Shared techniques2

  SAML signature wrapping (XSW) → impersonate admin

  Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.

• Shared techniques2

  MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)

  Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.

• Shared techniques2

  Citrix Bleed → steal authenticated session → MFA bypass

  Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.