PicoCTF 2023: Java Code Analysis
- Steve Kinyanjui
- May 22, 2024
- 2 min read
Updated: May 23, 2024
The Java Code Analysis challenge involved a web-based book shop application. The objective was to access a book that was only available to the admin by analyzing the source code and manipulating a JWT token.
Step-by-Step Walkthrough
1. Initial Exploration
Upon visiting the shop website, it was clear that a normal user had access to only one book. The goal was to access the book restricted to the admin.
2. Inspecting Developer Tools
Using the browser's developer tools, I navigated to the local storage and found two interesting items under "auth token" and "payload". These items contained the JWT (JSON Web Token) used for authentication.

3. Analyzing the Source Code
To understand how the JWT was generated and validated, I searched through the downloaded source code directory using the command:
grep -R secret

Among the results, the file SecretGenerator.java stood out.
The file path:
src/main/java/io/github/nandandesai/pico/security/SecretGenerator.java
4. Reviewing SecretGenerator.java
The SecretGenerator.java file contained critical information about the secret key used to sign the JWT tokens.
Key Excerpt from SecretGenerator.java:
// Imports added to make the excerpt self-contained (SLF4J logging and Spring's @Autowired)
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

class SecretGenerator {
    private Logger logger = LoggerFactory.getLogger(SecretGenerator.class);
    private static final String SERVER_SECRET_FILENAME = "server_secret.txt";
    @Autowired
    private UserDataPaths userDataPaths;

    // The remainder of the class is omitted in this excerpt; this is the method that matters.
    private String generateRandomString(int len) {
        // not so random
        return "1234";
    }
}

The method generateRandomString was supposed to generate a random string but instead returned the hardcoded string "1234", and this string was used as the secret key for signing JWT tokens. Because the signing key is a fixed, guessable value, anyone who reads the source can mint tokens the server will accept.
5. Manipulating the JWT Token
With the secret key ("1234") in hand, I used the website jwt.io to decode and modify the JWT token found in local storage using the following steps:
Decoded the JWT to view its payload.
Edited the payload to change the user role to Admin, the email to admin, and the user id to 2.
Re-encoded and signed the JWT using the secret key "1234".

6. Updating the Token in Local Storage
I replaced the original JWT token in the browser's local storage with the newly modified and signed token.

7. Accessing the Admin Book
After updating the JWT token, I refreshed the page. As an admin, I now had access to the restricted book. Opening the book revealed the hidden flag.
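To show concretely why the hardcoded "1234" breaks the scheme, here is an added Python example (not code from the challenge or from the original post) that implements HS256 signing and verification with the standard library, replays the role change from step 5, and checks whether a server would accept the re-signed token. The claim names (id, email, role) and the user token's values are assumptions for the demonstration; the point it adds is that the same tampering fails once the server signs with a properly random secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the token is a well-formed HS256 JWT signed with `secret`, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
            return None
        return json.loads(b64url_decode(body))
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return None


def tampered_token_accepted(server_secret: bytes) -> bool:
    """Replay the write-up: rewrite a user token's claims to the admin values and re-sign it
    with the secret read from the source ("1234"). True if a server using server_secret accepts it."""
    guessed_secret = b"1234"  # the hardcoded value from SecretGenerator.java
    user_token = sign_hs256({"id": 1, "email": "user", "role": "User"}, server_secret)  # constructed
    claims = json.loads(b64url_decode(user_token.split(".")[1]))
    claims.update({"id": 2, "email": "admin", "role": "Admin"})  # the edits made on jwt.io
    forged = sign_hs256(claims, guessed_secret)
    result = verify_hs256(forged, server_secret)
    return result is not None and result.get("role") == "Admin"


if __name__ == "__main__":
    print("weak secret  :", tampered_token_accepted(b"1234"))                  # True
    print("random secret:", tampered_token_accepted(secrets.token_bytes(32)))  # False
```

The fix on the server side is the second case: generate the signing secret with a cryptographic RNG (secrets.token_bytes here, SecureRandom in Java) and keep it out of the source tree.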
