JSON Web Token Hacking

  • Published on 20 Oct 2024

Comments • 159

  • @LoiLiangYang 3 years ago +76

    Do you prefer Tom or Jerry?

    • @waterandafter 3 years ago +1

      Full disclosure: I know little to nothing about hacking.
      Using these hacks on sites (also your other video on JSON), wouldn't they be able to find you once you try to send a product bought on a site to yourself? Hopefully you aren't sending it to your house.

    • @aksn1515 3 years ago +1

      Hi 'Loi Liang Yang', please, can you do a help for me, please please

    • @anormalguy2529 3 years ago

      Hi hacker Loi sir, kindly make a video on Kon-Boot please

    • @DurgaPrasad-we1yn 3 years ago

      Tom

    • @devesh1721 3 years ago +1

      I prefer myself 🤔

  • @redmatrice4709 1 year ago +20

    Correct me if I'm wrong! But the main reason for using the JWT is to verify the user without the need to connect to a database and compare the values? And also, changing the values of the payload completely misses the signature, which is already encrypted with the secret key and should be rejected in the first place. If someone uses the JWT without verifying it somehow on their website, he shouldn't use JWT at all; it's like giving access to everyone and trusting every user blindly!!
    Steps as far as I know:
    1 - get the JWT
    2 - verify the signature by decrypting it using the secret key (the most important), exp ...
    3 - proceed to the next step (perform any action you need)
    if 1 fails, reject everything
    if 1 doesn't fail and 2 fails, reject everything
    if 1 and 2 don't fail, now you can go to step three and perform the action

  • @JanRautiainen 3 years ago +21

    Interesting technique, another scenario to add to my vuln checking, thanks for sharing

  • @COLMANRYAN62 11 months ago +2

    Brother, I love all your videos. They are concise, quick, no bullshit, no music and you could not have done a better job.

  • @rainfallen1064 2 years ago +17

    I'm a bit confused. I thought the whole purpose of the JWT being secure is that the token CAN'T be manipulated (without knowing the private key). When the KID property, EXP property, etc. was changed, I would assume the server will immediately reject it because the signature would no longer match. Or is the JWT token being used differently in this example?

    • @aquaman8870 2 years ago +7

      Yeah, this won't happen. Why would you ever run or check something against the database if the token isn't even verified? The first step is to always check the token signature, and if that's invalid you just return. Why would you trust a token that isn't even verified?

    • @Unhacker 2 years ago +4

      The signature check just never happened, it swallowed the SQL injection while looking up the key id, before it even got to verifying it. However, I'm skeptical that this reflects the order of those operations in real-world implementations, as others have noted.

    • @flymoracer 1 year ago +1

      The point is that in order to check the signature is valid, you must handle and process the supplied header and payload. If that processing code isn’t written securely, you leave open the risk of an injection attack.

    • @rainfallen1064 1 year ago

      @flymoracer because the ones listening to him are beginners and don't know actual details?

    • @flymoracer 1 year ago +2

      @rainfallen1064 not sure I understand your point here. The difference is subtle, but the important thing to realise is that there's nothing to prevent a JWT being changed; the security comes from being able to detect that it's changed.
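    As an added example (not from the video or from any commenter), this is the verification order @redmatrice4709 lists, together with the point @Unhacker and @flymoracer make about the kid lookup: the key is resolved with a parameterised query, the signature is checked before any claim is trusted, and an unknown kid or a "none" algorithm fails closed. The key table, the secrets and the tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
import time

# Constructed demo secrets; in a real deployment these live in the server's key store.
KEYS = {"k1": b"constructed-secret-one", "k2": b"constructed-secret-two"}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def open_key_db():
    # In-memory key table standing in for the server's "keys" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keys (kid TEXT PRIMARY KEY, secret BLOB)")
    conn.executemany("INSERT INTO keys VALUES (?, ?)", KEYS.items())
    return conn

def lookup_key(conn, kid):
    # Parameterised query: the untrusted kid travels as a bound value, never as SQL
    # text, so a kid like "k1' --" matches no row instead of altering the query.
    row = conn.execute("SELECT secret FROM keys WHERE kid = ?", (kid,)).fetchone()
    return None if row is None else bytes(row[0])

def make_token(kid, payload, key):
    # Mints an HS256 token; used here only to build inputs for verify_token.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(x, separators=(",", ":")).encode())
        for x in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_token(conn, token, now=None):
    """Return the claims only after the signature verifies; None on any failure."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        sig = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                              # refuses "none" and alg swaps
    key = lookup_key(conn, str(header.get("kid", "")))
    if key is None:
        return None                              # unknown kid: fail closed
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                              # signature before any claim is read
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None                              # expiry checked after the signature
    return claims
```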

  • @dmitriylevy7865 2 years ago +2

    How did the key-id with an SQL query from some table that gives you no useful information give you the authorization to delete a user?
    The server-side key id targets nothing and the server does not throw an error, so then it authenticates you?

  • @VineetYadav 3 years ago +7

    While this is a good one, it very much depends on the DAL layer, which is by default prevented by the DAL framework.
    Also someone using JWT must be using some sort of lib, and not directly doing a JWT implementation. So it might not be that practical in the real world....
    Not sure if there is someone that idiotic in the real world who queries SQL directly.

  • @abura1han 9 months ago +2

    Is it possible to hack if MongoDB is being used?

  • @md.riyasathossain590 2 years ago +3

    Sir Loi, it was a great hacking tutorial! But now the thing is, how can "we" secure our JWT tokens and the websites using JWT?

  • @lakshaynz 1 year ago +2

    How did you know which table you needed to insert into?

  • @codasnotif4815 1 year ago +1

    Did you really read those books thoroughly?

  • @vishal4338 3 years ago +5

    From a developer's perspective:
    highly unlikely to happen that someone will query a set of keys just to verify a token.
    Usually, the public keys are stored in some form of cache for a lower response time,
    and the "unsafe headers" are not usually passed down directly to any query.
    If the key is not found in the cache, the authentication fails.

    • @SirAppSec 2 years ago +1

      From an Application Security Engineer's perspective: it happens a lot in the wild, devs make mistakes, even when they are not aware. I saw tokens being only decoded (not verified at all), I saw exploits that occur when the algorithm changes, heck, I even saw SQL injection from a JWT key (the actual key, not the value).
      You don't always have to actually reach full authentication to exploit a web server.

    • @moazsayed7246 1 year ago

      Me, who was just thinking of saving the secure key of the tokens in the database: 🙄🙄🙄

  • @anooppk2341 3 years ago +2

    But the JWT tokens are created using a secret key on the server. So if we change the payload then the server will not verify the token, because the secret will be changed. So will this method work?

    • @lighty262 3 years ago +9

      He forgot to mention that the JWT tokens from his example are unsigned. I'm not sure why he is not mentioning this important part of JWT.

    • @henryofozor1602 3 years ago +4

      @lighty262 not a serious hack, just for the video's sake

    • @oentrepreneur 2 months ago +1

      Ok but what if the secret key is exposed in the JSON web token? Will that make this hack possible?

  • @zzsql 1 year ago

    Good brief, Loi. Thanks. I touch on this subject for the PenTest+ class I teach. Useful content here.

  • @il90 1 year ago +2

    I didn't understand how you knew the key?

  • @S0nxc_1 3 years ago

    Hey, how did you learn to hack, like any courses or like college?

  • @Abasalt_Yar 3 years ago +3

    Hello, thanks for the video. How can we prevent this?

  • @mr.RAND5584 28 days ago

    We must have a long random key. Am I right?

  • @amritpandya443 1 month ago

    How to get an m3u8 link with only the token data, which expires in a 10 second interval and new token data arrives?

  • @FabulousFitsFantasy 2 years ago

    Does it mean you have to know the server containing the key first?

  • @benjaminargueta3777 3 years ago

    How would you protect against this attack?

  • @atlonrg 3 years ago +2

    Woooww Loi Liang, please, please friend, activate the subtitles (es) to be able to follow you more clearly.

  • @Uneke 3 years ago +1

    How did you know the location? Usually I've had to run SQL multiple times to escalate and find location names.

    • @SirAppSec 2 years ago +1

      He's familiar with the database schema/structure via a writeup or earlier challenges. What you can do is route the request via sqlmap with a tamper script that would decode the token, change a parameter to the sqlmap payload, and sign the payload token to the website. That way you can use sqlmap and fuzz the server. Try it with every parameter, and you'd cover a lot of potential entry points.

    • @Uneke 2 years ago

      @SirAppSec I'm not familiar with fuzzing, but I have some man pages I can read on my Kali distro.
      If I can get a grasp, I'll give it a shot.
      Thanks for the advice. Seems like it would make things easier.

  • @Peterb200295 2 years ago

    I've also done this once in a CTF by setting the algorithm to none :D

  • @macbook6507 3 years ago +2

    Thank you Teacher Loi Liang for the educative tutorials 🤝🏾.

  • @hackerxploit7 3 years ago +5

    You always have good vids! 👏 Keep going!

  • @MuhammadAli-zg2nw 3 years ago

    Every website encrypts tokens differently with different algorithms. I tried that website and it didn't tell me token information.

  • @bestbrawlersintheworld2123 2 months ago

    Wait, how did he know the name of the table?

  • @baadrqaaba9529 2 years ago

    So how can I protect my JWT from being hacked?

  • @littleguardian421 3 years ago

    Sir, how do I watch member-only content?

  • @ayoubomari1347 3 years ago

    So how can we use JWT safely?

  • @k1dprogaming108 3 years ago

    I run Linux but I can't use anything because it's telling me to remove kali-menu; when I try, I get an error. Can anyone help me please?? 🙏🏻🙏🏻

  • @НиколайКол-е2и 3 years ago +2

    Yeah, no properly encrypted tokens and no CSRF... what could go wrong?

    • @tunisiaFANS 3 years ago

      Same question.
      I don't know JWT too much,
      but aren't they supposed to be encrypted based on some algorithms and secret keys 🤔🤔
      Can someone explain to a noob please how this is possible...

    • @tunisiaFANS 3 years ago

      And what is the purpose of JWT anyway
      if anyone could mess around with it 😓🤔🤔

  • @chevlonmacguinstudios 3 years ago +1

    Not all accounts have a delete button; they do have an encrypted password, or Gmail handles the password handling.

  • @Creativehand17 3 years ago +1

    Where is the Telegram group for basic hacking step by step? Thank you so much 🤔

  • @mohan___0704___ 10 months ago

    Bro... Any other possible way to find the signature (key)... Explain, bro

  • @snowieow7842 3 years ago +2

    Loi, I swear you're stalking me. I've just been doing labs all weekend on JWT and it was exploding my brain. Now you come along and make videos about this topic? Don't know if it's a coincidence or if you've hacked me.

  • @sto2779 1 year ago

    How do you prevent this type of hack?

    • @dotnet9830 1 year ago +1

      I assume using a verified signature.

    • @sto2779 1 year ago

      @dotnet9830 yes, however, after doing research, JSON is not a good tokenization protocol. Example: the token does not expire instantly, hence when you log out, you really don't log out. The server has no clue about the factual state of the token. Therefore the JSON token is not safe. A security protocol is non-binary: it is either safe or not safe, not both or in between. Good security is my preferred implementation, therefore using Redis cookies/tokenization is much faster and safer. However, setting up Redis is much more tricky.

  • @hocinemhz8610 3 years ago

    1 comment: you're good, man ❤️

  • @rehmankhan6081 3 years ago

    What if a pub or pvt key is in place..? 😒

  • @sto2779 1 year ago +1

    1:18 - "We're trying to remove the cat's account"... That sounds so wrong lmao

  • @theanonymous9110 3 years ago

    Love all your videos dude... instead of hijacking an account I used it to turn my accounts into paid sub....

  • @anormalguy2529 3 years ago +2

    Hi hacker Loi sir, kindly make a video on Kon-Boot please

  • @jasonc6241992 6 months ago

    Holy crap.. my app depends entirely on the claims in the jwt :')

  • @iqbalaramyco5759 3 years ago

    How to create an apk like open slot?

  • @jjones3705 2 years ago

    Really good and informative vid!

  • @ramlal-kq1qr 3 years ago +3

    Make a video on SQL injection

  • @erenyt-f7y 3 years ago +1

    Sir, please can you tell me how to join your Telegram

  • @swonghobby 3 years ago

    Hi, here's a quick question if I may. Newly formatted Win 10 system, installed a few applications, suddenly I saw the mouse move and one of the desktop icons was duplicated. I quickly shut down my machine and rebooted it. Is that a way to try to steal the login id and access to an account? Should I reformat the computer again? Thank you

  • @junaidanser7182 3 years ago

    Hello,
    How can I join your TH-cam channel from Pakistan?
    Warm Regards.

  • @Jeridi 1 year ago

    Yeah, exactly, so how can I make this safe on my web?

  • @SonidoScoobyDoo 8 months ago

    There are tons of videos about this, but none about PREVENTION

    • @never_ask_my_name 1 month ago

      Just use an ORM, or sanitize your query before sending it to the DB

  • @loveUbleach4ever 3 years ago

    Bro, you scared me to death; my entire career is messed up because I use JWT token auth for users all the time

  • @nextpage5707 3 years ago

    That's why I add an encryption layer. To make it "harder"

  • @mohammedalthamy367 3 years ago

    Hi, does anyone know how to watch a video protected with a password in the Video Master app

  • @alucardtech2136 1 year ago +1

    Everything on TH-cam about hacking is already exploited and patched

  • @alkasahani9636 3 years ago

    Is AdGuard DNS safe?

  • @teeyaar 3 years ago

    You're awesome, thank you for sharing 😊😊

  • @johnwayne8059 3 years ago

    Yeah man, thanks for your vids!

  • @natzen770 11 months ago

    Can you help me to hack a token?

  • @blendersovann5123 3 years ago

    Sir can you me how to hack random android password ?

  • @vinayaklakhotiya2964 3 years ago +1

    How to hack an RS256 JSON web token?
    Can you please make a video on that

  • @audiosmarts675 3 years ago

    Thanks for the informative video!

  • @b391i 3 years ago

    Keep Going 😇👌

  • @leighton138 2 years ago

    I want my PlayStation account back. I have not been able to log in in years and stupid Sony won't give it back to me since I don't have a 4-year-old payment option; I have no access to it even though I have proof on bank statements, and I have no access to an old email it might be on, or my account for Sony got hacked.

  • @liamsoccerpro3040 3 years ago

    Love your videos

  • @christiancurtcruz3979 3 years ago +1

    Is hacking a sin?

    • @dangerouslystupid2912 3 years ago

      You can use your power for good or you can use your power for bad. The choice is yours but don't forget consequences are real.

  • @shortkalam 3 years ago

    Thanks for what you did. Please, can you upload a video on how to hack wifi passwords with the Termux app??

    • @aminemunire3605 2 years ago

      Termux is weak, and you need a wifi card that supports injection; connect it through a USB port and apply the same steps as in Kali: aircrack n-g moon-Wlan0
      Better to use Kali, because the phone will heat up quickly, the battery will drain, and the phone will be ruined.

  • @mohammedalimedo5632 6 months ago

    There is no translation available into Arabic

  • @melvinpatomendoza 3 years ago

    Yes.

  • @TruthSeekerClub 2 years ago +1

    You make it look like a toy.

  • @SonaliSingh-ri6jq 7 months ago

    Amazing

  • @neverreality5150 3 years ago

    Bro, create a video on your roadmap in hacking

  • @HamidHamid-ds9uy 3 years ago

    Keep it up, bro

  • @itsmeagain0 3 years ago +1

    Can you do a tutorial about what is involved in online game hacking?

  • @jissjose1382 3 years ago

    Now that's what I call real hacking

  • @RATUSUKUNA 3 years ago

    How to shut down other people's computers?

    • @bahahamdi503 3 years ago +5

      start with reading your name

    • @mr.smartech 3 years ago

      @bahahamdi503 🤣

    • @RATUSUKUNA 3 years ago

      @bahahamdi503 lmao, I had no other name

    • @RATUSUKUNA 3 years ago

      @bahahamdi503 baha ha hahahahha

    • @PASTRAMIKick 3 years ago +1

      Go to their home/office and click shutdown

  • @darwinmanalo5436 3 months ago +1

    This is bullshit. Just for content's sake.

  • @tekklov2646 2 months ago

    I prefer Jerry

  • @sumitchahal3972 3 years ago

    Super cool

  • @aksn1515 3 years ago

    Hi 'Loi Liang Yang', please, can you do a help for me, please please

  • @bilalsuleman7741 3 years ago

    I think all techniques on YouTube will be blocked soon

  • @richietech2398 3 years ago

    Can you provide a video on how to install Kali Linux on a 64-bit PC?

  • @dadogwitdabignose 1 year ago +1

    I love hacker Loi to death, but he's starting to become a script kiddie

  • @nabeelgulzar269 3 years ago

    ❤️

  • @vilius1532 3 years ago

    Can you play the game Grey Hack?

  • @jaeger809 3 years ago

    Pink panther

  • @tuuguu1438 3 years ago

    Huh

  • @thunderx3005 3 years ago +2

    Jesus Saves, John 14:6 amen 🙏🏾

  • @Dahlah.FightMe 3 years ago

    OMG

  • @deadwarrior4981 3 years ago

    Sir, do a video on installing MITMf in the new Kali release 2021; we are getting many errors while installing. Please do a video on installing MITMf without getting any errors, please please please sir

  • @nrahman1745 3 years ago

    1st view

    • @jonttan03 3 years ago +2

      I don't remember asking, though.

    • @bahahamdi503 3 years ago

      @jonttan03 easy, bro 😂

  • @snofy972 1 year ago

    Hi, may I ask what kind of token this is? And how to decode and encode this kind of token. FYAmWWi2cCtjIqwYtCllSGz-ZV3mZ5yRWQ_PK4RQR3A