Taking over a website with JWT Tokens!
- Published on 12 Oct 2024
- In this video, I'll talk about the JWT (JSON Web Token) algorithm confusion attack. The root cause is a server that supports both an asymmetric signature algorithm (RS256, verified with a public key) and a symmetric one (HS256, verified with a shared secret) and lets the token's own header decide which one is used. If the same key material is handed to both code paths, an attacker who knows the public key can sign a token with HS256 using that public key as the secret, forge his own JWT, and give himself superuser/administrator permissions on the server.
Disclaimer: This video is intended for educational purposes only. All penetration testing shown here is done in a controlled environment (PortSwigger lab) and should not be attempted on live systems without proper authorization. I do not condone/encourage any illegal/malicious activities.
Here is the PortSwigger lab I used in the video: portswigger.ne...
Join my Discord: / discord
Follow me on Instagram: / teja.techraj
Website: techraj156.com
Blog: blog.techraj15...
Thanks for watching!
SUBSCRIBE for more videos!
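The script below is an added example written for this page; it is not code from the video or from the PortSwigger lab. It shows the confusion described above end to end: a server loads one key blob and, depending on the token's own `alg` header, verifies it either as an RS256 signature or as an HS256 MAC. Because the attacker knows the public key, an HS256 token keyed with that same blob passes the vulnerable verifier, while a verifier that pins the algorithm rejects it. The RSA here is a toy textbook signature over a SHA-256 digest so the script runs on the standard library alone (a real server uses RSASSA-PKCS1-v1_5 from a crypto library), the `n:e` text stands in for the PEM the server would load, and the usernames and claims are constructed sample data.

```python
import base64, hashlib, hmac, json, random

E = 65537  # standard RSA public exponent

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Toy textbook RSA over a SHA-256 digest (constructed for this demo; real servers use RSASSA-PKCS1-v1_5).
def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if is_probable_prime(cand):
            return cand

def gen_keypair(bits: int = 512):
    """Return (public_key_bytes, private_key); the 'n:e' text stands in for a PEM blob."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return f"{p * q}:{E}".encode(), (p * q, pow(E, -1, phi))

def rsa_sign(signing_input: bytes, priv) -> bytes:
    n, d = priv
    m = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_verify(signing_input: bytes, sig: bytes, pub_bytes: bytes) -> bool:
    n, e = (int(x) for x in pub_bytes.split(b":"))
    m = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == m

def hs256_sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def encode(payload: dict, alg: str, key) -> str:
    # key: RSA private key for RS256, HMAC secret (bytes) for HS256
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    sig = rsa_sign(signing_input, key) if alg == "RS256" else hs256_sign(signing_input, key)
    return f"{header}.{body}.{b64url(sig)}"

def decode_vulnerable(token: str, key: bytes) -> dict:
    """Obeys the header's alg and uses one `key` as both RSA public key and HMAC secret."""
    h, b, s = token.split(".")
    signing_input, sig = f"{h}.{b}".encode(), b64url_decode(s)
    alg = json.loads(b64url_decode(h))["alg"]
    if alg == "RS256":
        ok = rsa_verify(signing_input, sig, key)
    elif alg == "HS256":
        ok = hmac.compare_digest(sig, hs256_sign(signing_input, key))
    else:
        raise ValueError("unsupported alg")
    if not ok:
        raise ValueError("bad signature")
    return json.loads(b64url_decode(b))

def decode_hardened(token: str, pub_bytes: bytes) -> dict:
    """Pins the algorithm server-side; the header's alg is checked, never obeyed."""
    h, b, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        raise ValueError("algorithm not allowed")
    if not rsa_verify(f"{h}.{b}".encode(), b64url_decode(s), pub_bytes):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(b))

def demo() -> dict:
    pub, priv = gen_keypair()
    legit = encode({"sub": "wiener", "role": "user"}, "RS256", priv)  # constructed sample
    # The attacker knows only the public key and forges an HS256 token keyed with it.
    forged = encode({"sub": "administrator", "role": "admin"}, "HS256", pub)
    out = {"legit_vuln": decode_vulnerable(legit, pub)["sub"],
           "forged_vuln": decode_vulnerable(forged, pub)["sub"],
           "legit_hardened": decode_hardened(legit, pub)["sub"]}
    try:
        decode_hardened(forged, pub)
        out["forged_hardened"] = "accepted"
    except ValueError as exc:
        out["forged_hardened"] = str(exc)
    return out
```

`demo()` returns `forged_vuln == "administrator"` against the vulnerable verifier and `forged_hardened == "algorithm not allowed"` against the pinned one. The fix is not a stronger key but refusing to let the token choose its own verification algorithm: decide the algorithm (and the key type that goes with it) on the server, and reject anything else, including `alg: none`. In PyJWT that is the `algorithms=["RS256"]` argument to `jwt.decode`; most other libraries have an equivalent allow-list.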
This attack is useless if the server checks the DB for user roles which pretty much all of them do.
Yasss.. when there are RBAC-based actions.. but most of them rely on the token itself.. without querying the DB for every new req..
So just a validation can prevent it
@Param3021 verify the signature.. and only issue RS256 tokens..
It's not just about roles; many servers store the user ID as `sub` to identify which user is making the requests. If you can change that, you can essentially use someone else's account.
@phaneendhraajaythota1025 and why would you do that?
3:37 The public key cannot be used to decrypt; it's only used to verify that the private key signed that message..
I store JWTs in the database and use middleware to confirm the existence of the token with each subsequent request. If the token isn't in the database, it means we didn't assign it, so absolutely no access for that poor hacker 😆. He should really feel ashamed at this point!
Then why use JWT and not sessions?
Video starts at 4:56 if you already know what JWT is
Thanks a lot
From all the videos I've been watching all these while, yours would be the only legit Informative ones... Man, you're supposed to be elsewhere... Hats off brotherman
This isn't a vulnerability in JWT but a skill issue on the dev's end.
JWT has 3 strategies:
1: Allow list
2: Deny list
3: JTI matcher
This attack is useless for the allow list strategy.
JWT is not about encryption, it is about signing. Only the private key can be used for signing; the public key is used to validate the signature. I guess something is wrong with your application, not the JWT mechanism.
How can I as junior backend developer avoid this vulnerability 😢
as a backend dev you should know already tbh
It's just a frontend thing unless the backend is an open API with 0 permission checks.
For every request requiring permissions, those permissions need to be checked.
@dogefluvial7697 depending on what you said, I won't face this vulnerability if I specify the permissions and use the honeypot, so it's simpler than I expected.
Prob just by using frameworks from 2024
Great video as always!
I wonder how many websites have this kind of bug. Good luck
Why do you want to implement HS256 at all? If you are a new dev you may want to because of simplicity, but it's not a big task to convert to RSA256.
what is the use of public key? data is encrypted and decrypted using a private key, and if you can encrypt data through public key, then it loses its meaning of security, or can you only check the authenticity of a signature through public key?
PS and why not just use HS256
Weird.
First of all, why do you encrypt your token with an asymmetric key?
And what the heck is this logic at 4:05
Is the attack useful if HS256 isn't configured? Like at 4:05, if the elif statement isn't there, then will it work??
no
Where can I find the public key on real websites?
Awesome video! Actually learning what hacking really is
Awesome buddy 🔥🔥🔥🔥〽️
Please I need your help 😢
I fix the issue by only verifying the signature if it's RS256 and deny the rest.
In a real scenario, where do you get that public key?
It's found in cookies or localStorage on the client (browser).
Anywhere for sure 😹😹😹😹
2:24
Totally wrong information. We can nicely store sensitive data within a JWT and there's 0 possibility to decode this with knowing the secret. Just make sure to keep your JWT secret strong.
Nope, you can decode a JWT without the private key.
The music is too loud, but great video.
new settings. nice.
We store JWT in HTTP only cookies
Nice video , Loved the content
I need help
Please remove him from shadow ban YT 😠
❤❤
Algordim
Every realm has rbac kid 🤣
3:20 I guess you interchanged those terms (private key -> encrypt, public key -> decrypt); it should be:
Private key -> Decryption
Public Key -> Encryption
Correct me if I am wrong. Overall the video was amazing, I really learnt something new...
Asymmetric Encryption vs. Signing
1. Asymmetric Encryption:
In traditional asymmetric encryption, you encrypt a message with a public key and decrypt it with a private key. This ensures confidentiality.
2. Digital Signatures:
When you sign data (like a JWT), you create a hash of the data and then encrypt that hash with your private key. This process doesn’t provide confidentiality but instead ensures integrity and authenticity.
ChatGPT
FIRST :)
What the heck is this logic at 4:11 ?? 😂 this logic totally defeats the purpose of private key
People really need to learn what HMAC and RSA actually are and how JWT works.
HMAC encryption never ever uses a public key. If a server and client follow HMAC, then they share a secret key, which is a private key that only the server and client know and is not shared with anyone. The server uses this private key to verify the token.
The RSA encryption method uses public and private keys. The private key is kept secret on the server and the server uses that private key to verify the token.
No matter what encryption method you choose, the private key will always be used to verify the token.
If you are using the public key to verify the token on the server then 💀
Idk what this guy has hacked in this video 😂. Good luck hacking other websites.
olgoridm😅