Damn doing Unearthly shop with the Guzzle gadget was cool. I ended up doing a dirty for loop to test every payload in phpggc and found some of the monolog ones work in the frontend, so my serialized object was just like yours, except with a boilerplate phpggc payload as the second element of the array. Your way was cooler though!
Ah that makes sense. I think I missed that gadget. Tbh I'm glad I went the more manual way and found the PDF, taught me a lot.
I have a question about the Didactic Octo Paddles challenge: I didn't understand why we need to inject "none" but not all lowercase. If that's the case, we can insert any different string, right? Because "string"=="none" is always going to be false, whether it's "None" or another "string".
Hi Ahmed, great question!
If you look at the code at 44:08, lines 27-29 show the code which is run if the algorithm wasn't "none" or "HS256". In this instance, the algorithm is still provided to the verify function (line 28), which means it has to be a valid JWT algorithm according to the JWT library being used. So if "string" were used instead, the verify function would fail and the user object would be null. Since algorithm names are case-insensitive in JWT, we can provide either "None" or "nOnE" or "NONE" etc, get past the main check for the string "none", but still allow the application to verify the JWT.
Hope that helps!
@Tib3rius didn't check the notification, so here I'm responding after 3 weeks xd. Yeah, I totally get it, thanks a lot for explaining & sorry for the late answer.
No problem, glad I could help!
Nice work. I did not get UnEarthly Shop during the CTF. :(