How Hackers Hack JSON Web Tokens
Vložit
- čas přidán 21. 10. 2022
- // Membership //
Want to learn all about cyber-security and become an ethical hacker? Join this channel now to gain access into exclusive ethical hacking videos by clicking this link: / @loiliangyang
// Courses //
Full Ethical Hacking Course: www.udemy.com/course/full-web...
Full Web Ethical Hacking Course: www.udemy.com/course/full-web...
Full Mobile Hacking Course: www.udemy.com/course/full-mob...
// Books //
Kali Linux Hacking: amzn.to/3IUXaJv
Linux Basics for Hackers: amzn.to/3EzRPV6
The Ultimate Kali Linux Book: amzn.to/3m7cutD
// Social Links //
Website: www.loiliangyang.com
Facebook: / loiliangyang
Instagram: / loiliangyang
LinkedIn: / loiliangyang
// Disclaimer //
Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers. - Věda a technologie
What does JSON stand for?
Btw nice videos keep it up
JavaScript Object Notation❤️
JavaScript Object Notation
Java's Son on Nite
Jesus Christ… that’s JSON Bourne!!
this is a very vulnerable backend that won't exist in real world
Thanks for the tip, i immediately stopped watching the video after reading your comment.
Details needed if want you to oppose a video , otherwise it's just your word against his with no proof , In short no one will care
@@RichardPhillips1066 alg:none is not accepted by any real world website. Also storing password in JWT as MD5 hash is even more stupid
Yes this site is intentionally vulnerable as a learning tool, but you'd be surprised what fuckery people do when they're lazy
@@SergeiKarimov both has happened a lot and may even still be happening. But this is a webgoat which is meant to demonstrate why it is not a good idea to forget about alg:none.
I've recently began using JWT tokens, after seeing the title I figured I'd better watch this. I then learned that no developer would ever make this mistake and gave up watching anymore
Lol. You're wrong then. Quick to judge, fool. Plus, you didn't end your last statement with any closing mark(s). 💀🤡
O.o Plenty of bounties rely on these API keys since API keys are barely looked at by most security people, and by most web developers, as plenty of successful ethical hackers explain they get paid a ton by these exploits. Many don't encrypt keys, leave them out in the wild, and then they're weak algorithms to begin. They're not encrypted, they're just hashed. So, you're just wrong on that.
A lot of haters in the comments, but plenty of us realize plenty of people do make their sites vulnerable with bad API keys. Lol. Just as many say they wouldn't use a default password, or fall for phishing, but many do. 💀💀💀🤣🤡😅
Nope if i wrote that backend.
1. Never put password in payload.
2. Password should be hash not encrypt
3. if the algorithm does not exist in header of JWT then it returns 401
Can still you beat that?
Let me know
He also used md5 which was broken like 15 years ago. Even if you put password hash in JWT by mistake, if it was any decent hash like SHA256 he wouldn't be able to do anything
@@IvanRandomDude anyway, what kind JWT sistem does't verify incoming JWT, right?😂
@@IvanRandomDude looks like the video is just for entertainment
yep, true.. always remember, never put password in JWT payload.. even if u already bcrypt the password, still, don't ever put it inside JWT payload..
Noone can, just targeting high rank keywords for hackers dumbs for views
Good in theory but in practice, everyone would use a secret key with jwt so you wouldn't be able to decode it like that, then passwords would be hashed and not encrypted, and they shouldn't appear in the payload. It's like lockpicking an already opened safe
The original JWT did have a secret key (using the RS256 type). He intercepted and sent over a perfectly valid JWT after modifying it. The real problem is that the backend server accepted the "typ: None" JWT. When it should ONLY be allowing and validating "typ: RS256" JWTs. The backend server is poorly misconfigured.
You would be able to decode it, but not to forge it like this. Any normal web backend would check the signature of the JWT and notice that it is forged, and that's where this attack would stop.
Exactly. only the jwt token without passwords and email. should appear on the payload. 👏👏👏
exactly
@@pixelotetm and id should be a guid, not the number
No one will put passwords inside a JWT, because you use JWT as an encrypted personal token that holds basic user info that helps to simply identify that user, mostly through a user id (uid), uuid, username or email. It could happen obviously that there is a dev out there that will put the password in it, but then that guy will probably work for a company that isn't even worth mentioning in the first place, lol.
Hello, what is the way that we can get the details of the registrar of a website when the information is displayed secretly on the DNS collapsing websites? For example, the registrant's email or any other information? Because some hostings display this information secretly? Is there a way?
This is highly unlikely situation, but yeah a determined hacker and a foolish developer, anything is possible.
what if there is only the user id stored in the token for eg i use that
Hi! A while ago, I tried applying for a job, and then this lady sent a link, saying it’s software that will be used in applying. So, I downloaded it to my PC and extracted it from the download folder. After installing it, a message popped up saying that my files were gone and I needed to pay to get them back. They are also threatening to sell it on DarkWeb. Is there any way to get my files back without paying? I can’t pay because I don’t have money and there’s no assurance that they will give back my files.
Do a roll back if you are on windows, back to a previous saved point.
Video Suggestions:
1. Video About wireshark And wifite
2. Video on how to hack any pdf's password with "rockyou" wordlist
3. Make a video about anonymity with kali "whoami"
4. A video on how to dual boot Kali Linux
5. A video a on BYOB Botnet
6. Full tutorial about Burpsuite
what kind of backend does not verify jwt?
You explain like a learner not a tutor and we understand as a master trainer ! Too good! From india
Sir awesome your explain....which year did you learn hacking course?
Hello
Can you help me my microsoft account got hacked and you seem as you can get it back i already contacted microsoft but they said they cant access it either because he changed the security Informations so please help me and if you cant do you know someone who can ?
Does samsung knox protect the phone from hacking
ok, ignoring what others have already pointed about displaying the password in the token payload and using insecure algorithms... Why is the password even there? you just sent a jwt with the admin username and your password, so either the admin password is the same as yours -and an important step of this video is forging a token for the user you are trying to impersonate- or the backend just doesn't check anything at all and you could just sent an empty jwt with role admin and call it a day.
Site who dont check for jwt signature deserve to be hacked
Thats tutorial only for entertainment purposes 🤣
Thanks! I've been searching how to get it and this is brilliant :D
JWT are used for many years. Standard technology. If there was a flaw in this tech making it hackable would you first hear it on youtube? These are entertainment videos, if you fall for the style of this guy.
Loi Yang , I saw this video what if you change the role customer to admin ? Would it be more easy to bypass I guess ? Or I am wrong ?
Please I need your help someone is trying to hack my website by creating multiple user account what can I do
You don't put passwords (even hashed) in JWTs
You check if the hashed passwords match and then you never use the password again. You use JWTs and you refresh them.
On top of that he used md5 hash that was broken like 15 years ago and it's easy to reverse.
@@IvanRandomDude you are confusing preimage resistance (which is still strong for md5) with collision resistance (which is the weak point of md5). While it is still not easy to reverse an md5 to the original value, you can find other values that will be hashed to the same encrypted sequence.
Passwords never appears in JWT. Just ids or roles. And we verify the token with certs every request so its not a problem :P
Wow your the real Mr.Robot with full explanation. Thank you for the video.
I learned a lot from you
Thank you my beautiful teacher loi
I wish I could shake hands with you in real life ❤️❤️🌹
im junior web frontend, i use jwt in nextjs. but i create my backend(nestjs) app to set secret in jwt and never set password in the payload of jwt just set sub/id and ername/email. i think in the production people never set password in the payload and will set jwt secret. cmiiw
So this website does not verify the token and its signature before processing any requests, right? 😅
Nahh u only have those info because ypu are logged in though...
@@yoonahworld Nah~ every systems I have developed, i will check that user and token signature match with data in cache (like Redis) at least.
This is a rather poor example of abusing JWT's, JWT's are never used raw like this, it's common practise to sign them with an algorithm + secret so that the API can verify it has not been tampered with.
Awesome tutorial Loi! As always thanks for sharing!
LMAO!! I was rolling with that "super secure password"
explain about how we can exploit a camera over network
Usually the password is never contained in the jwt for security purposes....
The point of the video is not get the password in the jwt. Is forge it
i think the only time the password will appear is if the developer set it as "1" in Controller....
How to gunzip a compressed payload?
Nice video, but when I use the MD5 decoder it comes back as "Bad Format"... Doesn't work.
how do you get past the secret
Great. I can prevent hacking by your video. Thank you.
He demonstrated the most basic alg:none exploit which you won't meet in a real world
This is if u try to hack a noob developer :D
JWT_Tool automates the task but most of the websites have protection against the None algorithm attack
I tried and it is installed thank u very much anda
Given up on members only? Either way, excellent vid! Any chance you could do a tutorial on c2?
wdym by tutorial on C2, its just command and control from server - client / client - server setup, idk what kind of tutorial you need in this 🤔
Please make a video on captive portal setup on router🙏❤️
CAN YOU HELP MAKING VIDEO ON GETTING ACCESS TO SAVED PASSWORDS On ANDROID APPS OR PASSWORDS SAVED IN BROWSERS.
hold on a second, who made that JWT? how would anybody add password there! that's nonsense. More than hacking this is just bad software development example on that website creator 🤔
Have you ever thought about doing digital forensics? so you know what forensic investigators look for to catch hackers and you can know how to evade that detection.
he exploits very basic vulnerability alg:none which is virtually impossible to meet in a real world
@@SergeiKarimov I was talking about the phase of covering tracks... similar to how you would disable auditing, delete logs and then use cipher.exe to overwrite the deleted files to cover tracks.
how does one hack slmail?
Thank you so much you really help me :)
this is a bad implementation of the standard. Especially the password and the algorithm which we must enforce on the backend and never take it if it is none...
you deserve to be a comedian 😆
he is not?
Why would the server respond as OK at 11:43 if the password in the json token for the admin account is possibly wrong?
well you're right, but fun fact the admin password is 12345678 too.
Why??
This is basically "How Hackers Hack minecraft fanblog not updated since 2010 written by a teenager as a first website project". Plaese have some decency to provide information about how extremely insecure an api has to be for it to work. At least explain how JWTs work and how they are protected if you're "teaching".
Which is why no framework/library/website allows alg:none by default.
what foolish developer would even put their passwords in the JWT claim?
Hi i’m new here how can i get membership ?
The password is in the claims of the jwt?!? No one does that. And if they do they should not have
MD5 can't be decrypted unless you have a dictionary, so this wouldn't work in real life if the owner of the system is not that predictable, but I always watch your videos because you explain so well everything. Keep up the great work!
Ever heard of rainbow tables? Also there are all sorts of MD5 decryption programs. And shitty password security is one of the most frequent vulnerabilities hackers use. But nowadays no framework/website will use MD5 by default. Or allow alg:none in JWT.
LinkedIn got hacked in the past due to md5 hashing their passwords. I suggest not to do it ;)
@@kimgysen10 wait, seriously? they really used md5?
@@Andreas-gh6is Yes, but at the same time if you salt your hash, the attacker may never crack it
how about bcrypt? is it better than md5?
My Facebook account hacked not showing in Facebook help me to recover I don't have money plzz help
I'm learning about JWT and you explained it better
anyone who doesn't know how JWT works will say he's the best.
that's tutorial for entertainment purposes only 🤣
He explained how not to use them.
Password in jwt is nuts. Then why use jwt at all, might as well use basic auth. On top you have TLS,. You can't really steal the jwt, unless you make some extremely complicated XSS attack that probably won't work after all when you're lucky enough to ever get a script into the site. Even then, you can't steal it unless the developer put it somewhere where you can reach it, which you probably can't. To hack a site with even just the most default measures, you have to be very, very motivated to hack it. For the majority of sites it's just not worth the time, and for those that are worth it, this isn't going to work.
Exactly! jwt is used in place of a password. It's like a password in a sense but only valid for short period of time. so if you do manage to get a user's jwt. you have to use it within a short period of time ( usually less than 4 hours ) before it becomes invalid and prompting you to login with the real password. Taking into account the effort and time needed to steal a valid jwt. You have to use it immediately which will alert the user to a breach! furthermore there is nothing you can do to extend the expiration date. absolutely not worth the effort. I would rather try to steal the real password instead.
Just make sure to use REDIS to validate the token.
Everyone, don't be too harsh on him, he's doing this for the general public. Not for programmers. Of course no serious site uses this sort of plain data without salt etc.
:3 Plenty of bounties rely on these API keys since API keys are barely looked at by most security people, and by most web developers, as plenty of successful ethical hackers explain they get paid a ton by these exploits. Many don't encrypt keys, leave them out in the wild, and then they're weak algorithms to begin. They're not encrypted, they're just hashed. So, you're just wrong on that.
That backend is bonkers
Nice video, it works!
Excellent video. I am now trying to hack my own API 😂😂.
If we provide algorithm while decryption then we can avoid this attack
What
Yes, just check the token algorithm and verify its signature for any requests
Lol is very vulnerable backend. Stores the password of the user in the JWT, it doesnt make any sense, cause this is the purpose of the JWT
can you beat Bjorka?
backend devs are suposed to DO NOT send back the password.
He lost me when he said " change the token to admin " doing so invalidates the token. The server will reject the token !!
But the server didn't though! Changing the type to None made the token valid again because it doesn't need a signature anymore. The server is intentionally misconfigured to accept None typed tokens.
@@Elte156 Oh... why would any developer accept an unsigned token?
@@macctosh they wouldn't intentionally. There was a few auth0 articles about notifying JWT library maintainers to check against this exploit back in 2020. Using "None" has an internal use case and it is valid according to spec.
@@Elte156 Wow... I didn't know... thanks.
Hi Loi. Nice video - would you recommend sessions for API's that need more security ?
haha
there shouldn't be a password claim in the token
Hello Mr yang are you available to hire
Hi Chriss, chat my telegram ☝️
Yes Bro nice work and nice video
Hi sir! Please sir can you please help me. I've been scammed. I don't know what to do anymore. For the chance of taking my money back I ask for help of people i thought will help me but they just ask for money an they give my money back instead they got money from me. Please help me sir. I cant sleep anymore
could u maybe try to figure out a prevention for this.....ya know before you post this code tutorial that a criminal may use to steal from to the public internets???
1) Don't put the password, or anything intended to be secret, in the JWT
2) On the backend, make sure the specified algorithm is the one you expect (and definitely not none), and that the signature is correct (which an attacker can't forge after modifying data unless they know the key, which should be a secret)
I don’t understand why you would put a password in a jwt the server already has it. But if it did it would be salted and sha256. Md5 was like 15 years ago and even then it would still be salted.Also algo:None doesn’t work on real websites.
Thanks!
Hacker Loi this is great info. How do more of this kind
Which best to learn C or C++
c++
Why c++ is better than C
Pls help. How to hack the location of the person using phone number? I also need to hack his computer and phone to delete some photos 😭😭😭 pls help me.
Hi Sandra, chat my telegram
you are awesome
hey man I am from africa and I dont have the money to be an exclusive member so i was just asking if you could give me a pass to your membership
💜💜sir plz your hacking lab setup please 💜💜
Make a video on Openbullet 2
Yeah, I'm using whitelist.
Also the only thing I'm puting in my payload is user id which is in uuid, good luck finding the admin.
A way to talk with you 🥺
Computer specs reveal plsss
well, thanks mr Loi
Hey guys Let me know, where are you from?
Comment below
I'm from India 🇮🇳
this is tutorial "how to make JWT inside your app authentication hackable"
We want discord
There anyone have discord for learn hacker?
Send to me
This is really unrealistic. No professional programmer worth their salt would ever right a backend like the one you hacked. Good programmers never store sensitive data in a cookie, they don't use outdated MD5, and they use private keys or other tokens to encrypt.
Please😭😭😭😭 can u creat wifi hack in termux
This is the problem for all web backends that are written in js
Jet Skis on Neptune
Now I know how to hack Jason's password. Didnt knw every was after him as well.
Ah yea, the good ol' md5 hashed user password inside jwt claims. Classic
I won't answer that for you Loi
thats overly simple, all based on unsecured cookies and only encoded. This is early 2000's hacking ahahahha