Cracking JSON Web Tokens 

The Cyber Mentor
Subscribers: 770K
Views: 56K

00:00 intro
00:25 JWT primer
01:54 JWT vs SessionIDs
03:30 Code review
06:25 Testing our JWT
09:02 Cracking JWTs
11:38 Decode vs Verify
13:15 Further study
Pentests & Security Consulting: tcm-sec.com
Get Trained: academy.tcm-sec.com
Get Certified: certifications.tcm-sec.com
Merch: merch.tcm-sec.com
Sponsorship Inquiries: info@thecybermentor.com
Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: amzn.to/31GN7iX
The Hacker Playbook 3: amzn.to/34XkIY2
Hacking: The Art of Exploitation: amzn.to/2VchDyL
The Web Application Hacker's Handbook: amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: amzn.to/31HAmVx
Linux Basics for Hackers: amzn.to/34WvcXP
Python Crash Course, 2nd Edition: amzn.to/30gINu0
Violent Python: amzn.to/2QoGoJn
Black Hat Python: amzn.to/2V9GpQk

Category: Science

Published: 29 Jul 2024

Comments: 93
@crusader_ 1 year ago
Please make an hour-long video if need be. I'll watch it.
@IamFrancoisDillinger 1 year ago
Idc if a JWT video turned into an entire course, I'd buy it....and watch it. More JWT content!
@biplobmanna 1 year ago
+1 for more JWT content
@hafribilal 1 year ago
+10 for more JWT content
@SheeceGardazi 1 year ago
1
@mfsbo 1 year ago
This is one of the best demo code I have seen with video explaining clearly. Keep doing more of these. ❤
@NoNonsenseScalping 1 year ago
You're a great instructor. Keep it up
@biokode 1 month ago
Would absolutely freaking love a JWT deep dive 🤩
@MirkoVukusic 1 year ago
Very clear explanation. I'm all for deep dive too. Make it a series if needed.
@aaftabahmed6876 1 year ago
Yes, I am excited to see more content on this... Like you said, header injection and all. I'll be waiting for the next video.
@SplitUnknown 1 year ago
Please make a full deep dive on JWT
@xjamps 1 year ago
JWT Deep dive please!! Thank you!
@hashamkhan7951 1 year ago
Yes, we love watching more videos
@pabloreydaniel 1 year ago
You are awesome!! Very clear and informative. Deep dive into JWTs!! Keep up!!
@philipschlesinger7595 1 year ago
Yes please make a deep dive of JWT attacks!
@SlowMowLife 1 year ago
Yes we would like to, thank you for the effort!
@cervece41 1 year ago
I would definitely watch a JWT deep dive, looking forward to it!!
@youcef2851 1 year ago
That was great and simple, thank you
@youcef2851 1 year ago
@darkside_hackers... you guys still exist?
@a5tr00 1 year ago
Yes please! Btw, very comprehensive way of explaining things! 👍
@valghyna7668 1 year ago
Nicely put together
@nagrajcool 1 year ago
Yes would love more content on JWT
@SonAyoD 1 year ago
Super insightful! We need a deep dive!
@Kinoti9 1 year ago
Great video, excellent explanation, I would definitely watch however long the video might be.
@tiagosutter8821 1 year ago
Great content, thank you
@faisalalhoqani6151 1 year ago
It's a great demonstration we will be happy if you go deep into it. We have to know how to protect our work.
@tusharabbott 1 year ago
Would love to see JWT Deep Dive
@ca7986 1 year ago
Amazing content! 🤟
@pentestingpurpose9571 1 year ago
Yes please, those videos are very useful.
@JohnoScott 1 year ago
This is an important topic to me. Would love another video that goes deeper.
@COLMANRYAN62 4 months ago
Great Video!
@Dude29 1 year ago
Great video!
@friedpizza262 1 year ago
Always using JWTs but never taken the time to learn more about them. I'm all in for a deep dive!
@ibrahimmuhammad4194 1 year ago
Thank you!
@Vlad1998996 1 year ago
Go on. It's very useful
@vinod.j7469 1 year ago
Yes sir, make a JWT deep dive. I loved to watch, it's very useful to me
@Dygear 1 year ago
This is a great video! Do you have any experience using JWTs in place of cookies?
@ahmed_pinger 1 year ago
Awesome Video ♥️♥️, please deep dive video
@dimuthdeja7859 1 year ago
Explained it well. Please make more videos. I won't miss it.
@e-francis 1 year ago
Willing to watch a JWT deep dive
@BHFJohnny 1 year ago
I am absolutely for a JWT deep dive 👍
@nightninja8128 1 year ago
3 hour video about JWTs sounds great. Also, what application were you using to test?
@RonalsonFilho 1 year ago
JWT deep dive FTW!
@reubenroyal4234 1 year ago
We are willing to watch it and have the patience, so please make it lol
@bonesseben5682 1 year ago
Please do!!!! So cool. I promise to watch ;-)
@briantoo4390 1 year ago
Nice Video
@OpeLeke 1 year ago
Great tutorial
@kodukoders 1 year ago
Yes, I want to watch it
@angryman9333 1 year ago
Wow, idk if it was the fact u were using JS or I'm already familiar with this kinda stuff, all I know is I really enjoyed watching.
@oah8465 1 year ago
Fantastic video, can you share the GitHub repo so we can tinker around with the code?
@rakhisingh9797 1 year ago
Bro, pls tell what we can do to secure a JWT token?
@VishalPatelblogjocker 1 year ago
What is the solution to prevent brute force?
@hazed69 1 year ago
We would love to watch a JWT deep dive
@karthiklingala5673 1 year ago
Please make a video on algorithm confusion and header injection
@OMER3-1-3 1 year ago
More JWT content!
@chinmaydivekar8837 1 year ago
Please make a deep video on JWT security testing.
@TheGameCrafter 1 year ago
I'd watch it
@ogunsanmimichael 1 year ago
Quick question, if I get access to someone else's token and use this token to make requests to a server, will the server recognise that I am not the original owner of the token?
@2332Werter 8 months ago
Please make the complete video.
@ASecurityPro 1 year ago
More JWT please
@sergeantosiris 1 year ago
Awesome
@OneIDtech 1 year ago
Make a video on how best to secure JWT from these attacks.
@ukaszgeras6600 1 year ago
More JWT, please
@abhishekmorla1 1 year ago
JWT deep dive please
@rodolfocabralneves8279 1 year ago
How about I use JWT in an HTTPS connection?
@d3line 1 year ago
HTTPS protects against random computers intercepting the traffic, but does nothing to protect your cookies/JWT/whatever else from user manipulation
@gosnooky 1 year ago
I feel better now that my application uses a 64-character alphanumeric string
@angryman9333 1 year ago
Please Deep Dive JWT
@rosehacksyoutube 1 year ago
More JWT
@whiteshadow7810 1 year ago
Thanks dude, but as a developer, we create the secret key from hash 32bite, so I think it is too hard to crack JWT
@stephenarthur1119 1 year ago
5:02 *request :)
@PAIN_HANDLE 1 year ago
Can you make a video on Linux server administrator
@PAIN_HANDLE 1 year ago
In depth
@b.i_khalil 1 year ago
JWT DEEP DIVE PLEASE❤
@yaswanthkumar409 1 year ago
JWT deep dive
@souvickdas5564 1 year ago
In the algorithm part we can exploit by specifying "no algorithm"
@st8113 1 year ago
The widely used JWT libraries force you to specify an algorithm for verification.
@SplitUnknown 1 year ago
♥️
@jayeshtharani 1 year ago
How to prevent JWT from decoding?
@st8113 1 year ago
JWTs are meant to be decoded. You CAN encrypt an entire JWT, but this isn't super common.
@jayeshtharani 1 year ago
@st8113 thanks.
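
Added example (not from the video or from any commenter): the "Decode vs Verify" distinction and the algorithm pinning raised in the two threads above, written with Node's built-in crypto module only. The helper names, the sample claims and the random key are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, key) => crypto.createHmac('sha256', key).update(data).digest();

// Constructed helper: issue an HS256 token for the demo below.
function signHS256(payload, secret) {
  const input = `${b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${hmac(input, secret).toString('base64url')}`;
}

// Decode: plain base64url + JSON. No key is involved, so this proves nothing
// about who issued the token or whether it was edited.
function decode(token) {
  const [head, body] = token.split('.');
  const parse = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  return { header: parse(head), payload: parse(body) };
}

// Verify: the server pins HS256 itself; the token's "alg" field is only
// checked against that pin, never used to choose the algorithm.
function verifyHS256(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  let decoded;
  try { decoded = decode(token); } catch { return null; }
  if (decoded.header?.alg !== 'HS256') return null; // "none" ends here
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? decoded.payload : null;
}

// Constructed sample data: a random 256-bit key and three tokens.
const SECRET = crypto.randomBytes(32);
const adminBody = b64u(JSON.stringify({ sub: 'alice', role: 'admin' }));
const valid = signHS256({ sub: 'alice', role: 'user' }, SECRET);
const [head, , sig] = valid.split('.');
const edited = `${head}.${adminBody}.${sig}`; // payload changed, old signature kept
const unsigned = `${b64u(JSON.stringify({ alg: 'none' }))}.${adminBody}.`; // no signature

for (const [name, tok] of Object.entries({ valid, edited, unsigned })) {
  console.log(name, 'decode:', decode(tok).payload.role, '| verify:', verifyHS256(tok, SECRET));
}
```

All three tokens decode cleanly, but only the first one verifies; an application that authorizes on decoded claims accepts the other two as well.
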
@mikehill3426 1 year ago
Vocal fry is a thing.
@privilegedesign8745 1 year ago
Make long video jwt
@gihanrangana6248 1 year ago
What if we encrypt the JWT token with crypto, ex:
const token = crypto.AES.encrypt(jwt.sign({...payload}, 'secret'), 'enc-secret')
const decode = crypto.AES.decrypt(token, 'enc-secret')
Just an idea
@gihanrangana6248 1 year ago
Or we can encrypt the payload and put it inside the token
@d3line 1 year ago
@gihanrangana6248 well, you get an encrypted and signed thing. What for? The issue is not "not enough encryption", the issue is weak secrets. And generally bad design of JWT and JWT libraries, but that's regarding other attacks. I really dislike JWTs, way too large of an attack surface, and a huge issue with revoking access once a token is granted, but too much hype.
@BronkoBanane 1 year ago
Deep dive, deep dive, deep dive! Plz 🤪
@piptutor 1 year ago
JWT deep dive please